dialnote takes security seriously at every level — from how you sign in, to how your data is stored, to how your API keys are managed. Here's a look at the protections built into your account.

Authentication#

dialnote supports multiple ways to sign in:

  • Email and password — Passwords must be 8–128 characters. After signup, you'll get an email verification link that's valid for 24 hours.
  • Social login — Sign in with Google, Microsoft, or Apple. These providers are trusted for automatic account linking when the email matches a verified account.

All sign-in methods create a session that lasts 7 days. Sessions refresh automatically while you're active, so you won't get logged out in the middle of your work. In production, session cookies carry the Secure attribute, so the browser only sends them over HTTPS, together with the other cookie hardening attributes.

Role-Based Access Control#

Every dialnote workspace uses role-based permissions to control who can do what:

Role      What they can do
Owner     Full control — manage billing, invite members, configure all settings
Admin     Invite members, manage phone numbers, configure workspace settings
Member    Make and receive calls, access contacts, use assigned phone numbers

Phone numbers have their own access levels too. When you share a number with a team member, you can assign Owner (full control), Shared User (call and message access), or View Only (read-only) permissions.

Data Protection#

dialnote protects your data both in transit and at rest:

  • Encryption in transit — All connections use TLS/HTTPS. API requests, browser sessions, and WebSocket connections are all encrypted.
  • Encryption at rest — Sensitive credentials like telephony API keys are encrypted before storage. Passwords are securely hashed and never stored in plain text.
  • Sensitive data masking — Authorization headers, cookies, and API keys are automatically masked in request logs so they're never exposed in application logging.
  • Security headers — The backend uses Helmet.js to set HTTP security headers (such as Content-Security-Policy and X-Frame-Options) that help mitigate common web vulnerabilities like XSS and clickjacking.
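The masking rule above, written out as an added example (this is not dialnote's own code). The header names in the redaction set and the hex alphabet used to recognise a key are assumptions; the page only states the dn_live_{prefix}_{secret} shape and that headers, cookies and API keys are masked before they reach the logs. The sample request at the bottom is constructed for the example and uses a dummy key.

```javascript
// Added example (not dialnote's code): strip credentials from a request record before logging it.

// Header names whose values must never reach the log. Matched case-insensitively because
// Node lowercases incoming header names but other log sources may not.
const REDACTED_HEADERS = new Set(['authorization', 'cookie', 'set-cookie', 'x-api-key']);

// Assumed key alphabet: 8 hex chars of prefix, 64 hex chars of secret.
const API_KEY_RE = /dn_live_[0-9a-f]{8}_[0-9a-f]{64}/g;

// Keep "dn_live_" plus the first four prefix characters so an operator can still
// correlate the log line with a key in the dashboard; drop everything else.
function maskApiKeys(text) {
  return text.replace(API_KEY_RE, (match) => match.slice(0, 12) + '****');
}

// Produces the object that is safe to hand to the logger.
function redactForLog(req) {
  const headers = {};
  for (const [name, value] of Object.entries(req.headers || {})) {
    headers[name] = REDACTED_HEADERS.has(name.toLowerCase())
      ? '[REDACTED]'
      : maskApiKeys(String(value));
  }
  // Keys leak through query strings and JSON bodies as well, so scrub both.
  return {
    method: req.method,
    url: maskApiKeys(req.url),
    headers,
    body: req.body === undefined ? undefined : maskApiKeys(JSON.stringify(req.body)),
  };
}

// Constructed sample request; the key is a dummy value, not a real credential.
const SAMPLE_KEY = 'dn_live_' + 'a'.repeat(8) + '_' + 'b'.repeat(64);
const sampleRequest = {
  method: 'POST',
  url: '/v1/calls?api_key=' + SAMPLE_KEY,
  headers: {
    authorization: 'Bearer ' + SAMPLE_KEY,
    cookie: 'session=abc123',
    'content-type': 'application/json',
  },
  body: { to: '+15555550123', note: 'rotated from ' + SAMPLE_KEY },
};

console.log(JSON.stringify(redactForLog(sampleRequest), null, 2));
```

Redacting by header name rather than by pattern is deliberate: an Authorization value is secret whatever it looks like, whereas the pattern match is only a backstop for keys that end up somewhere unexpected.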

API Key Security#

If you use the dialnote API, your keys are protected with several safeguards:

  • API keys follow the format dn_live_{prefix}_{secret} and are generated with cryptographic randomness.
  • Keys are stored as SHA-256 hashes — the raw key is only shown once at creation time.
  • Each workspace can have up to 10 active API keys.
  • Key prefixes are masked for safe display in the dashboard (you'll only see the first few characters).
  • API authentication uses timing-safe comparison to prevent timing attacks.

Rate Limiting#

dialnote applies rate limits to protect against abuse and keep the platform stable for everyone:

  • API endpoints — Rate limiting is enabled by default across all endpoints.
  • Demo bookings — Limited to 5 requests per hour per IP address.
  • AI features — Agent builder and message bot testing have hourly rate windows with automatic 15-minute cooldowns if exceeded.

If you hit a rate limit, you'll get a clear error response. Wait for the cooldown period and try again.
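A limiter with the two behaviours described above, as an added example (not dialnote's own implementation): a fixed hourly window keyed by client IP, blocking for the rest of the window when the demo-booking limit is exceeded, and a 15-minute cooldown for the AI features. The AI limit of 20 requests per hour is an assumed number (the page gives only the window and the cooldown), and the Retry-After header is a standard HTTP convention rather than something the page states.

```javascript
// Added example (not dialnote's code): fixed-window rate limiting with an optional cooldown.

class WindowLimiter {
  constructor({ limit, windowMs, cooldownMs = null, now = () => Date.now() }) {
    this.limit = limit;
    this.windowMs = windowMs;
    this.cooldownMs = cooldownMs;   // null: blocked until the current window ends
    this.now = now;                 // injectable clock so the policy can be tested
    this.state = new Map();         // key -> { windowStart, count, blockedUntil }
  }

  check(key) {
    const t = this.now();
    let s = this.state.get(key);
    if (s && s.blockedUntil > t) {
      return { allowed: false, retryAfterMs: s.blockedUntil - t };
    }
    // A finished cooldown or an elapsed window both start a fresh window.
    if (!s || s.blockedUntil > 0 || t - s.windowStart >= this.windowMs) {
      s = { windowStart: t, count: 0, blockedUntil: 0 };
      this.state.set(key, s);
    }
    s.count += 1;
    if (s.count > this.limit) {
      // The request that crosses the limit triggers the block and is itself rejected.
      const blockMs = this.cooldownMs ?? (s.windowStart + this.windowMs - t);
      s.blockedUntil = t + blockMs;
      return { allowed: false, retryAfterMs: blockMs };
    }
    return { allowed: true, remaining: this.limit - s.count };
  }
}

// Translate a decision into the response a client would see: 429 with Retry-After.
function toHttpResponse(decision) {
  if (decision.allowed) return { status: 200 };
  const seconds = Math.ceil(decision.retryAfterMs / 1000);
  return {
    status: 429,
    headers: { 'Retry-After': String(seconds) },
    body: { error: 'rate_limited', retry_after_seconds: seconds },
  };
}

const HOUR = 60 * 60 * 1000;
// Demo bookings: 5 per hour per IP, blocked for the rest of the hour once exceeded.
const demoBookingLimiter = new WindowLimiter({ limit: 5, windowMs: HOUR });
// AI features: hourly window with a 15-minute cooldown; 20 is an assumed limit.
const aiTestingLimiter = new WindowLimiter({ limit: 20, windowMs: HOUR, cooldownMs: 15 * 60 * 1000 });

// Constructed sample traffic: six bookings from one address in a row.
for (let i = 0; i < 6; i++) {
  console.log(JSON.stringify(toHttpResponse(demoBookingLimiter.check('203.0.113.7'))));
}
```

Keying on the client IP is only as good as the IP you read: behind a proxy or load balancer, use the address the proxy sets rather than the socket peer, and trust that header only from the proxy itself.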

Session Management#

Sessions are designed to be secure without getting in your way:

  • Sessions expire after 7 days of inactivity.
  • Active sessions refresh every 24 hours automatically.
  • Session data is cached in Redis with a 3-hour refresh cycle for fast authentication checks.
  • Each session tracks the user agent and IP address for audit purposes.
  • CORS is configured with a strict origin whitelist — only approved origins can make credentialed cross-origin requests from a browser. CORS governs browser behaviour only; the request itself is still authenticated by its session or API key.
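The session lifetime rules and the CORS origin check from the list above, as an added example (not dialnote's own code). The page gives the 7-day idle expiry, the 24-hour refresh and the existence of a strict whitelist; the origin values, the field names and the decision to refresh at most once per day are assumptions made for the example.

```javascript
// Added example (not dialnote's code): sliding session expiry with throttled refresh,
// plus an exact-match CORS origin check.

const IDLE_TTL_MS = 7 * 24 * 60 * 60 * 1000;      // session dies after 7 days without activity
const REFRESH_INTERVAL_MS = 24 * 60 * 60 * 1000;  // expiry is pushed forward at most once a day

function createSession({ userId, userAgent, ip, now = Date.now() }) {
  // User agent and IP are recorded for audit; they are not used to authenticate.
  return { userId, userAgent, ip, createdAt: now, lastRefreshedAt: now, expiresAt: now + IDLE_TTL_MS };
}

// Run on every authenticated request. Refreshing at most once per 24 hours keeps the
// sliding expiry without a session-store write on every request.
function touchSession(session, now = Date.now()) {
  if (now >= session.expiresAt) return { valid: false, refreshed: false };
  if (now - session.lastRefreshedAt < REFRESH_INTERVAL_MS) return { valid: true, refreshed: false };
  session.lastRefreshedAt = now;
  session.expiresAt = now + IDLE_TTL_MS;
  return { valid: true, refreshed: true };
}

// Assumed whitelist. Origins are compared as whole strings: scheme, host and port must all
// match, so "https://app.dialnote.example.attacker.test" and a plain "http://" origin fail.
// Substring, prefix or regex matching here is the classic CORS misconfiguration.
const ALLOWED_ORIGINS = new Set(['https://app.dialnote.example', 'https://dialnote.example']);

// Returns the CORS headers to send, or null when the Origin must not be echoed.
// Credentialed requests cannot use "*", so the matched origin itself is echoed back.
function corsHeadersFor(originHeader) {
  if (typeof originHeader !== 'string' || !ALLOWED_ORIGINS.has(originHeader)) return null;
  return {
    'Access-Control-Allow-Origin': originHeader,
    'Access-Control-Allow-Credentials': 'true',
    'Vary': 'Origin', // caches must not serve one origin's response to another
  };
}

// Constructed walk-through: a session created at time 0 and touched over the next days.
const DAY = 24 * 60 * 60 * 1000;
const demoSession = createSession({ userId: 'u1', userAgent: 'example-ua', ip: '203.0.113.7', now: 0 });
for (const at of [DAY - 1, DAY, 8 * DAY]) {
  console.log('t=' + at / DAY + 'd', JSON.stringify(touchSession(demoSession, at)));
}
```

Using a Set of full origin strings means the check is a lookup, not a parse; if you need wildcard subdomains, parse the Origin with the URL class and compare the host components explicitly rather than reaching for a regex.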
