Xano Documentation
Best Practices
Xano recognizes the significance of information security. We've applied the most fitting security measures, procedures, controls, and practices intended to ensure that your data is safe.
Security is essential to us, and the integrity of your application or business depends on it. This is why we've taken specific measures and implemented security best practices so that you can build on Xano confidently.

Secure Data Storage

All data stored within Xano is encrypted at rest. Data is considered at rest when it resides on a storage device and is not being actively transferred through networks. Encryption at rest encodes the stored data to protect it. Since the data is encrypted on the physical storage device, an attacker must first steal the hard drive and then break the encryption, making the data particularly difficult to compromise. This type of data storage is highly recommended by industry and government regulations.

Secure Data Transmission

Data is transmitted securely over SSL. SSL stands for Secure Sockets Layer and is an industry standard for securing and encrypting data transmission. Not only is SSL near impossible to decrypt, it also provides a digital signature verifying that the data has not been tampered with, which provides data integrity. Additionally, SSL requires a level of authentication to ensure the communicating servers are in fact the correct ones.

Workspace (Project) Role Based Access Control

Access to workspaces (aka projects) is limited to the team settings defined on the instance, which is governed by the owner of the instance. The owner of the instance can add or delete team members. In addition, the owner can choose from different roles to restrict access.
The owner of the instance has control over team settings and governs access to the instance, including team member roles.

Password Encryption

Passwords are hashed with SHA-256 and unique salts, so even if more than one person had the same password, it would not be possible to identify who those individuals are.
SHA-256 is a one-way function, meaning its output cannot be reversed back to the original text. SHA-256 is one of the strongest hash functions available and was designed by the NSA.
Salting refers to adding random data to the input of a hash function, such as SHA-256, as a safeguard to ensure uniqueness against passwords that might be the same or common.
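
The salting property described above, shown as an added example that is not Xano's own code: two constructed accounts share a password, and only the unsalted table reveals it. The 16-byte salt length, the salt-then-password input order and all function names are assumptions made for illustration.

```python
from __future__ import annotations

import hashlib
import hmac
import secrets

SALT_BYTES = 16  # assumed salt length; the page does not state one


def hash_password(password: str, salt: bytes | None = None) -> tuple[bytes, bytes]:
    """Return (salt, SHA-256(salt || password)), with a fresh random salt per record."""
    if salt is None:
        salt = secrets.token_bytes(SALT_BYTES)
    digest = hashlib.sha256(salt + password.encode("utf-8")).digest()
    return salt, digest


def verify_password(password: str, salt: bytes, stored: bytes) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, stored)


def shared_digest_groups(records: dict[str, bytes]) -> list[list[str]]:
    """Group usernames whose stored digests are identical (what a leaked table reveals)."""
    groups: dict[bytes, list[str]] = {}
    for user, digest in records.items():
        groups.setdefault(digest, []).append(user)
    return [sorted(users) for users in groups.values() if len(users) > 1]


# Constructed sample accounts: alice and carol chose the same password.
ACCOUNTS = {"alice": "correct horse", "bob": "tr0ub4dor&3", "carol": "correct horse"}

# Unsalted table: identical passwords collapse to identical digests.
UNSALTED = {u: hashlib.sha256(p.encode("utf-8")).digest() for u, p in ACCOUNTS.items()}

# Salted table: each record stores its own salt next to the digest.
SALTED = {u: hash_password(p) for u, p in ACCOUNTS.items()}

if __name__ == "__main__":
    print("unsalted duplicates:", shared_digest_groups(UNSALTED))
    print("salted duplicates:  ", shared_digest_groups({u: d for u, (_, d) in SALTED.items()}))
    salt, digest = SALTED["alice"]
    print("alice login ok:", verify_password("correct horse", salt, digest))
```

A single SHA-256 pass is fast to compute, so for new designs a deliberately slow password hash such as scrypt, bcrypt or Argon2 is generally preferred; the per-record salt works the same way there.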

Login Authentication

Authentication is handled by JWE tokens, which are an industry standard.
Authentication is how a user logs in or signs up to an application. Xano provides secure out-of-the-box authentication via JWE (JSON Web Encryption) tokens. JWE tokens are self-contained and provide data integrity, authenticity, non-repudiation and confidentiality.
OAuth, which stands for “Open Authorization,” allows third-party services to exchange your information without you having to give away your password.
OAuth providers such as Facebook, Google, LinkedIn, and GitHub are available in the Xano marketplace and are easy to enable.


On Xano's dedicated resource plans, the user's Instance is on a single-tenant deployment or architecture. This means that the user is the only tenant on the server (Instance) architecture and that all the server resources and CPU are dedicated to the tenant. Single-tenancy has a variety of benefits including:
Data Separation - Data is kept separate from other users since the Instance is isolated. This allows for independence of data and greater customization of software and hardware.
Data Security - If one user has a breach of data, then another user is safe from the breach since their data is stored on a completely separate Instance.
Reliability & Performance - Since the Instance depends on and serves only a single tenant, performance and reliability are significantly increased. The alternative would be the Instance serving many different users.
Recovery - With single-tenancy, backups are also isolated, making it easier and more reliable to restore from backups in the event of a disaster.


Additionally, Xano holds certifications that formally reflect our commitment and adherence to information security.