Best Practices

Xano recognizes the significance of information security. We've applied the most fitting security measures, procedures, controls, and practices intended to ensure that your data is safe.

Security is essential to us and the integrity of your application or business depends on it. This is why we've taken specific measures and installed security best practices so that you can build on Xano confidently.

Secure Data Storage

All data stored within Xano is encrypted at rest. Data is considered at rest when it resides on a storage device and is not being actively transferred through networks. Encryption in this state performs a secure encoding on the data to protect the data. Since the data is encrypted on the physical storage device an attacker must first steal the hard drive and then decrypt the encryption making it particularly difficult to hack. This type of data storage is highly recommended by industry and government regulations.

Secure Data Transmission

Transmission of data is done securely over SSL. SSL stands for Secure Socket Layer and is an industry-standard for securing and encrypting data transmission. Not only is SSL near impossible to decrypt, it also provides a digital signature verifying that the data has not been tampered with providing data integrity. Additionally, SSL requires a level of authentication to ensure the communicating servers are in fact the correct ones.

Workspace (Project) Role Based Access Control

Access to workspaces (aka projects) is limited to the team settings defined on the instance, which is governed by the owner of the instance. The owner of the instance can add or delete team members. In addition, choose from different roles to restrict access.

Password Encryption

Passwords are digitally signed with sha256 and unique salts so even if more than one person had the same password, it would not be possible to identify who those individuals would be.

Sha256 is one-way encryption meaning it cannot be decrypted back to the original text. Sha256 is one of the strongest hash functions available and was designed by the NSA.

Salting refers to adding random data to the input of a hash function, such as sha256, as a safeguard to ensure uniqueness against passwords that might be the same or common.

Login Authentication

Authentication is handled by JWE tokens, which is an industry standard.

Authentication is how a user logs in or signs up to an application. Xano provides secure out-of-the-box authentication via JWE (JSON Web Encryption) tokens. JWE tokens are self-contained and provide data integrity, authenticity, non-repudiation and confidentiality.

OAuth, which stands for “Open Authorization,” allows third-party services to exchange your information without you having to give away your password.

OAuth providers such as Facebook, Google, LinkedIn, and GitHub login are available in the Xano marketplace to easily enable.


On Xano's dedicated resource plans, the user's Instance is on a single-tenant deployment or architecture. This means that the user is the only tenant on the server (Instance) architecture and that all the server resources and CPU are dedicated to the tenant. Single-tenancy has a variety of benefits including:

Data Separation - Data is kept separate from other users since the Instance is isolated. This allows for independence of data and greater customization of software and hardware.

Data Security - If one user has a breach of data, then another user is safe from the breach since their data is stored on a completely separate Instance.

Reliability & Performance - Since the Instance is only dependent and serves a single tenant, performance and reliability are significantly increased. The alternative would be the Instance serving many different users.

Recovery - With a single-tenancy backups are also isolated, making it easier and more reliable to restore from backups in the event of a disaster.

Password Requirements

Xano requires password minimums for logging in to a Xano account. A password must be a minimum of eight (8) characters, maximum of 256 characters, at least one (1) alphabetic character, and at least one (1) numeric character. These password requirements are only for login by email and password.

Password requirements for Single Sign-On (SSO) are managed by the SSO provider.

2FA Security

Two-factor authentication (2FA) security, or two-step authentication, can be enabled for logging in to a Xano account. 2FA security requires the use of two different forms of identification to access and authenticate an account. It is an extra layer of security beyond email and password credentials that secures an account by requiring an authentication step from something that belongs to the user.

2FA security can be enabled from the account page of a Xano account. Learn how to enable 2FA.

Inactivity Timeout

To protect your privacy, Xano includes an inactivity timer which will log you out after 2 hours of inactivity by default, but this can be adjusted or disabled entirely via your account settings. This is based on mouse activity and works across multiple tabs.


On certain Xano plans, you have the ability to enable security policy enforcement through your Instance settings.

Require 2FA enforces that your users not only have two-factor authentication enabled, but that they have logged in using that method.

Authentication Enforcement enables requiring your team members to authenticate using one or more of the enabled services you choose.

Allowed SSO Hosts enforces the email address domains allowed when team members log in. As an example, if we wanted our team members to only authenticate using Github accounts that use a email address, we could check Github under Authentication Enforcement, and add as an allowed SSO host.

Certifications & Compliance

Additionally, Xano holds certifications reflecting our commitment and adherence to information security in an official arena.

Last updated