# Security

> Configure 2FA, SSO, allowed email domains, and webhook signatures. Review Synthflow certifications and access the Trust Vault.

This page covers workspace security: [two-factor authentication](#two-factor-authentication), [single sign-on](#single-sign-on) with [allowed email domains](#allowed-email-domains), and [webhook signature validation](#webhook-security). Use these controls to limit who can join your workspace, how they authenticate, and whether incoming webhook traffic is genuine.

For compliance documents, subprocessors, and security controls, visit the [Trust Vault](https://security.synthflow.ai/). Some documents are private and require **Login/Get Access** on the vault.

## Certifications

Synthflow maintains independently verified security controls across the platform. To request certification documents, review subprocessors, or view control details, visit the [Trust Vault](https://security.synthflow.ai/).

Synthflow is compliant with:

* ISO 27001:2022
* SOC 2
* GDPR
* HIPAA
* PCI DSS V4.0.1

For HIPAA customers, see the [Business Associate Agreement](/baa). SSO and additional enterprise security features are available on the [Enterprise plan](/enterprise).

## Two-factor authentication

Two-factor authentication (2FA) adds a second verification step at sign-in using a **Time-based One-Time Password (TOTP)** from an authenticator app such as Google Authenticator, Authy, or Microsoft Authenticator. When your workspace requires 2FA, you must enable it to create and view API keys.

To enable 2FA:

1. Go to **Settings > Log in credentials**.
2. In the **Two-factor authentication** section, start the 2FA setup (for example, **Activate 2FA**).
3. If you sign in with email and password, enter your account password when prompted. If you sign in with Google, you do not need to provide a password.
4. Scan the QR code with your authenticator app (or enter the setup key manually), then enter the 6-digit code from the app.
5. Save your **backup codes** in a secure place. You may not be able to view them again after setup.

After 2FA is enabled, you are prompted for a code each time you sign in. Backup codes are generated once during setup, can only be used **once**, and should be stored in a password manager or secure note.

In **Settings > Security**, workspace admins can require 2FA for all team members. Users who have not enabled 2FA must set it up at their next sign-in.

## Single sign-on

Single Sign-On (SSO) is available on [Enterprise plans](/enterprise) only.

SSO lets your team sign in through your identity provider instead of separate Synthflow credentials. Only **Super Admins** and **Admins** can configure SSO. See [roles](/user-management#roles) for details. Synthflow uses **WorkOS** as the SSO infrastructure provider.

### Allowed email domains

Restrict which email domains can receive workspace invitations. When one or more domains are configured, only matching addresses can be invited. If no domains are configured, invitations are open to all domains. The restriction applies to invite creation only; existing users are unaffected.

**Super Admins** and **Admins** manage allowed domains under **Settings > Security > Whitelist Domains**. **Members** cannot manage domains or invite users.

To add a domain:

1. Navigate to **Settings > Security**.
2. Scroll to **Whitelist Domains** and click **Add domain**.
3. Enter a bare domain such as `example.com`. Do not include `@`, protocols, or paths.

To remove a domain, use the delete action next to it.

For agencies, domain restrictions apply at the agency workspace level and do not extend to subaccounts. Agency users can still access subaccounts regardless of their email domain.

### Enable SSO

Navigate to **Settings > Security** and provide:

* **Organization name** (defaults to your workspace name)
* At least one domain from your whitelist policy

![Enable SSO with organization name and allowed domain](https://storage.googleapis.com/granular-changelog/doc-images/sso_3.png)

After you submit the form, Synthflow creates an organization in WorkOS and redirects you to the identity provider connection list. You can return later to finish provider setup. Until the connection is completed, SSO remains pending and inactive.

Supported providers include Okta, Entra ID, Google SAML, Auth0, and others shown in the setup flow. Each provider has different setup requirements, so follow the in-app instructions for your identity provider.

![SSO enabled and active connection status](https://storage.googleapis.com/granular-changelog/doc-images/sso_1.png)

Workspace admins can disable SSO when needed. Disabling SSO blocks sign-in through your identity provider but does not remove the WorkOS organization or external provider connection.

## Webhook security

Synthflow signs every webhook with an HMAC-SHA256 signature computed with your shared secret key. The signature is sent in the `HTTP_SYNTHFLOW_SIGNATURE` header so your server can confirm the request came from Synthflow. That name is the CGI/WSGI form of the header (as it appears in Django's `request.META`, for example); under the standard CGI mapping it corresponds to the wire header `Synthflow-Signature`, which is how frameworks that expose raw header names show it. HTTPS alone does not prove the sender is Synthflow: TLS authenticates your server to the caller, not the caller to you, so without signature validation anyone who discovers your webhook URL could post forged payloads.

Generate a secret key under **Settings > Security > Webhooks**. Synthflow signs the `call_id` with that key (the HMAC input is the `call_id` string alone, not the request body) and includes the base64-encoded result on both the [inbound webhook](/webhooks#inbound-webhook) and the [post-call webhook](/webhooks).

Verify the signature on your server using the same secret key and the received `call_id`:

```python
import hmac
import hashlib
import base64

def generate_hmac_signature(secret_key: str, payload: str) -> str:
    """Base64(HMAC-SHA256(secret_key, payload)), the scheme Synthflow applies to call_id."""
    signature = hmac.new(secret_key.encode(), payload.encode(), hashlib.sha256).digest()
    return base64.b64encode(signature).decode()

def verify_hmac_signature(secret_key: str, payload: str, received_signature: str) -> bool:
    """Recompute the signature and compare in constant time, so the comparison
    does not leak how many leading characters of a guess were correct."""
    expected_signature = generate_hmac_signature(secret_key, payload)
    # Compare as bytes: compare_digest on str values raises if either contains non-ASCII.
    return hmac.compare_digest(expected_signature.encode(), received_signature.strip().encode())

# Placeholder values. In a real handler, take call_id from the webhook body and the
# signature from the HTTP_SYNTHFLOW_SIGNATURE header of the same request.
call_id = "123456789"
secret_key = "your-secret-key"
signature = "abc123"
is_signature_valid = verify_hmac_signature(secret_key, call_id, signature)
print(is_signature_valid)
```

If verification returns `True`, the `call_id` was signed with your secret, so the request carries a call identifier that Synthflow issued. Because the HMAC covers only `call_id` and not the rest of the body, the check does not by itself prove that the other fields are unaltered, and a captured `call_id` and signature pair stays valid until you rotate the secret. Reject a `call_id` you have already processed, and treat the remaining fields with the same care as any other external input. Use constant-time comparison (as shown above) to avoid timing attacks.
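The snippet above shows the primitive; the following is an added example (not Synthflow's code) of a complete request handler built on it. It reads the signature from a WSGI-style `environ` dictionary under the `HTTP_SYNTHFLOW_SIGNATURE` key, extracts `call_id` from a JSON body, verifies the HMAC in constant time, and refuses a `call_id` it has already accepted, since the signature itself carries nothing that expires. The secret, the body field layout beyond `call_id`, and the sample requests are all constructed for the example; only `call_id` and the header name come from this page.

```python
import base64
import hashlib
import hmac
import json

# Hypothetical secret; in a deployment this comes from Settings > Security > Webhooks.
SECRET_KEY = "your-secret-key"

def sign(secret_key: str, call_id: str) -> str:
    """Base64(HMAC-SHA256(secret_key, call_id)), the scheme described on this page."""
    mac = hmac.new(secret_key.encode(), call_id.encode(), hashlib.sha256).digest()
    return base64.b64encode(mac).decode()

def handle_webhook(environ: dict, body: bytes, secret_key: str, seen_call_ids: set) -> tuple[int, str]:
    """Validate one webhook request and return (HTTP status, reason).

    environ follows the WSGI convention, so the signature is read from
    environ["HTTP_SYNTHFLOW_SIGNATURE"]. Returns 200 only when the body carries a
    call_id whose signature verifies and which has not been processed before.
    """
    received = environ.get("HTTP_SYNTHFLOW_SIGNATURE")
    if not received:
        return 401, "missing signature header"
    try:
        payload = json.loads(body)
    except ValueError:
        return 400, "body is not valid JSON"
    call_id = payload.get("call_id") if isinstance(payload, dict) else None
    if not isinstance(call_id, str) or not call_id:
        return 400, "missing call_id"
    expected = sign(secret_key, call_id)
    # Constant-time comparison on bytes; a plain == would leak the match length via timing.
    if not hmac.compare_digest(expected.encode(), received.strip().encode()):
        return 401, "bad signature"
    # The HMAC covers only call_id, so a captured (call_id, signature) pair never
    # expires on its own. Rejecting repeats is the replay defence available at this layer.
    if call_id in seen_call_ids:
        return 409, "duplicate call_id"
    seen_call_ids.add(call_id)
    return 200, "ok"

# Constructed sample requests (not captured traffic). The valid signature is computed
# here with sign() so the example runs offline; TAMPERED_ENV was signed with another key.
VALID_BODY = json.dumps({"call_id": "call_8f2c1a", "status": "completed"}).encode()
VALID_ENV = {"HTTP_SYNTHFLOW_SIGNATURE": sign(SECRET_KEY, "call_8f2c1a")}
TAMPERED_ENV = {"HTTP_SYNTHFLOW_SIGNATURE": sign("wrong-key", "call_8f2c1a")}

def demo() -> list[tuple[int, str]]:
    """Run the handler over the sample requests in order, sharing one replay set."""
    seen: set = set()
    return [
        handle_webhook(VALID_ENV, VALID_BODY, SECRET_KEY, seen),     # (200, "ok")
        handle_webhook(VALID_ENV, VALID_BODY, SECRET_KEY, seen),     # (409, ...) replayed
        handle_webhook(TAMPERED_ENV, VALID_BODY, SECRET_KEY, seen),  # (401, "bad signature")
        handle_webhook({}, VALID_BODY, SECRET_KEY, seen),            # (401, ...) no header
        handle_webhook(VALID_ENV, b"{not json", SECRET_KEY, seen),   # (400, ...) bad body
    ]

if __name__ == "__main__":
    for status, reason in demo():
        print(status, reason)
```

In production, replace the in-memory `set` with a store that survives restarts and is shared across workers (a database table keyed on `call_id`, or a cache entry with an expiry longer than any plausible redelivery window), otherwise the replay check resets whenever the process does.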

## FAQ

**Who can configure SSO, allowed email domains, and mandatory 2FA?**

Only **Super Admins** and **Admins** can configure SSO, allowed email domains, and mandatory 2FA. See [roles](/user-management#roles) for the full permission breakdown.

**Do allowed email domains replace SSO?**

No. Allowed email domains control who can be invited. SSO controls how invited users authenticate. Both work together.

**Can I finish the identity provider connection later?**

Yes. After creating the WorkOS organization, you can return later to complete the identity provider connection. Until setup finishes successfully, the connection remains pending and inactive.

**What happens when SSO is disabled?**

Users who authenticate through SSO cannot access the workspace via SSO until it is enabled again. Disabling SSO does not delete the WorkOS organization or external identity provider connection.

**Can I change the SSO connection after it is set up?**

Yes. You can update or reconfigure your SSO connection from the SSO settings flow.

**How do I sign in with a backup code?**

When prompted for your 2FA code, choose the option to use a **recovery code**, enter one of your backup codes exactly as shown, then complete sign-in. Each code works only once.

**Do domain restrictions apply to agency subaccounts?**

Domain restrictions apply to invite creation at the agency workspace level only. They do not apply to subaccounts. Agency users can access subaccounts regardless of their email domain.

**Can the same allowed domains be used in more than one workspace?**

Yes. You can configure the same allowed domains in multiple workspaces.

**Which webhooks carry the signature?**

Synthflow includes `HTTP_SYNTHFLOW_SIGNATURE` on both the [inbound webhook](/webhooks#inbound-webhook) and the [post-call webhook](/webhooks). Generate your secret key under **Settings > Security > Webhooks**.