
Security

CodeTeleport is designed to handle sensitive data — your AI coding sessions contain source code, file paths, and conversation history. Here’s how we protect it.

CodeTeleport uses a two-layer authentication model:

  • JWT tokens — issued on login (email/password or GitHub OAuth), expire after 7 days. Used for the dashboard and initial CLI authentication.
  • API tokens — long-lived tokens with a ctk_live_ prefix, used by the CLI and MCP server. Stored as SHA-256 hashes in the database — the raw token is never stored, only the hash.

API tokens are created during codeteleport auth login and saved to ~/.codeteleport/config.json with chmod 600 (owner-only read/write).

See Authentication for setup details.

All communication between your machine and CodeTeleport servers uses HTTPS (TLS 1.2+). This includes:

  • API requests to api.codeteleport.com
  • Bundle uploads and downloads via presigned R2 URLs
  • GitHub OAuth callbacks
  • Dashboard at app.codeteleport.com

No data is ever transmitted in plaintext.

Session bundles are stored in Cloudflare R2 (S3-compatible object storage):

  • Encrypted at rest by Cloudflare
  • Stored in a dedicated bucket with per-user key namespacing (bundles/<user-id>/<session-id>.tar.gz)
  • Presigned URLs for upload/download expire after 5 minutes
  • The API server never streams bundle contents through itself — your machine talks directly to R2

User data (accounts, session metadata, device records) is stored in Turso (distributed SQLite):

  • Encrypted at rest
  • Passwords hashed with bcrypt (10 rounds)
  • API tokens stored as SHA-256 hashes

Every user’s data is strictly isolated:

  • Sessions are namespaced by user ID in both the database and R2 storage
  • API endpoints verify ownership before any read, write, or delete operation
  • Multi-user isolation is verified in our test suite — a user cannot access another user’s sessions, devices, or tokens
  • OAuth account linking matches by verified email only

Metadata we read:

  • Session size, message count, timestamps
  • Project name (directory basename)
  • Source machine name
  • Claude model used

Bundle contents we store but don’t inspect:

  • Session bundles are opaque .tar.gz blobs
  • We upload and download them without parsing their contents
  • Your conversation messages, code, and file history are inside the bundle but CodeTeleport never reads them server-side
  • We do not train on your data
  • We do not share your data with third parties
  • We do not access your ~/.claude/ directory on our servers — bundles are created locally on your machine
  • We do not modify your local Claude Code data — ~/.claude/ is read-only from our perspective
  • We do not log or store bundle contents server-side (only metadata)

We plan to add client-side encryption (AES-256-GCM) so that bundles are encrypted before leaving your machine. With E2E encryption:

  • The server stores encrypted blobs it cannot decrypt
  • Only your devices with the encryption key can read the session data
  • Key management will be handled locally

This is on our roadmap — we’ll update this page when it ships.

If you discover a security vulnerability, please email security@codeteleport.com (or reach out via GitHub). We take security reports seriously and will respond promptly.