Security and Access

This page covers how ReframeUI authenticates users, how API keys work, what each role can do, and how your organization's data stays separate from others. It is written for engineers and security reviewers. For vulnerability disclosure, see the responsible disclosure section below.

Authentication methods

ReframeUI supports three authentication paths:

  • Email and password. Members sign in with an email address and password. Sessions are managed server-side.
  • SAML 2.0 / SSO (Pro). Organizations on the Pro plan can configure a SAML 2.0 identity provider. Once configured, all Studio access routes through your IdP. Members who have not authenticated via the IdP cannot access the organization.
  • Two-factor authentication. Any member can enable TOTP-based 2FA from their account settings. Enabling or removing 2FA is recorded in the audit log under the user_2fa entity type. For a step-by-step setup walkthrough, see Account Security.

API keys

API keys are used for programmatic access: the reframe CLI, webhooks, and CI integrations. Keys are scoped per project. A key grants access only to the project it was created for. For the full list of operations a key authorizes, see the API reference.

API key creation and deletion are recorded in the audit log under the api_key entity type.

Permission model

ReframeUI has two member roles. Permissions are set at the organization level. There are no per-project role overrides.

Role                    What they can do
Editor                  Full read and write access in Studio: create and edit tokens, manage branches, publish releases, and access the audit log. An Editor who is also an org owner can invite members.
Viewer (consumer seat)  Read-only access to published packages and the Figma plugin. No write access to Studio.

Organization owners can invite and remove members, configure SSO, and manage billing. Ownership is a flag on top of the seat type rather than a third role: an owner always holds an Editor seat.

Data isolation

Each organization's data is isolated from all others. Tokens, components, and published packages from one organization are never accessible from another, regardless of plan or configuration.

Within an organization, each design system project is isolated from other projects. Members can only see projects they have been granted access to.

Published packages are versioned snapshots. A consumer app is only affected by changes it explicitly pulls. There is no live endpoint that can push breaking changes to a consumer without a deliberate update on their end.

Private docs portals

Published documentation portals can be set to private. Visitors who are not authenticated members of the organization see a gated view and cannot access the content.

Access to a private portal is controlled by org membership. Any member with a Viewer or Editor seat can access private portals for that organization. There is no separate portal-level access list.
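The rules in the API keys, Permission model, Data isolation and Private docs portals sections above are small enough to write down as an executable reference model, which is what a security reviewer would check a deployment against. The block below is an added example, not ReframeUI's code: the Member and ApiKey types, the action strings (read_studio, publish, invite_member and so on) and the sample members are assumptions; only the rules encoded (two org-level roles, no per-project overrides, owner-only administration, owners always on an Editor seat, per-project API keys, organization and project isolation, portal access for any seat) come from this page.

```python
"""Reference model of the access rules described on this page.

Added example, not ReframeUI's code. Member, ApiKey and the action strings are
assumptions; the rules they encode come from the page:
  - two roles, Editor and Viewer, set at the organization level, no per-project
    role overrides;
  - Editors read and write in Studio; Viewers read published packages and use
    the Figma plugin only;
  - owners invite/remove members, configure SSO and manage billing, and an
    owner always holds an Editor seat;
  - an API key grants access only to the project it was created for;
  - organizations are isolated, and members see only projects they were
    granted;
  - a private docs portal is open to any member of the organization, either seat.
"""
from dataclasses import dataclass
from typing import Optional

ROLES = {"editor", "viewer"}
# Action names are assumed for illustration; the page does not define them.
VIEWER_ACTIONS = {"read_package", "use_figma_plugin", "read_private_portal"}
EDITOR_ACTIONS = VIEWER_ACTIONS | {"read_studio", "edit_token", "manage_branch",
                                   "publish", "read_audit_log"}
OWNER_ACTIONS = {"invite_member", "remove_member", "configure_sso", "manage_billing"}


@dataclass(frozen=True)
class Member:
    user: str
    org: str
    role: str
    owner: bool = False
    projects: frozenset = frozenset()   # projects this member has been granted

    def __post_init__(self) -> None:
        if self.role not in ROLES:
            raise ValueError(f"unknown role {self.role!r}")
        if self.owner and self.role != "editor":
            # Page: "an owner always holds an Editor seat"
            raise ValueError("an owner must hold an Editor seat")


@dataclass(frozen=True)
class ApiKey:
    key_id: str
    org: str
    project: str   # the single project the key was created for


def member_allowed(m: Member, action: str, org: str,
                   project: Optional[str] = None) -> bool:
    """True if member m may perform action in org (and project, if given)."""
    if m.org != org:
        return False                                  # organization isolation
    if project is not None and project not in m.projects:
        return False                                  # project not granted
    if action in OWNER_ACTIONS:
        return m.owner                                # owner flag, not the seat
    allowed = EDITOR_ACTIONS if m.role == "editor" else VIEWER_ACTIONS
    return action in allowed


def key_allowed(k: ApiKey, org: str, project: str) -> bool:
    """An API key authorizes work only on the project it was created for."""
    return k.org == org and k.project == project


def demo() -> dict:
    """Constructed members and key (assumed data); returns the decisions."""
    alice = Member("alice", "acme", "editor", owner=True, projects=frozenset({"web"}))
    bob = Member("bob", "acme", "viewer", projects=frozenset({"web"}))
    dave = Member("dave", "acme", "editor", projects=frozenset({"mobile"}))
    carol = Member("carol", "globex", "editor", projects=frozenset({"web"}))
    ci_key = ApiKey("k-web", "acme", "web")
    return {
        "viewer_cannot_publish": member_allowed(bob, "publish", "acme", "web"),
        "viewer_reads_portal": member_allowed(bob, "read_private_portal", "acme"),
        "editor_publishes_own_project": member_allowed(alice, "publish", "acme", "web"),
        "editor_blocked_on_ungranted_project": member_allowed(dave, "publish", "acme", "web"),
        "non_owner_editor_cannot_invite": member_allowed(dave, "invite_member", "acme"),
        "owner_invites": member_allowed(alice, "invite_member", "acme"),
        "other_org_same_project_name": member_allowed(carol, "read_studio", "acme", "web"),
        "key_scoped_to_project": key_allowed(ci_key, "acme", "web"),
        "key_rejected_elsewhere": key_allowed(ci_key, "acme", "mobile"),
    }


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name:40} {decision}")
```

The two decisions worth testing in a real review are the negative ones: a member of another organization is refused even when the project name collides, and an Editor is refused on a project they were never granted, regardless of role. If either check passes in a deployment, the page's isolation claims no longer hold.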

Audit capabilities

All write actions in Studio are recorded: token changes, publishes, branch operations, member changes, API key lifecycle, and authentication events.

The audit log is available on the Pro plan. For the full event taxonomy, retention period, and CSV export instructions, see the Audit Log reference.
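Because 2FA changes and API key lifecycle both land in the audit log, the export can be used to spot the one sequence that matters most for account takeover: 2FA removed, then a burst of API keys minted by the same actor. The script below is an added example, not ReframeUI's tooling. Only the entity types api_key and user_2fa come from this page; the CSV column names, the action values (create, disable, remove), the member entity type and the sample rows are constructed assumptions, so check them against the Audit Log reference before running it on a real export.

```python
"""Triage of an audit-log CSV export (added example, not ReframeUI's code).

The page names the entity types api_key and user_2fa and says the log records
API key lifecycle, member changes and authentication events. Column names,
action values, the "member" entity type and the sample rows below are
constructed assumptions; confirm them against the Audit Log reference.
"""
import csv
import io
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample export (columns and values assumed, not a real log).
SAMPLE_CSV = """timestamp,actor,entity_type,action,target,ip
2024-05-01T09:00:00Z,alice@acme.example,token,update,color.primary,203.0.113.10
2024-05-01T09:05:00Z,alice@acme.example,api_key,create,ci-deploy,203.0.113.10
2024-05-01T22:41:00Z,bob@acme.example,user_2fa,disable,bob@acme.example,198.51.100.7
2024-05-01T22:42:00Z,bob@acme.example,api_key,create,export-1,198.51.100.7
2024-05-01T22:43:00Z,bob@acme.example,api_key,create,export-2,198.51.100.7
2024-05-01T22:44:00Z,bob@acme.example,api_key,create,export-3,198.51.100.7
2024-05-02T10:00:00Z,alice@acme.example,member,remove,mallory@acme.example,203.0.113.10
"""


def parse_export(text: str) -> list:
    """Read the CSV and attach a timezone-aware datetime to each row."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for r in rows:
        r["ts"] = datetime.fromisoformat(r["timestamp"].replace("Z", "+00:00"))
    return rows


def triage(rows: list, window: timedelta = timedelta(minutes=30),
           burst: int = 3) -> list:
    """Return (severity, timestamp, actor, message) findings, oldest first."""
    findings = []
    last_2fa_off = {}    # actor -> time 2FA was removed
    recent_keys = {}     # actor -> timestamps of key creations inside window
    for r in sorted(rows, key=lambda r: r["ts"]):
        actor, etype, action, ts = r["actor"], r["entity_type"], r["action"], r["ts"]
        if etype == "user_2fa" and action in ("disable", "remove"):
            last_2fa_off[actor] = ts
            findings.append(("high", ts, actor, "2FA removed from account"))
        elif etype == "api_key" and action == "create":
            hits = [t for t in recent_keys.get(actor, []) if ts - t <= window] + [ts]
            recent_keys[actor] = hits
            off = last_2fa_off.get(actor)
            if off is not None and ts - off <= window:
                minutes = int((ts - off).total_seconds() // 60)
                findings.append(("high", ts, actor,
                                 f"API key {r['target']!r} created {minutes} min after 2FA removal"))
            if len(hits) == burst:
                findings.append(("medium", ts, actor,
                                 f"{burst} API keys created within {window}"))
        elif etype == "member" and action == "remove":
            findings.append(("info", ts, actor, f"member {r['target']!r} removed"))
    return findings


def severity_counts(findings: list) -> dict:
    """Summarize findings by severity, e.g. {'high': 4, 'medium': 1, 'info': 1}."""
    return dict(Counter(sev for sev, *_ in findings))


if __name__ == "__main__":
    for sev, ts, actor, msg in triage(parse_export(SAMPLE_CSV)):
        print(f"{sev:6} {ts.isoformat()} {actor:22} {msg}")
```

The window and burst thresholds are starting points, not tuned values; an organization whose CI legitimately rotates keys in batches should raise the burst threshold rather than drop the 2FA-then-key rule, which is the one a legitimate workflow rarely triggers.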

Responsible disclosure

Report vulnerabilities to security@reframeui.app. You will receive an acknowledgment within 48 hours. For severity classifications and the full disclosure policy, see SECURITY.md in the GitHub repository.

Related: Audit Log for the full event taxonomy and export options, API reference for key scopes and programmatic access, Pricing for plan-gated features, Account Security for the personal settings walkthrough.