This page covers the built-in security measures and governance controls that WonkaChat provides out of the box.
Governance
Control which AI models, tools, and agents are available in your organization. WonkaChat comes with extensive capabilities out of the box, but you can customize your deployment to include only what’s relevant for your company. This helps reduce complexity, minimize unnecessary access, and maintain a focused, secure environment.
Organization Access
MCP Selection
Wonka configures which MCP servers are available to your organization, ensuring only approved tools are accessible.
AI Model Selection
Administrators control which AI models and providers (OpenAI, Anthropic, Google, etc.) users can access within the organization.
Security Architecture
WonkaChat implements enterprise-grade security with multiple layers of protection.
Authentication System
WonkaChat uses a secure, token-based authentication system to protect user access:
Access Tokens (15 minutes)
Short-lived access tokens allow users to authenticate and interact with the platform. These tokens expire after 15 minutes, minimizing the risk of unauthorized access if compromised.
Refresh Tokens (7 days)
Refresh tokens maintain user sessions for up to 7 days without requiring re-authentication. After 7 days, users need to log in again.
JWT Technology
WonkaChat uses JSON Web Tokens (JWT) for secure, stateless authentication. JWTs are cryptographically signed to prevent tampering and verify authenticity.
This dual-token approach balances security (short-lived access) with user convenience (session persistence).
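The dual-token lifecycle described above, as an added example (not WonkaChat's code). It assumes HS256 with a shared secret and a hypothetical `token_use` claim to tell the two token types apart; the 15-minute and 7-day lifetimes are the ones stated on this page.

```python
import base64
import hashlib
import hmac
import json

# Lifetimes from this page: 15-minute access tokens, 7-day refresh tokens.
TTL_SECONDS = {"access": 15 * 60, "refresh": 7 * 24 * 60 * 60}
SECRET = b"constructed-demo-secret"  # assumption: HS256 with a shared secret

def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign(signing_input: str) -> bytes:
    return hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest()

def issue(sub: str, use: str, now: int) -> str:
    """Sign a JWT whose lifetime depends on its use ("access" or "refresh")."""
    claims = {"sub": sub, "token_use": use, "iat": now, "exp": now + TTL_SECONDS[use]}
    head = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64url_encode(json.dumps(claims).encode())
    signature = b64url_encode(sign(head + "." + body))
    return head + "." + body + "." + signature

def verify(token: str, use: str, now: int) -> dict:
    """Return the claims, or raise ValueError naming the check that failed."""
    try:
        head, body, sig = token.split(".")
        header, claims = json.loads(b64url_decode(head)), json.loads(b64url_decode(body))
        alg, token_use, exp = header["alg"], claims["token_use"], int(claims["exp"])
    except Exception as exc:
        raise ValueError("malformed token") from exc
    if alg != "HS256":  # pin the algorithm instead of trusting the header
        raise ValueError("unexpected algorithm")
    if not hmac.compare_digest(b64url_decode(sig), sign(head + "." + body)):
        raise ValueError("bad signature")
    if token_use != use:  # a refresh token must not be accepted as an access token
        raise ValueError("wrong token use")
    if now >= exp:
        raise ValueError("expired")
    return claims

def refresh(refresh_token: str, now: int) -> str:
    """Exchange a valid refresh token for a new 15-minute access token."""
    return issue(verify(refresh_token, "refresh", now)["sub"], "access", now)
```

A stolen access token stops verifying 15 minutes after issue, and `refresh` stops minting new ones once the refresh token passes its 7-day expiry.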
Authentication Providers
Multiple authentication methods are available to integrate with your existing identity systems:
WonkaChat currently supports these authentication providers:
- Local Authentication: Username and password authentication
- OpenID Connect: Integration with OpenID-compliant identity providers
- Azure AD / Entra ID: Direct integration with Microsoft Azure Active Directory
Rate Limiting & Abuse Prevention
WonkaChat implements rate limiting to protect against brute force attacks and system abuse. Rate limits are applied across critical operations including login attempts, registration, password resets, administrative actions, and general API usage.
Rate limits protect your organization from automated attacks while allowing normal user activity.
Data Privacy
Your data remains secure and private throughout all interactions with WonkaChat.
Privacy Guarantees
Multi-Tenant Isolation
Complete data isolation between organizations through subdomain-based routing (https://.wonka.chat). No accidental data exposure across tenants.
No Model Training
Your conversations and data are never used to train AI models. Model providers process requests temporarily without retention. Your data stays in WonkaChat where you control it.
Encrypted in Transit
All data transmitted to and from WonkaChat is encrypted using HTTPS/TLS protocols for secure API communications.
Encrypted at Rest
Data stored in WonkaChat’s MongoDB databases is protected with encryption-at-rest support to secure your information.
Data Encryption
In Transit Protection
HTTPS/TLS for all communications:
- All API calls use secure HTTPS/TLS protocols
- Data is encrypted during transmission between your browser and WonkaChat servers
- Secure connections to AI model providers (Azure, AWS Bedrock)
At Rest Protection
MongoDB encryption and secure storage:
- Passwords: Hashed with bcrypt using salt rounds (never stored in plain text)
- Tokens: JWT signing with strong cryptographic secrets
- Database: MongoDB encryption-at-rest support for all stored data
- API Keys: Never logged in plain text
Automatic Redaction
Sensitive data protection in logs:
- All logs automatically redact sensitive patterns (passwords, tokens, keys)
- API keys and authentication tokens are never logged in plain text
- Token rotation prevents long-term exposure
- Passwords are hashed with bcrypt before any storage
Even system administrators cannot access your passwords or sensitive credentials in logs or databases.
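One way to implement the kind of log redaction described above with Python's standard `logging` module, as an added example that is not WonkaChat's code. The regular expressions, field names and sample log messages are constructed assumptions, since the page does not list its redaction rules.

```python
import io
import logging
import re

# Assumed patterns: the page names passwords, tokens and keys but not its exact rules.
REDACTIONS = [
    # key=value or "key": "value" pairs whose field name is sensitive
    (re.compile(r'(?i)("?(?:password|passwd|secret|api[_-]?key|token)"?\s*[:=]\s*"?)[^\s",}&]+'),
     r"\1[REDACTED]"),
    # Authorization: Bearer <credential>
    (re.compile(r"(?i)(bearer\s+)[A-Za-z0-9._~+/=-]+"), r"\1[REDACTED]"),
    # anything shaped like a JWT: three base64url segments, the first starting with eyJ
    (re.compile(r"\beyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+"), "[REDACTED_JWT]"),
]

def redact(text: str) -> str:
    for pattern, replacement in REDACTIONS:
        text = pattern.sub(replacement, text)
    return text

class RedactingFilter(logging.Filter):
    """Redact the fully formatted message so secrets passed as args are covered too."""
    def filter(self, record: logging.LogRecord) -> bool:
        record.msg, record.args = redact(record.getMessage()), None
        return True

SAMPLE_EVENTS = [  # constructed log messages, not real WonkaChat output
    ("login failed user=%s password=%s", ("bob", "hunter2")),
    ('POST /api/keys body={"name": "ci", "api_key": "sk-test-1234"}', ()),
    ("upstream call Authorization: Bearer abc.def-123", ()),
    ("refresh ok user=bob new=eyJhbGciOi.eyJzdWIiOiJib2Ii.c2lnbmF0dXJl", ()),
]

def emit_samples() -> list:
    """Log the sample events through the filter and return what reached the sink."""
    stream = io.StringIO()
    handler = logging.StreamHandler(stream)
    handler.addFilter(RedactingFilter())  # on the handler, so propagated records pass it too
    log = logging.getLogger("redaction-demo")
    log.handlers, log.propagate = [handler], False
    log.setLevel(logging.INFO)
    for message, args in SAMPLE_EVENTS:
        log.info(message, *args)
    return stream.getvalue().splitlines()
```

Pattern-based redaction only catches the shapes it knows about, so it works alongside the other controls listed above (hashing, token rotation) rather than replacing them.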
Multi-Tenant Data Isolation
WonkaChat ensures complete separation between organizations:
Every piece of data in WonkaChat is scoped to your organization:
- Conversations and chat history
- AI agents and configurations
- User accounts and permissions
- MCP connections and tool settings
- Audit logs and activity records
Data from one organization is completely isolated and inaccessible to other organizations.
Model Provider Security
Azure & AWS Bedrock APIs
WonkaChat connects to AI models through secure Azure and AWS Bedrock APIs. Your data is processed in real-time and never stored or retained by model providers.
Ephemeral Model Processing
When you interact with an AI model, your prompts and responses are sent to the model provider, processed in memory, and immediately discarded by the provider after generating the response.
Your conversations are securely stored in WonkaChat for you to access your history, but model providers (Azure, AWS) never retain, store, or use your data for training or any other purpose.
Your conversation history is securely stored in WonkaChat where you control it. Model providers only process requests temporarily without any data retention or reuse.
Privacy Policy
For comprehensive details on how WonkaChat handles, processes, and protects your data, please review our Privacy Policy.
WonkaChat Privacy Policy
Read our complete Privacy Policy to understand data collection, usage, storage, and your rights as a WonkaChat user.
MCP Security Controls
WonkaChat supports MCP (Model Context Protocol) servers with granular security configuration and multi-user isolation.
Multi-User Isolation
User-Specific Token Storage
Each user’s MCP authentication tokens are stored separately and securely:
- Tokens are isolated per user account
- No cross-user token access or sharing
- Automatic token cleanup on user deactivation
Your MCP credentials are never accessible to other users, even within the same organization.
Session-Based Authentication
MCP connections use session-based authentication for security:
- Automatic user identification via request headers
- Session validation on every MCP operation
- Timeout enforcement to prevent stale sessions
Authentication Strategies
WonkaChat supports multiple MCP authentication methods:
- in-tool: User authenticates directly within the connected tool
- oauth: OAuth 2.0 flow for secure, delegated access
- api-key: API key-based authentication for service integrations
The authentication strategy is determined by the MCP server provider and cannot be changed by your organization.
No Permission Escalation
Inherit Your Permissions
MCP connections inherit your exact permissions when accessing connected tools. They cannot access anything you couldn’t access manually.
No Admin Bypass
MCP connections cannot be used to override, bypass, or escalate permissions in connected systems. Your security policies remain fully enforced.
What You Can Control
While WonkaChat provides robust built-in security, you control additional layers:
Access Control
Manage user roles and control who can access specific agents
Tool Restriction
Restrict which MCP tools and connections are available
Best Practices
Follow recommended guidelines for safe AI usage in your organization
Combining WonkaChat’s built-in security with your organization’s access controls and practices creates a comprehensive security framework.
