
Secure Authentication

Swifty Team Feb 13, 2026 3 min read

Authentication is the gate between the public internet and your business data. A weak gate exposes your data to people who shouldn't have access to it. An inconvenient gate means your team finds workarounds: shared credentials, staying logged in on shared computers, using weak passwords to make them easier to type.

Good authentication balances security and usability. Both sides of that balance matter.

Token-Based Authentication

Swifty uses token-based authentication. When a user logs in with valid credentials, they receive a session token — a cryptographic credential that identifies their authenticated session without transmitting their password on every request.

The token is stored securely and sent with each request to prove authentication. It's time-limited: tokens expire, reducing the window of exposure if a token is somehow compromised.

Automatic Session Refresh

Short token lifetimes are more secure but create usability problems if users get logged out in the middle of their work. The platform handles this with automatic refresh: while a user is actively working, their session token is refreshed transparently, extending the session without requiring re-authentication.

When a user closes their browser and returns later, they're prompted to log in again. The session doesn't persist indefinitely on an idle device — which matters for shared workstations and devices left unattended.

Brute-Force Protection

Login attempts are rate-limited. Repeated failed attempts trigger progressively longer delays and eventually a temporary lockout. This blocks automated credential-stuffing attacks that try thousands of username/password combinations.

Lockouts are logged and visible to administrators, so unusual login patterns are detectable.
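
The progressive delays, temporary lockout and administrator-visible lockout log described above, as an added example (not Swifty's own code). The thresholds, the `LoginThrottle` name and the `username|client address` key are assumptions chosen for illustration; the sample run is constructed.

```python
import time

# Assumed thresholds for illustration; the page does not state the platform's values.
FREE_ATTEMPTS = 3        # failures allowed before any delay applies
BASE_DELAY = 2.0         # seconds, doubled on each further failure
LOCKOUT_AFTER = 8        # consecutive failures that trigger a lockout
LOCKOUT_SECONDS = 900.0  # length of the temporary lockout


class LoginThrottle:
    def __init__(self, clock=time.monotonic):
        self.clock = clock
        self.state = {}      # key -> [consecutive_failures, blocked_until]
        self.audit_log = []  # lockout events, to be surfaced to administrators

    def retry_after(self, key):
        """Seconds until the next attempt is accepted (0.0 means allowed now)."""
        return max(0.0, self.state.get(key, [0, 0.0])[1] - self.clock())

    def attempt(self, key, verify):
        """Run verify() only if key is not currently delayed or locked out."""
        wait = self.retry_after(key)
        if wait > 0:
            return "blocked", wait      # credential is never checked while blocked
        if verify():
            self.state.pop(key, None)   # success clears the failure history
            return "ok", 0.0
        entry = self.state.setdefault(key, [0, 0.0])
        entry[0] += 1
        now = self.clock()
        if entry[0] >= LOCKOUT_AFTER:
            entry[:] = [0, now + LOCKOUT_SECONDS]  # lock, then restart the count
            self.audit_log.append({"event": "lockout", "key": key, "at": now})
        elif entry[0] > FREE_ATTEMPTS:
            entry[1] = now + BASE_DELAY * 2 ** (entry[0] - FREE_ATTEMPTS - 1)
        return "failed", self.retry_after(key)


def simulate(n_failures):
    """Constructed run: one key fails n times, waiting out every delay."""
    t = [0.0]
    throttle = LoginThrottle(clock=lambda: t[0])  # fake clock, no real sleeping
    waits = []
    for _ in range(n_failures):
        _, wait = throttle.attempt("alice|203.0.113.7", lambda: False)
        waits.append(wait)
        t[0] += wait  # the client waits exactly as long as it was told to
    return waits, throttle
```

With these assumed values, eight consecutive failures produce waits of 0, 0, 0, 2, 4, 8 and 16 seconds, then a 900-second lockout and one audit entry. In a multi-server deployment the counters would live in a shared store so that every application server sees the same state.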

Secure Credential Storage

Passwords are never stored in recoverable form. The platform stores a one-way cryptographic hash of each password — when a user logs in, the submitted password is hashed and compared to the stored hash. The original password cannot be reconstructed from the hash, even by someone with full database access.

Password reset flows send a time-limited, single-use link to the registered email address. There is no "retrieve your password" flow because there is no stored password to retrieve.

HTTPS Throughout

All authentication flows — login, token refresh, session management — run exclusively over encrypted connections. Credentials and tokens are never transmitted in plaintext. The encryption is enforced at the infrastructure level, not just advised.

Secure authentication is infrastructure, not a feature. It's the foundation everything else depends on.
