Tractorscope security is based on account isolation, controlled database access, permissioned dashboards, server-side embed signing, and network controls.
Account access
Users access Tractorscope through accounts. Account admins invite users, deactivate users, manage groups, and assign dashboard permissions.
Authentication
Tractorscope supports login flows, password reset, and two-factor authentication. Enable two-factor authentication for users who need stronger login protection.
Database credentials
Database credentials are stored by Tractorscope so charts, dashboards, alerts, and reports can run queries. Use least-privilege database users whenever possible.
Dashboard permissions
Use groups to control dashboard access. Give edit access only to users who should change dashboard queries, layout, sharing, or embeds.
Embeds
Embeds use signed payloads generated with API keys. API keys should stay server-side. Allowed domains help control where embeds can run.
For customer-facing embedded analytics, the safest pattern is to generate signed embed payloads on your backend and include any tenant filters in that signed payload.
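The pattern above, sketched as an added example that is not Tractorscope's own code or token format: a backend signs the dashboard, tenant filter, and expiry together, so a filter changed in the browser no longer verifies. The HMAC-SHA256 scheme, the field names, and the functions `sign_embed`, `verify_embed`, and `swap_tenant` are assumptions made for illustration.

```python
import base64, hashlib, hmac, json, time

# Assumption: constructed placeholder; load the real key from a server-side secret store.
API_KEY = b"constructed-example-key-not-a-real-key"

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _encode(payload: dict) -> str:
    # Canonical JSON so the signed bytes are stable.
    return _b64(json.dumps(payload, sort_keys=True, separators=(",", ":")).encode())

def sign_embed(dashboard_id, tenant_id, ttl=300, now=None, key=API_KEY):
    """Backend: bind dashboard, tenant filter and expiry into one signed token."""
    now = int(time.time()) if now is None else now
    body = _encode({"dashboard": dashboard_id,
                    "filters": {"tenant_id": tenant_id},
                    "exp": now + ttl})
    sig = _b64(hmac.new(key, body.encode(), hashlib.sha256).digest())
    return f"{body}.{sig}"

def verify_embed(token, now=None, key=API_KEY):
    """Verifier: return the payload only if signature and expiry hold, else None."""
    now = int(time.time()) if now is None else now
    try:
        body, sig = token.split(".")
        expected = _b64(hmac.new(key, body.encode(), hashlib.sha256).digest())
        if not hmac.compare_digest(sig, expected):  # constant-time comparison
            return None
        payload = json.loads(_unb64(body))
    except (ValueError, TypeError):
        return None  # malformed token
    return payload if payload.get("exp", 0) > now else None

def swap_tenant(token, new_tenant):
    """Test helper: rewrite the tenant filter client-side, keeping the old signature."""
    body, sig = token.split(".")
    payload = json.loads(_unb64(body))
    payload["filters"]["tenant_id"] = new_tenant
    return f"{_encode(payload)}.{sig}"
```

Because the tenant filter sits inside the signed bytes, `verify_embed(swap_tenant(token, "tenant_b"))` returns `None`; a filter passed beside the token as a plain query parameter would have no such protection.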
Network controls
Use SSH tunnels for private databases and fixed outgoing IPs when database firewalls require allowlisted IP addresses.
Best practices
- Enable two-factor authentication.
- Use least-privilege database users.
- Keep API keys out of client-side code.
- Revoke unused API keys.
- Use allowed domains for embeds.
- Review group access regularly.