Last updated: 2026-05-18
Ptera uses Supabase Auth, supporting the following methods:
Signup and high-attempt sign-in are protected by Cloudflare Turnstile. Both flows are rate-limited per-IP and per-email. Apple OAuth is currently disabled.
User personal data (email, OAuth identifiers, MFA factors) is managed by Supabase Auth and accessed only via the service_role key on our server. API responses return only publicly shareable fields; email, stripe_customer_id, and internal auth IDs are never sent to the client.
All traffic is encrypted with TLS (HTTPS). API keys are kept in server-side environment variables; only NEXT_PUBLIC_-prefixed values are shipped to the browser bundle.
Row Level Security is applied across core tables so other users' private data is never returned. Authorization is enforced at the DB and server layers — never client-side.
Users have a 4-tier role system. Only owner can act on admin/owner targets (role change, ban, hard delete). No one — not even owner — can act on themselves.
We block major AI crawlers (GPTBot / ClaudeBot / CCBot / Applebot-Extended, etc.) via robots.txt and X-Robots-Tag (noai / noimageai) so that user-generated content is not silently used for AI training.
Important admin/moderator actions (role changes, bans, hard deletes, report resolutions) are written to audit_logs and visible only to staff. Used for incident investigation, compliance, and root-cause analysis.
Posts and comments use logical deletion (deleted_at) by default; physical deletion follows after a retention period. Account deletion cascades to related data. GDPR / APPI deletion requests are honored.
Posts, comments, users, and plans can be reported. Report data is invisible to the reported party; only moderators / admins / owners review them. Repeat-report abuse is throttled by rate limits and tracked in audit logs.
By default we only use strictly-necessary cookies (Supabase HttpOnly auth session, display preferences). Analytics cookies (Google Analytics) load only after explicit consent.
In the event of detected data leak or unauthorized access, we follow the steps below:
If you find a security issue, please report it via the contact form (Security category) rather than posting publicly. Include reproduction steps, impact, and a PoC if possible. We handle such reports promptly and with appreciation.