Auth & Access
How the agent authenticates, console sign-in, vulnerability handling, security review, internal access, and analytics-tool credentials.
How does authentication work
The agent and apps authenticate with a scoped, rotatable, per-environment API key sent in the X-10X-Auth header; there is no shared master credential. The same key type authenticates any edge or cloud app that pushes metrics. Keys are generated via the REST API, with full lifecycle management (rotate, revoke, regenerate), and are scoped per environment and team.
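The following is an added illustration of the key scheme described above, not Log10x code: the key format, the hashed storage layout and the 15-minute rotation grace window are assumptions. What it demonstrates is the part that matters for security: each key is bound to an environment and team, only a SHA-256 digest of the key is stored, a rotation keeps the old key valid for a short overlap so senders can be switched without dropping metrics, and the check on the X-10X-Auth header refuses a key presented outside the environment it was issued for.

```python
"""Scoped, rotatable API keys for the X-10X-Auth header (added example, not Log10x code)."""
import hashlib
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional

HEADER = "X-10X-Auth"
ROTATION_GRACE_S = 15 * 60   # assumed overlap window after a rotation


@dataclass
class KeyRecord:
    environment: str
    team: str
    expires_at: Optional[float] = None   # None = live; set when rotated


class KeyStore:
    def __init__(self) -> None:
        # Indexed by SHA-256(key): the plaintext is returned once at issuance
        # and never written to disk or logs.
        self._records: Dict[str, KeyRecord] = {}

    @staticmethod
    def _digest(key: str) -> str:
        return hashlib.sha256(key.encode()).hexdigest()

    def issue(self, environment: str, team: str) -> str:
        # Assumed convention: prefix the environment so an operator can tell a
        # prod key from a staging key in config without decoding anything.
        key = f"10x_{environment}_{secrets.token_urlsafe(32)}"
        self._records[self._digest(key)] = KeyRecord(environment, team)
        return key

    def rotate(self, old_key: str, now: Optional[float] = None) -> str:
        """Issue a replacement with the same scope; the old key survives for the grace window."""
        now = time.time() if now is None else now
        rec = self._records[self._digest(old_key)]
        rec.expires_at = now + ROTATION_GRACE_S
        return self.issue(rec.environment, rec.team)

    def revoke(self, key: str) -> None:
        """Immediate revocation: the key stops working on the next request."""
        self._records.pop(self._digest(key), None)

    def authenticate(self, headers: Dict[str, str], environment: str,
                     now: Optional[float] = None) -> Optional[KeyRecord]:
        """Validate the X-10X-Auth header for a metrics push into `environment`.

        Returns the key's record on success and None on any failure (missing
        header, unknown key, expired rotation, wrong environment). Header
        names are matched case-insensitively, as HTTP requires.
        """
        now = time.time() if now is None else now
        presented = next((v for k, v in headers.items()
                          if k.lower() == HEADER.lower()), None)
        if not presented:
            return None
        rec = self._records.get(self._digest(presented))
        if rec is None:
            return None
        if rec.expires_at is not None and now >= rec.expires_at:
            return None
        # A leaked staging key must not be able to write into prod.
        if rec.environment != environment:
            return None
        return rec


if __name__ == "__main__":
    store = KeyStore()
    prod_key = store.issue("prod", "platform")
    print("prod push accepted:", store.authenticate({HEADER: prod_key}, "prod") is not None)
    print("staging push with prod key accepted:",
          store.authenticate({HEADER: prod_key}, "staging") is not None)
```

The grace window is the operational reason a rotation is two steps rather than a swap: the new key is rolled out to every forwarder first, and the old one stops validating only after the window (or immediately on `revoke`).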
The console (optional, used for evaluation) authenticates differently depending on where it runs:
- Hosted: Auth0 with enterprise SSO (SAML 2.0, OIDC), MFA, and session timeout
- Self-managed: your own OAuth provider or a deployed Keycloak instance
- Air-gapped: on-premises OAuth with no external dependencies
Access scoping: API keys are scoped per environment and user. Console access, if used, has three levels: Owner (full control), Write (modify settings), and Read (view dashboards).
How are vulnerabilities handled
Dependency updates are monitored continuously.
- Critical vulnerabilities (CVSS 9.0+): 48-hour SLA
- All other severities: 30-day SLA
- Reporting: security@log10x.com; initial response within 24 hours
- Disclosure: coordinated disclosure with recognition for valid findings
Attack surface context: 10x has no inbound network listeners. The Reporter tails logs directly (DaemonSet); the Receiver uses local IPC between the forwarder and the sidecar. Outbound connections are limited to the metrics push (HTTPS to your metrics backend).
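A practitioner verifying the "no inbound listeners" claim would check the kernel's socket tables from inside the Reporter pod or the Receiver sidecar. The script below is an added example, not part of the Log10x documentation or tooling: it parses /proc/net/tcp and /proc/net/tcp6 (the same tables `ss -ltn` reads) and returns every TCP socket in LISTEN state. If the claim holds, the result inside a 10x container is empty. The sample table at the bottom is constructed for offline testing; the container it represents is hypothetical.

```python
"""List TCP listeners from /proc/net/tcp{,6} (added example, not Log10x tooling)."""
import ipaddress
from typing import List, Tuple

TCP_LISTEN = "0A"   # socket state code for LISTEN (include/net/tcp_states.h)


def _decode_addr(hex_addr: str) -> str:
    """Decode a /proc/net/tcp{,6} address field to dotted or colon notation.

    The kernel prints each 32-bit word in host byte order, so on the usual
    little-endian machines every 4-byte group has to be reversed. IPv4 is one
    word, IPv6 is four.
    """
    raw = bytes.fromhex(hex_addr)
    words = [raw[i:i + 4][::-1] for i in range(0, len(raw), 4)]
    return str(ipaddress.ip_address(b"".join(words)))


def parse_listeners(table: str) -> List[Tuple[str, int, int]]:
    """Return (address, port, uid) for every LISTEN socket in one proc table."""
    listeners = []
    for line in table.splitlines()[1:]:          # first line is the column header
        fields = line.split()
        if len(fields) < 8:
            continue
        local, state, uid = fields[1], fields[3], int(fields[7])
        if state != TCP_LISTEN:
            continue
        addr_hex, port_hex = local.rsplit(":", 1)
        listeners.append((_decode_addr(addr_hex), int(port_hex, 16), uid))
    return listeners


def read_listeners(paths=("/proc/net/tcp", "/proc/net/tcp6")) -> List[Tuple[str, int, int]]:
    """Read the live tables; a missing file (IPv6 disabled, for instance) is skipped."""
    found = []
    for path in paths:
        try:
            with open(path) as fh:
                found.extend(parse_listeners(fh.read()))
        except FileNotFoundError:
            pass
    return found


# Constructed sample (not captured from a real 10x container): one listener on
# 127.0.0.1:9100 and one established outbound connection from 10.0.0.10 to
# 10.0.0.5:443, the shape an HTTPS metrics push would have.
SAMPLE_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:238C 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 20001 1 0000000000000000 100 0 0 10 0
   1: 0A00000A:B1D2 0500000A:01BB 01 00000000:00000000 00:00000000 00000000  1000        0 20002 1 0000000000000000 20 4 30 10 -1
"""

if __name__ == "__main__":
    live = read_listeners()
    if not live:
        print("no TCP listeners")
    for addr, port, uid in live:
        print(f"LISTEN {addr}:{port} (uid {uid})")
```

Reading the proc tables directly rather than shelling out to `ss` matters in practice: a hardened sidecar with a read-only root filesystem and a minimal image often has no `ss` or `netstat` binary, while /proc is always there.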
Container security: Deployment model varies by forwarder. OTel Collector and Logstash run the Receiver as a separate sidecar container (non-root, read-only root filesystem, independent resource limits). Fluentd, Fluent Bit, and Filebeat embed 10x as a child process within the forwarder container, inheriting its security context. The Reporter always deploys as a standalone DaemonSet pod, independent of the forwarder container. See Deployment Models for details.
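The three properties named for the sidecar (non-root, read-only root filesystem, independent resource limits) are all visible in the pod spec, so they can be audited rather than taken on trust. The script below is an added example, not Log10x tooling: given a pod object as returned by `kubectl get pod -o json`, it reports which containers fall short of those three properties. Container names, images and the manifest are constructed. For the Fluentd, Fluent Bit and Filebeat models, where 10x runs as a child process, there is no separate container to audit, so the findings for the forwarder container are the ones that apply to 10x.

```python
"""Audit pod containers for the sidecar hardening named above (added example, not Log10x tooling)."""
from typing import Dict, List

REQUIRED_LIMITS = ("cpu", "memory")


def audit_container(container: dict, pod_security_context: dict) -> List[str]:
    """Return the hardening gaps for one container; an empty list means it passes."""
    gaps = []
    # Container-level securityContext overrides the pod-level one field by field.
    sc = {**pod_security_context, **container.get("securityContext", {})}
    # Non-root is satisfied by runAsNonRoot, or by an explicit non-zero runAsUser.
    if not sc.get("runAsNonRoot") and sc.get("runAsUser", 0) == 0:
        gaps.append("runs as root (runAsNonRoot not set, runAsUser 0)")
    if not sc.get("readOnlyRootFilesystem"):
        gaps.append("root filesystem is writable")
    limits = container.get("resources", {}).get("limits", {})
    missing = [r for r in REQUIRED_LIMITS if r not in limits]
    if missing:
        gaps.append("no resource limits for " + ", ".join(missing))
    return gaps


def audit_pod(pod: dict) -> Dict[str, List[str]]:
    """Map each container name in the pod to its list of gaps."""
    spec = pod["spec"]
    pod_sc = spec.get("securityContext", {})
    return {c["name"]: audit_container(c, pod_sc) for c in spec.get("containers", [])}


# Constructed manifest (hypothetical names and images): a forwarder left at
# defaults next to a hardened sidecar.
SAMPLE_POD = {
    "spec": {
        "securityContext": {"runAsNonRoot": True},
        "containers": [
            {
                "name": "otel-collector",
                "image": "example.invalid/otel-collector:1.0",
                "securityContext": {"runAsNonRoot": False, "runAsUser": 0},
            },
            {
                "name": "tenx-receiver",
                "image": "example.invalid/tenx-receiver:1.0",
                "securityContext": {
                    "runAsNonRoot": True,
                    "runAsUser": 10001,
                    "readOnlyRootFilesystem": True,
                },
                "resources": {"limits": {"cpu": "200m", "memory": "128Mi"}},
            },
        ],
    }
}

if __name__ == "__main__":
    for name, gaps in audit_pod(SAMPLE_POD).items():
        print(name, "OK" if not gaps else "; ".join(gaps))
```

Run it against the live object with `kubectl get pod <name> -o json` piped into `json.load`; a clean result for the sidecar and a list of gaps for the forwarder is the expected picture for the OTel Collector and Logstash models.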
Can we do a security review before purchasing
Yes. Enterprise customers can schedule architecture reviews with our founders. We walk through data flows, discuss deployment models, and answer technical questions.
Documentation available:
- Architecture diagrams and data flow docs
- Software Bill of Materials (SBOM) with SHA-256 digests for container images
- SIG Lite questionnaire responses
- Sample DPA and Terraform templates
Customers may conduct their own security assessment of edge app container images. Contact security@log10x.com to coordinate.
Who at Log10x can access my metrics data
If you use the hosted metrics backend: access to your Prometheus and Grafana instances is limited to engineering leads for operational support, audited via AWS CloudTrail. Access logs are available on request. Contact security@log10x.com.
By default (your own TSDB): Log10x has zero access to your infrastructure, metrics, or dashboards.
How are analytics tool credentials managed
API keys for Splunk, Datadog, GitHub, etc. remain in your infrastructure and are never transmitted to Log10x.
10x runs within your environment and connects to analytics tools using your existing network access.