Security & roles
Loma runs on your own infrastructure, so the security posture is yours to own. A few essentials:
Secrets hygiene
- Never commit .env, credentials, private prompts, playbooks, or customer data. Company-specific knowledge belongs in your database and environment, not in source.
- Integration credentials are encrypted at rest in the database.
- In the dashboard Environment page, sensitive values (anything containing SECRET, KEY, TOKEN, PASSWORD, or ENCRYPTION) are masked; revealing a value requires an admin.
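
As an added example (not Loma's own code), the following audits a .env file against the masking rule above to show which variables would be masked and which carry a credential without matching any marker. It assumes the rule is a case-insensitive substring match on the variable name; the function names and sample values are hypothetical.

```python
import re
from urllib.parse import urlsplit

# Markers are the ones listed on the page. Matching on the variable NAME,
# case-insensitively, is this example's assumption, not documented behaviour.
MARKERS = ("SECRET", "KEY", "TOKEN", "PASSWORD", "ENCRYPTION")

def is_masked(name):
    return any(m in name.upper() for m in MARKERS)

def embeds_credential(value):
    """True for URL-style values that carry a password in the userinfo part."""
    try:
        return bool(urlsplit(value).password)
    except ValueError:
        return False

def parse_env(text):
    """Minimal KEY=VALUE parser: skips blanks/comments, strips 'export' and quotes."""
    pairs = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        name, value = line.split("=", 1)
        name = re.sub(r"^export\s+", "", name.strip())
        pairs[name] = value.strip().strip("'\"")
    return pairs

def audit(text):
    """Bucket each variable: masked by name, unmasked but risky, or plain."""
    report = {"masked": [], "unmasked_risky": [], "plain": []}
    for name, value in parse_env(text).items():
        bucket = ("masked" if is_masked(name)
                  else "unmasked_risky" if embeds_credential(value) else "plain")
        report[bucket].append(name)
    return report

# Constructed sample values; only LOMA_SETUP_TOKEN is a name from the page.
SAMPLE_ENV = """
LOMA_SETUP_TOKEN=example-setup-token
export API_KEY="example-key"
DATABASE_URL=postgres://app:example-pass@db.internal:5432/app
SMTP_PASS=example-pass
MONKEY_COUNT=3
LOG_LEVEL=info
"""

if __name__ == "__main__":
    print(audit(SAMPLE_ENV))
```

Under that assumption, SMTP_PASS matches no marker and DATABASE_URL hides its password inside the value, while MONKEY_COUNT is masked only because it contains KEY.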
Roles
Access is role-based. Admins manage users, teams, and roles from the dashboard:
| Role | Typical access |
|---|---|
| admin | Full control, including users, roles, and configuration. |
| maintainer | Manage skills, flows, and integrations. |
| operator | Run and manage flows/automations. |
| analyst | Read access to skills, conversations, and data. |
| chatter | Use the agent in chat. |
The first user created with LOMA_SETUP_TOKEN becomes admin.
Reporting a vulnerability
Please report security issues responsibly — see SECURITY.md in the repository. Don’t open a public issue for a vulnerability.