Security & roles

Loma runs on your own infrastructure, so the security posture is yours to own. A few essentials:

Secrets hygiene

  • Never commit .env, credentials, private prompts, playbooks, or customer data. Company-specific knowledge belongs in your database and environment, not in source.
  • Integration credentials are encrypted at rest in the database.
  • On the dashboard's Environment page, sensitive values (anything containing SECRET, KEY, TOKEN, PASSWORD, or ENCRYPTION) are masked; revealing a value requires an admin.
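
A pre-commit check for the first rule above, reusing the name markers from the masking rule. This is an added example, not Loma's own code. The placeholder patterns, the template-file exceptions, and matching the markers against upper-case NAME=value variable names are assumptions.

```python
import re
import subprocess
import sys
from pathlib import PurePosixPath

# Name markers the page lists for masking on the Environment page.
MARKERS = ("SECRET", "KEY", "TOKEN", "PASSWORD", "ENCRYPTION")
# Env-style NAME=value, optionally prefixed by "export " or a YAML list dash.
ASSIGN = re.compile(r"^\s*(?:export\s+|-\s+)?([A-Z][A-Z0-9_]*)=(.*)$")
# Assumed placeholders: empty, changeme, $VAR / ${VAR}, <...>, xxx, ***.
PLACEHOLDER = re.compile(r"^(|changeme|\$\{?\w+\}?|<[^>]*>|x+|\*+)$", re.I)


def is_env_file(path: str) -> bool:
    """True for .env and .env.<suffix>, except template files (assumed suffixes)."""
    name = PurePosixPath(path).name
    return name == ".env" or (name.startswith(".env.") and not name.endswith((".example", ".sample", ".template")))


def scan_text(path: str, text: str) -> list[str]:
    """Flag sensitive-looking names that are assigned a non-placeholder value."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = ASSIGN.match(line)
        if not m:
            continue
        name, value = m.group(1), m.group(2).strip().strip("\"'")
        if any(k in name for k in MARKERS) and not PLACEHOLDER.match(value):
            findings.append(f"{path}:{lineno}: {name} is assigned a literal value")
    return findings


def check(files: dict[str, str]) -> list[str]:
    """files maps staged path -> staged content; returns every finding."""
    out = []
    for path, text in files.items():
        if is_env_file(path):
            out.append(f"{path}: env file must not be committed")
        else:
            out.extend(scan_text(path, text))
    return out


if __name__ == "__main__":
    def git(*args: str) -> str:
        return subprocess.run(["git", *args], capture_output=True, text=True, errors="replace").stdout
    names = git("diff", "--cached", "--name-only", "--diff-filter=ACM").splitlines()
    problems = check({n: git("show", f":{n}") for n in names})
    sys.exit("\n".join(problems) if problems else 0)
```

Run from a Git pre-commit hook, it reads the staged content, so a non-zero exit blocks the commit before the secret reaches history.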

Roles

Access is role-based. Admins manage users, teams, and roles from the dashboard:

Role         Typical access
admin        Full control, including users, roles, and configuration.
maintainer   Manage skills, flows, and integrations.
operator     Run and manage flows/automations.
analyst      Read access to skills, conversations, and data.
chatter      Use the agent in chat.

The first user created with LOMA_SETUP_TOKEN becomes admin.

Reporting a vulnerability

Please report security issues responsibly — see SECURITY.md in the repository. Don’t open a public issue for a vulnerability.