
Security

How Wendy keeps your devices and data secure

Wendy is built on a foundation of mutual TLS, cryptographic device identity, and role-based access control. Security is not an add-on — it's how the platform works.

Device Identity

Every device gets a unique X.509 certificate during provisioning. This certificate is the device's cryptographic identity — it's how Wendy Cloud recognizes and trusts your hardware.

  • Certificates are issued by Wendy's managed PKI (or your own self-hosted pki-core instance)
  • Enrollment uses a short-lived, single-use token so credentials are never reused
  • The device's trust bundle supports CA key rollover, so certificate rotation doesn't interrupt your fleet

Encrypted Connections

All communication between devices and the cloud uses mutual TLS (mTLS). Both sides present certificates — the device proves it's a real enrolled device, and the cloud proves it's the real Wendy Cloud.

CLI connections use the same model. When you run wendy cloud tunnel, your developer machine authenticates with a user certificate issued at login.

Access Control

Organizations in Wendy Cloud have fine-grained roles:

Role    | What they can do
Owner   | Full access — billing, settings, team management
Admin   | Manage devices, apps, and deployments
Member  | Deploy and manage apps
Viewer  | Read-only access

Every API call is checked against your organization's policy before anything happens.

Authentication Methods

Interactive Login

Sign in with your Wendy account. The CLI stores a session token locally and uses it automatically.

Personal Access Tokens

For CI/CD pipelines and scripts. Tokens are scoped to your account and can be revoked at any time.

Device Certificates

Devices authenticate with X.509 client certificates over mTLS — no passwords, no shared secrets.

Self-Hosted PKI

If you need to keep your certificate authority on-premises, Wendy offers pki-core — a self-hosted PKI engine. Point the CLI at it and the full mTLS stack works without any cloud dependency. Contact us to learn more.

Reporting Issues

Found a security vulnerability? Email security@wendylabs.com — we respond promptly to all responsible disclosures.