
Security at Toastti

Toastti is designed with tenant separation, role controls, server-side credential handling, and export sanitization in mind.

Organization-based access

Toastti is structured so each organization (workspace) owns its own products, inventory, listings, sales, reports, and operational history, and no request can reach another organization's records.

Role-based permissions

Owner, admin, manager, staff, and viewer roles separate team management, operational actions, reporting, and read-only access.

API credential encryption

Marketplace credentials are designed to be encrypted server-side and never exposed in client components.
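An added example (not Toastti's own code) of server-side credential encryption with Node's built-in crypto: AES-256-GCM with the organization ID as additional authenticated data, so a ciphertext copied from one organization's row into another's fails to decrypt. The key would come from a server-only environment variable; here a random key stands in so the file runs offline. The record shape and the `publicView` function are assumptions made for the example.

```typescript
import { createCipheriv, createDecipheriv, randomBytes } from "node:crypto";

// Added example, not Toastti's own code. Assumption: a 256-bit master key that
// exists only on the server (normally loaded from a server-only env var).
const MASTER_KEY: Buffer = randomBytes(32);

// Stored form of an encrypted credential (assumed shape): everything needed to
// decrypt except the key, base64-encoded for a text column. orgId is stored for
// lookup; the cryptographic binding to the tenant is the AAD below.
interface EncryptedSecret {
  iv: string;
  tag: string;
  ciphertext: string;
  orgId: string;
}

function encryptCredential(orgId: string, plaintext: string, key: Buffer = MASTER_KEY): EncryptedSecret {
  const iv = randomBytes(12); // fresh GCM nonce for every encryption
  const cipher = createCipheriv("aes-256-gcm", key, iv);
  cipher.setAAD(Buffer.from(orgId, "utf8")); // tie the ciphertext to its organization
  const ciphertext = Buffer.concat([cipher.update(plaintext, "utf8"), cipher.final()]);
  return {
    iv: iv.toString("base64"),
    tag: cipher.getAuthTag().toString("base64"),
    ciphertext: ciphertext.toString("base64"),
    orgId,
  };
}

// Returns the plaintext, or null when the record was modified or the caller's
// organization does not match the one it was encrypted for (the tag check fails).
function decryptCredential(record: EncryptedSecret, orgId: string, key: Buffer = MASTER_KEY): string | null {
  try {
    const decipher = createDecipheriv("aes-256-gcm", key, Buffer.from(record.iv, "base64"));
    decipher.setAAD(Buffer.from(orgId, "utf8"));
    decipher.setAuthTag(Buffer.from(record.tag, "base64"));
    const plaintext = Buffer.concat([
      decipher.update(Buffer.from(record.ciphertext, "base64")),
      decipher.final(), // throws on tag mismatch
    ]);
    return plaintext.toString("utf8");
  } catch {
    return null;
  }
}

// The only shape a client component should ever receive: whether a credential
// is configured, never the secret or its ciphertext.
function publicView(record: EncryptedSecret): { orgId: string; configured: boolean } {
  return { orgId: record.orgId, configured: record.ciphertext.length > 0 };
}

// Stand-alone run with a constructed credential value.
const stored = encryptCredential("org-a", "marketplace-api-key-123");
console.log(publicView(stored));
console.log(decryptCredential(stored, "org-a")); // the original value
console.log(decryptCredential(stored, "org-b")); // null: wrong organization
```

Returning null rather than rethrowing keeps the failure path uniform for callers, but the server should still log that a decrypt failed (without the record contents), since a tag failure on stored data is either corruption or tampering.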

Audit logs

Sensitive organization activity can be recorded for owner/admin review; redaction helpers are applied to event metadata so that secret-like values do not end up in the log.

Data exports

Export tools sanitize secret-like fields and exclude API credentials, tokens, passwords, and encrypted values from exported data.
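An added example (not Toastti's own code) of one redaction helper that serves both the audit-log metadata described above and data exports: audit logs keep the field name and replace the value, so reviewers still see which setting changed, while exports drop the field entirely. The key patterns, the value heuristic and the "[REDACTED]" marker are assumptions, and the sample row is constructed for the example.

```typescript
// Added example, not Toastti's own code: secret-aware sanitization for audit
// metadata and exports. Patterns and marker text are assumptions.

// Field names that carry secrets (assumed list, case-insensitive).
const SECRET_KEY_PATTERN = /secret|token|password|passwd|api[_-]?key|credential|private[_-]?key|encrypted/i;

// Values that look like secrets even under an innocent key (assumed heuristic):
// bearer-style strings and long unbroken base64/hex-looking blobs.
const SECRET_VALUE_PATTERN = /^(Bearer\s+\S+|[A-Za-z0-9+\/=_-]{40,})$/;

type Json = string | number | boolean | null | Json[] | { [key: string]: Json };

function looksSecret(key: string, value: Json): boolean {
  if (SECRET_KEY_PATTERN.test(key)) return true;
  return typeof value === "string" && SECRET_VALUE_PATTERN.test(value);
}

// mode "redact": keep the key, replace the value (audit logs show what changed).
// mode "strip": omit the field (exports never carry it at all).
function sanitize(input: Json, mode: "redact" | "strip"): Json {
  if (Array.isArray(input)) return input.map((v) => sanitize(v, mode));
  if (input === null || typeof input !== "object") return input;
  const out: { [key: string]: Json } = {};
  for (const [key, value] of Object.entries(input)) {
    if (looksSecret(key, value)) {
      if (mode === "redact") out[key] = "[REDACTED]";
      continue; // strip mode drops the field
    }
    out[key] = sanitize(value, mode); // recurse into nested objects and arrays
  }
  return out;
}

const redactForAudit = (meta: Json): Json => sanitize(meta, "redact");
const sanitizeForExport = (rows: Json): Json => sanitize(rows, "strip");

// Constructed sample: a marketplace connection row as it might sit in the database.
const SAMPLE_ROW: { [key: string]: Json } = {
  id: 42,
  marketplace: "example-market",
  api_key: "key-1234567890",
  access_token_encrypted: "c2VhbGVkLWJsb2I=",
  settings: { region: "eu", webhook_secret: "whsec_abc" },
  notes: "Bearer abc.def.ghi",
  updated_by: "u1",
};

console.log(JSON.stringify(redactForAudit(SAMPLE_ROW)));
console.log(JSON.stringify(sanitizeForExport(SAMPLE_ROW)));
```

The value heuristic catches secrets pasted into free-text fields, which a key-name list alone misses; it can also flag long SKUs or hashes, which is the safer direction for an export to err in.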

Supabase RLS readiness

SQL setup includes organization-scoped RLS policies as a database backstop in addition to server-side route checks, so a missed check in application code still cannot read or write another organization's rows.

Secret handling

Server-only keys stay out of browser code, local seed mode avoids storing API credentials, and logs avoid raw secrets.