Access Controls & Authentication

Last updated: April 17, 2026

Available on: Mac, Windows, iOS, Android

Wispr Flow uses enterprise-grade access controls to protect your data — including multiple sign-in methods, role-based permissions, session security, and SSO integration to ensure only authorized users access your information.


What it is

Access controls determine who can sign in to Wispr Flow and what they can do once authenticated. Flow supports multiple sign-in methods, enterprise SSO integration, and role-based permissions for team accounts.


How it works in Flow

Overview

Flow combines multiple authentication methods, session management, and role-based permissions to secure access across all platforms.

Key behaviors

Flow supports multiple secure sign-in methods to fit your workflow and organization's requirements.

  • OAuth providers: Sign in with Google, Apple, or Microsoft.

  • Enterprise SSO: Single Sign-On via your identity provider.

  • Email and password: Standard credential-based login.

Note: On the desktop app (Mac and Windows), all sign-in options are accessed through a single "Sign in via browser" button. Your browser opens and lets you choose your preferred method. The browser sign-in session expires after 5 minutes — if not completed, click "Sign in via browser" again.

Note: On iOS, Google and Apple sign-in are shown by default. Microsoft, SSO, and email/password options appear after tapping "More Options."

Security measures

  • Email verification: Required before first sign-in.

  • Session tokens: Time-based expiry (default 1 hour) with explicit revocation support.

  • CAPTCHA challenges: Enforced on iOS for account creation, password reset, and verification email resends. Android and desktop browser flows use standard endpoints.

  • PKCE protection: OAuth code exchange flows use Proof Key for Code Exchange (PKCE) to prevent authorization code interception attacks. PKCE sessions have a 30-minute TTL.

  • Anti-enumeration: Sign-up attempts with existing emails return a success response rather than an error, preventing attackers from determining which email addresses have accounts.
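The PKCE exchange described above, written out as an added example (not Flow's own code): the client derives a code_challenge from a random code_verifier, the server binds the challenge to a one-time authorization code and enforces the 30-minute TTL, and the code can only be redeemed by presenting the original verifier. The S256 challenge method and the fixed timestamp are assumptions.

```python
import base64
import hashlib
import secrets

PKCE_TTL_SECONDS = 30 * 60   # the page states a 30-minute TTL for PKCE sessions

def b64url(data: bytes) -> str:
    """Base64url without padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def make_verifier_and_challenge() -> tuple[str, str]:
    """Client side: a random code_verifier and its S256 code_challenge (assumed method)."""
    verifier = b64url(secrets.token_bytes(32))   # 43 chars, within RFC 7636's 43..128
    challenge = b64url(hashlib.sha256(verifier.encode("ascii")).digest())
    return verifier, challenge

class AuthorizationServer:
    """Server side: stores the challenge per issued code and enforces the TTL."""

    def __init__(self, ttl: int = PKCE_TTL_SECONDS):
        self.ttl = ttl
        self._pending: dict[str, tuple[str, float]] = {}   # code -> (challenge, issued_at)

    def authorize(self, code_challenge: str, now: float) -> str:
        """Issue a one-time authorization code bound to the challenge."""
        code = secrets.token_urlsafe(24)
        self._pending[code] = (code_challenge, now)
        return code

    def exchange(self, code: str, code_verifier: str, now: float) -> bool:
        """Redeem the code; succeeds only with the matching, unexpired verifier."""
        entry = self._pending.pop(code, None)   # single use, whatever the outcome
        if entry is None:
            return False
        challenge, issued_at = entry
        if now - issued_at > self.ttl:
            return False
        expected = b64url(hashlib.sha256(code_verifier.encode("ascii")).digest())
        return secrets.compare_digest(expected, challenge)

def run_exchange(with_original_verifier: bool = True, elapsed: float = 0.0) -> bool:
    """Drive one PKCE round trip at a fixed clock and report whether it succeeded."""
    server = AuthorizationServer()
    verifier, challenge = make_verifier_and_challenge()
    issued_at = 1_700_000_000.0                   # constructed timestamp
    code = server.authorize(challenge, issued_at)
    if not with_original_verifier:
        verifier, _ = make_verifier_and_challenge()   # a verifier the code was never bound to
    return server.exchange(code, verifier, issued_at + elapsed)
```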

Password requirements

  • Minimum length: 6 characters (enforced on iOS and Android). Maximum length: 72 characters (enforced on Android only — iOS has no client-side maximum). Android also blocks passwords that exactly match the user's full name (case-insensitive). Desktop defers to the authentication provider via browser-based login.

  • Storage: Passwords are securely hashed by the authentication provider — Wispr Flow does not store passwords directly.

  • Reset: Via email with CAPTCHA verification, rate limited to 3 requests per 30 minutes per email/IP.

  • Email aliases: Email addresses containing "+" (e.g., user+tag@example.com) are not supported for account registration.

  • Numeric email local parts: Email addresses with all-numeric local parts (e.g., 123456@example.com) are blocked at sign-up.

Session security

  • JWT tokens: Signed with HS256. Token expiry is configured in the authentication provider (Supabase).

  • Token revocation: Platform tokens can be individually revoked via API. JWT tokens are validated statelessly by signature; API keys are validated against a Redis cache backed by the database.

  • Session recovery: If your session expires, the app automatically attempts to refresh it. The app proactively refreshes tokens before they expire.

  • Device code sessions: 5-minute TTL for device authentication flows.

  • API keys: Use the fl- prefix format (35 characters), are stored as bcrypt hashes, and are validated through a Redis cache (5-minute TTL).

Important: Resetting your password immediately invalidates all existing sessions across all devices. Session invalidation is best-effort — if the sign-out request fails due to a network error, the password change still completes but old sessions may remain active until their natural expiry.

Role-based access control

Enterprise accounts support three roles with distinct permissions:

  • Admin: Manage team settings, invitations, and billing.

  • SuperAdmin: Functionally equivalent to Admin — both roles have the same permissions in the current implementation.

  • Member: Standard access to Flow features.

Note: For enterprises using SCIM directory sync, user management is delegated to the identity provider — manual additions and removals are blocked.

Enterprise SSO and SCIM

Enterprise customers can configure Single Sign-On via WorkOS, supporting both SP-initiated and IdP-initiated authentication flows.

  • SSO enforcement: When enabled, email/password and OAuth provider login are blocked for affected users — they are redirected to SSO instead.

  • Subscription dependency: SSO enforcement requires an active enterprise subscription. If the subscription lapses, SSO enforcement is automatically disabled.

  • SCIM directory sync: Enables automated user provisioning and deprovisioning through your identity provider.

  • Automated access control: With SCIM active, the "Add new user" button and Approve/Deny actions are hidden in the desktop team management interface. A SCIM delegation message is shown in the Other Domain Users tab. User additions should be performed through the identity provider.

  • SCIM seat cap: If the enterprise has reached its seat limit, new user provisioning via SCIM is blocked (returns HTTP 200 to prevent retries, with no user-facing notification). The email invitation fallback is also blocked when the seat cap is exceeded.

  • SCIM domain blocking: Users cannot sign up (via email, OAuth, or any method) using an email address from a SCIM-managed enterprise domain. They must be provisioned through the identity provider.

Access termination

  • SCIM-enabled enterprises: Access is automatically revoked when a user is removed from the identity provider. Pending invitations are also revoked.

  • Non-SCIM enterprises: Admins can manually remove members through the team management interface.

Customer data segregation

  • Enterprise isolation: Each enterprise has its own teams, domains, subscriptions, invitations, and join requests with cascade-delete enforcement.

  • Access scoping: Enterprise data operations are scoped by enterprise ID, with authentication required for all API endpoints.

  • Domain visibility: Enterprise domains can be soft-deleted (hidden from settings, auto-invite disabled, removed from SSO) without permanent data deletion.

Enterprise admin functions

  • Settings and member management: Require the Admin role within the enterprise.

  • Enterprise-level settings: Zero Data Retention, local data deletion, SSO enforcement, and Context Awareness require an enterprise plan with active subscription.

  • Local data deletion policies: On desktop, three options are available — Store Normally (default), Delete After 24 Hours (data older than 1 day cleared on app launch), and Never Store (all local data cleared on every app launch). The enterprise policy sets a minimum restrictiveness floor — users can only choose equally or more restrictive options. When set to Never Store, the setting is fully locked. Existing local data is immediately deleted to enforce compliance when a policy is activated.

  • HIPAA compliance: Once a HIPAA BAA is signed, Zero Data Retention cannot be disabled.

  • Organization-level ZDR enforcement: Zero Data Retention can also be enforced organization-wide by enterprise admins, independent of HIPAA BAA. Once enforced at the org level, individual members cannot disable it.

  • Context Awareness enforcement: Enterprise admins can control Context Awareness from Organization settings → Data Controls. Two options are available: "Available" (default — users can toggle it themselves) and "Disable for all users" (forces Context Awareness off for everyone). When disabled organization-wide, the toggle in each user's Data & Privacy settings is turned off and locked, with a tooltip indicating the setting is managed by the organization. Context Awareness enterprise enforcement currently applies to the desktop app only.

Rate limiting and abuse prevention

Authentication endpoints are protected by tiered rate limiting to prevent abuse.

  • General authentication: 20 requests/minute.

  • Email signup: 10 requests/minute per IP, plus 3 attempts per hour per email address.

  • Password reset: 3 requests per 30 minutes per email/IP.

  • Verification email resend: 3 requests per 30 minutes per email/IP.

  • Spam detection: Applied to signup flows.

  • Redirect validation: OAuth redirect URLs are validated against an allowlist to prevent phishing attacks.
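Added example (not Flow's own code) tying together three behaviours the page describes for email sign-up: the two rate-limit tiers above (10 requests/minute per IP, 3 attempts/hour per email), the registration rules that reject "+" aliases and all-numeric local parts, and the anti-enumeration rule that an existing address gets the same success response as a new one. The response wording and status codes, the sliding-window implementation and the pre-existing account are assumptions.

```python
from collections import defaultdict, deque

# Limits the page states for the email sign-up endpoint.
PER_IP_LIMIT, PER_IP_WINDOW = 10, 60          # 10 requests/minute per IP
PER_EMAIL_LIMIT, PER_EMAIL_WINDOW = 3, 3600   # 3 attempts/hour per email address

GENERIC_OK = {"status": 200, "message": "Check your inbox for a verification email."}
TOO_MANY = {"status": 429, "message": "Too many requests. Try again later."}
UNSUPPORTED = {"status": 400, "message": "This email address is not supported."}

class SlidingWindowLimiter:
    """Allows at most `limit` events per key in any trailing `window` seconds."""
    def __init__(self, limit: int, window: int):
        self.limit, self.window = limit, window
        self._hits: dict[str, deque] = defaultdict(deque)

    def allow(self, key: str, now: float) -> bool:
        hits = self._hits[key]
        while hits and now - hits[0] >= self.window:
            hits.popleft()              # drop events that fell out of the window
        if len(hits) >= self.limit:
            return False
        hits.append(now)
        return True

def email_allowed(email: str) -> bool:
    """Registration rules from the page: no '+' anywhere, no all-numeric local part."""
    local, sep, domain = email.partition("@")
    return bool(sep and local and domain) and "+" not in email and not local.isdigit()

class SignupService:
    def __init__(self):
        self.ip_limiter = SlidingWindowLimiter(PER_IP_LIMIT, PER_IP_WINDOW)
        self.email_limiter = SlidingWindowLimiter(PER_EMAIL_LIMIT, PER_EMAIL_WINDOW)
        self.accounts = {"alice@example.com"}   # constructed pre-existing account
        self.verification_emails_sent: list[str] = []

    def signup(self, email: str, ip: str, now: float) -> dict:
        email = email.strip().lower()
        # Every request consumes quota on both tiers before anything else happens.
        if not (self.ip_limiter.allow(ip, now) and self.email_limiter.allow(email, now)):
            return TOO_MANY
        if not email_allowed(email):
            return UNSUPPORTED
        if email not in self.accounts:
            self.accounts.add(email)
            self.verification_emails_sent.append(email)
        # Anti-enumeration: existing and new addresses get the identical success reply.
        return GENERIC_OK
```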

Access logging and monitoring

  • Authentication events: Token validation failures and expired sessions are logged.

  • Performance monitoring: Sentry is used for monitoring authentication flows.

  • SCIM-enabled organizations: Access reviews are managed through the identity provider.

Third-party access

  • Minimal permissions: Third-party service integrations use only the required permissions.

  • OAuth scopes: Microsoft is configured with explicit minimum scopes (email, openid, profile, User.Read, offline_access). Google and Apple rely on authentication provider (Supabase) default scopes.

  • Credential tiers: Standard operations use restricted API keys while administrative operations use dedicated service role keys.

  • Redirect protection: OAuth redirect URLs are validated against an allowlist to prevent unauthorized redirects.
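The allowlist validation of OAuth redirect URLs mentioned in this section and under "Rate limiting and abuse prevention", as an added example (not Flow's own code): a strict exact match on scheme, host and path that rejects, rather than ignores, any URL component that could change where the browser actually lands. The allowlist entries and the default destination are placeholders, since the page does not publish Flow's real ones.

```python
from typing import Optional
from urllib.parse import urlsplit

# Constructed allowlist of (scheme, host, path); placeholders, not Flow's real entries.
ALLOWED_REDIRECTS = {
    ("https", "app.example.com", "/auth/callback"),
    ("https", "account.example.com", "/sso/callback"),
}
DEFAULT_REDIRECT = "https://app.example.com/auth/callback"

def is_allowed_redirect(url: str) -> bool:
    """Strict exact-match check of an OAuth redirect URL against the allowlist.

    Scheme, host and path must all equal one allowlisted entry. Userinfo, an
    explicit port, a query string and a fragment are rejected outright, so no
    prefix, suffix or lookalike variation of an allowlisted host gets through.
    """
    try:
        parts = urlsplit(url)
        port = parts.port            # raises ValueError on a malformed port
    except ValueError:
        return False
    if parts.username is not None or parts.password is not None:
        return False                 # userinfo can make a URL read like another host
    if port is not None or parts.query or parts.fragment:
        return False
    host = parts.hostname            # lowercased by urlsplit, IPv6 brackets stripped
    if not host:
        return False
    return (parts.scheme, host, parts.path) in ALLOWED_REDIRECTS

def resolve_redirect(requested: Optional[str]) -> str:
    """Pick the post-login destination: the requested URL only if allowlisted,
    otherwise the default. A rejected value is never echoed back to the browser."""
    if requested and is_allowed_redirect(requested):
        return requested
    return DEFAULT_REDIRECT
```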


FAQs

What sign-in methods does Wispr Flow support?

Flow supports Google, Apple, and Microsoft OAuth, enterprise SSO via your identity provider, and email/password authentication. On desktop apps, all options are accessed through the "Sign in via browser" button.

Can I use SSO with Wispr Flow?

Yes, enterprise SSO is available for Enterprise plan subscribers. When SSO is enabled, email/password and OAuth login are blocked for affected users — they are redirected to SSO instead.

What happens if my enterprise subscription lapses?

SSO enforcement is automatically disabled, and users must sign in with an alternative method until the subscription is renewed.

How does SCIM directory sync work?

SCIM enables automated user provisioning and deprovisioning through your identity provider. When active, all user additions and removals must be performed through the identity provider — manual management is blocked in the Flow interface.

What happens if my session expires while I'm using Flow?

Flow automatically detects expired sessions and attempts to refresh them. If you're a paid subscriber and temporarily see a free-tier prompt, the app re-checks your subscription status shortly after refreshing your session. No manual action is required.

Can my organization's admin disable Context Awareness for all users?

Yes, on the Enterprise plan, admins can go to Organization settings → Data Controls and set Context Awareness to "Disable for all users." This turns off and locks the toggle for every member.


Limitations and notes

  • Enterprise SSO and SCIM features require an Enterprise plan subscription.

  • Role-based access control is available on enterprise accounts only.

  • HIPAA BAA customers cannot disable Zero Data Retention once the agreement is signed.

  • Email addresses containing "+" are not supported for account registration.

  • Certain enterprise settings (zdrLocked, restrictDomainAccess, usageExportAllowed) can only be modified by Wispr administrators.

  • Context Awareness organizational enforcement is available on the Enterprise plan only and currently applies to the desktop app only.