Security basics guide
DocuBot uses a secure identity and data access model to protect your source code while providing high-performance, public-facing documentation. As an administrator, understanding how DocuBot handles authentication and visibility helps you maintain a secure documentation environment.
Security model overview
DocuBot operates on a delegated security model. It does not manage independent usernames or passwords. Instead, it relies on Google for dashboard access and GitHub for repository content authorization. The final documentation is published as static HTML, which minimizes the attack surface by removing runtime processing from the public-facing help center.
Authentication and access control
You access the DocuBot management dashboard exclusively through Google Sign-In. This ensures that your account is protected by Google’s identity verification and security protocols.
Access to documentation projects is owner-based. Only the account that creates a documentation project can modify its settings, manage its repository sources, or trigger manual synchronizations.
Repository source security
DocuBot requires read access to your repositories to analyze code and generate content. The security requirements depend on the visibility of your source code:
- Public repositories: DocuBot accesses public code without requiring additional authorization.
- Private repositories: You must authorize DocuBot via GitHub OAuth to access private content. DocuBot stores these integration tokens securely to facilitate automated sync jobs.
You can review or disconnect your GitHub integration at any time through the workspace settings.
Documentation privacy and visibility
Documentation generated by DocuBot is static and public-facing by default. When you define a URL slug for your project, DocuBot creates a live route at docubot.cc/[your-slug].
Because these pages are optimized for search engines and public support, you should ensure that the information selected for publication is intended for an external audience. DocuBot does not currently support private or password-protected documentation sites.
Recommended security practices
To maintain a secure workspace, follow these administrative best practices:
- Use ignore patterns: Configure the Ignore patterns setting to exclude sensitive directories, third-party libraries, or internal configuration files from the documentation analysis.
- Verify public slugs: Carefully choose your URL slug before publishing, as this becomes a permanent part of your public identity.
- Audit connected accounts: Periodically review the GitHub accounts connected to your workspace to ensure only necessary permissions are active.
- Review audience presets: Ensure the selected document types align with the intended audience (e.g., avoid publishing “Internal Configuration” guides for “End Users”).
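The following is an added example, not DocuBot's own code. It is a pre-publish check that walks a repository checkout and lists sensitive-looking files that a candidate set of ignore patterns would still leave in scope for analysis. The pattern semantics (shell-style globs matched against paths and path components), the SENSITIVE_GLOBS list, the function names and the sample tree are assumptions constructed for illustration; confirm the syntax the Ignore patterns setting actually accepts.

```python
import fnmatch
import os
import tempfile

# Constructed list of filename globs that usually should not reach a public site.
SENSITIVE_GLOBS = [".env", ".env.*", "*.pem", "*.key", "id_rsa", "secrets.*", "*.tfstate"]


def is_ignored(rel_path, ignore_patterns):
    """ASSUMPTION: patterns are shell-style globs matched against the full
    relative path, any leading directory prefix, or any single path component."""
    parts = rel_path.split("/")
    candidates = set(parts) | {"/".join(parts[:i]) for i in range(1, len(parts) + 1)}
    return any(
        fnmatch.fnmatchcase(c, pat.rstrip("/"))
        for pat in ignore_patterns
        for c in candidates
    )


def exposed_sensitive_files(root, ignore_patterns):
    """Return sensitive-looking files under root that no ignore pattern covers."""
    exposed = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            rel = os.path.relpath(os.path.join(dirpath, name), root).replace(os.sep, "/")
            looks_sensitive = any(fnmatch.fnmatchcase(name, g) for g in SENSITIVE_GLOBS)
            if looks_sensitive and not is_ignored(rel, ignore_patterns):
                exposed.append(rel)
    return sorted(exposed)


def demo(ignore_patterns):
    """Build a constructed sample repository in a temp dir and audit it."""
    sample = ["README.md", "src/app.py", ".env", "deploy/tls/server.pem",
              "vendor/lib/util.js", "internal/secrets.yaml"]
    with tempfile.TemporaryDirectory() as root:
        for rel in sample:
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w") as fh:
                fh.write("constructed sample\n")
        return exposed_sensitive_files(root, ignore_patterns)


if __name__ == "__main__":
    for patterns in (["vendor/", "internal/"], ["vendor/", "internal/", ".env", "*.pem"]):
        print(patterns, "->", demo(patterns) or "nothing sensitive left exposed")
```

Run exposed_sensitive_files against a local checkout with the patterns you intend to configure; any path it returns is a candidate for an additional ignore pattern before the project is published.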
Reporting security concerns
If you identify a security vulnerability or have specific questions regarding data handling, contact the support team immediately.
- Support Email: support@ademero.com
- Support Portal: https://www.ademero.com
- Phone: 863-937-0272