How secure is the client portal?
How portal links work, why they are safe, and the options when a client wants a lock on the door.
Send this article to any client who asks. The short version: portal links are private by construction, you can revoke them instantly, and a sign-in requirement is one switch away.
How the link works
Every portal link contains a long random token, around 10^37 possibilities. Nobody can guess it, scan for it, or stumble into it; the only way in is to have been sent the link. This is the same model DocuSign envelopes, Stripe invoices, and most client portals use, because for the person receiving it, a link is both easier and safer than one more password they will reuse or forget.
On top of that, portal pages are rate limited (an address that hammers the site gets cut off), links can be regenerated from the client's page at any time (the old link dies everywhere, instantly), and everything is served over HTTPS.
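The model described above (a long random token, regeneration that kills the old link, and rate limiting that makes guessing pointless) can be shown in a few lines of Python. This is an added example, not Raoura's code; the article does not describe the implementation, so the names `PortalLinks`, `issue`, `resolve` and `years_to_guess`, the 128-bit token size, and hashing tokens at rest are all assumptions.

```python
import hashlib
import secrets

# Assumption: 128 random bits, at least as large as the ~10^37 space the article cites.
TOKEN_BYTES = 16


class PortalLinks:
    """Hypothetical in-memory store mapping hashed link tokens to clients."""

    def __init__(self):
        self._by_hash = {}   # sha256(token) -> client_id
        self._current = {}   # client_id -> sha256(token) of the live link

    @staticmethod
    def _digest(token):
        # Store only a hash, so a leaked table does not reveal working links.
        return hashlib.sha256(token.encode("ascii")).hexdigest()

    def issue(self, client_id):
        """Create or regenerate the client's link; any previous token stops working."""
        old = self._current.pop(client_id, None)
        if old is not None:
            del self._by_hash[old]
        token = secrets.token_urlsafe(TOKEN_BYTES)  # CSPRNG output, URL-safe text
        digest = self._digest(token)
        self._by_hash[digest] = client_id
        self._current[client_id] = digest
        return token  # the raw token is returned once and never stored

    def resolve(self, token):
        """Return the client for a presented token, or None if unknown or revoked."""
        try:
            return self._by_hash.get(self._digest(token))
        except UnicodeEncodeError:
            return None  # non-ASCII input can never be a valid token


def years_to_guess(space, guesses_per_second):
    """Expected years for an online guesser to hit one token (half the space on average)."""
    return (space / 2) / guesses_per_second / (365 * 24 * 3600)
```

With a constructed rate of 1,000 guesses per second (the article gives no figure for the rate limit), `years_to_guess(10**37, 1000)` comes out above 10^26 years.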
The optional sign-in
Any client can add a login to their portal: on their hub there is a box that says "Come back anytime, without this link." They enter the email you have on file, click the link they receive, and from then on they can sign in at raoura.com without hunting for an old email. No password, ever: the sign-in link IS the authentication, and it only ever goes to the email on file.
Require sign-in (the lock)
If a client wants a real lock on the door, open their page, find the Client portal card, and turn on Require sign-in to view the portal. From then on the portal link alone shows only a verify screen; the client confirms their email once per browser and then sees everything as usual.
Individual document links (a proposal to accept, an invoice to pay, a contract to sign) still open directly, because those arrive by email anyway; locking them would only break signing and paying, which is why e-signature products make the same choice.
What to tell a worried client
- The link is unique to you and unguessable; treat it like a key and do not post it publicly.
- If you ever think it leaked, I can issue a fresh link in one click; the old one stops working immediately.
- You can set up a sign-in for yourself, and I can make it required.