Security

Fern’s documentation platform is built with security as a core principle, using a client-side architecture for authentication and credential handling. User credentials and sensitive data are stored only in browser cookies and never transmitted to Fern’s servers.

Security questions

Contact support@buildwithfern.com for security reviews, additional documentation, or specific compliance requirements.

Authentication and API key injection

Fern supports multiple authentication methods to secure your documentation. All methods use a client-side fern_token cookie stored entirely in the browser:

  • Role-Based Access Control (RBAC) controls which users can access specific documentation content based on their roles (stores user roles)
  • API key injection automatically populates code examples with user-specific API keys for a personalized experience (stores authentication tokens via JWT or OAuth)
  • Single Sign-On (SSO) integrates with your existing identity provider for seamless authentication (stores identity provider tokens)

These cookies are managed entirely client-side and automatically cleared when the user logs out or the session expires. This approach ensures that sensitive credentials remain under your control and are never exposed to Fern’s infrastructure.

Open-source transparency

Fern’s documentation frontend is open-source with no hidden processes, allowing security teams to audit the code that handles user credentials and authentication.

You can review:

  • How cookies are stored and accessed
  • How API keys are injected into code examples
  • How authentication tokens are handled
  • The complete client-side authentication flow
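
As an aid to that review, the following added example (not code from Fern's frontend) summarizes what a fern_token cookie carries in your own session. It assumes the cookie value is a JWT, which this page names as one of the stored token types; the helper names and the sample token are constructed for illustration.

```javascript
// Added example for auditing your own session; not Fern's code.
// Assumption: the fern_token value is a JWT (header.payload.signature).

// Pull one cookie's value out of a document.cookie-style string.
function getCookie(cookieString, name) {
  for (const part of cookieString.split(";")) {
    const idx = part.indexOf("=");
    if (idx !== -1 && part.slice(0, idx).trim() === name) {
      return part.slice(idx + 1).trim();
    }
  }
  return null;
}

// Decode one base64url JWT segment to an object. Inspection only:
// the signature is not verified, so never base access decisions on this.
function decodeSegment(segment) {
  const b64 = segment.replace(/-/g, "+").replace(/_/g, "/");
  const padded = b64 + "=".repeat((4 - (b64.length % 4)) % 4);
  const bytes = Uint8Array.from(atob(padded), (c) => c.charCodeAt(0));
  return JSON.parse(new TextDecoder().decode(bytes));
}

// Summarize what the token carries: algorithm, claim names, expiry state.
function auditFernToken(cookieString, nowSeconds = Math.floor(Date.now() / 1000)) {
  const token = getCookie(cookieString, "fern_token");
  if (token === null) return { present: false };
  const parts = token.split(".");
  if (parts.length !== 3) return { present: true, jwt: false }; // opaque token
  try {
    const header = decodeSegment(parts[0]);
    const payload = decodeSegment(parts[1]);
    const hasExpiry = typeof payload.exp === "number";
    return {
      present: true, jwt: true, alg: header.alg ?? null,
      claimNames: Object.keys(payload).sort(),
      hasExpiry, expired: hasExpiry ? payload.exp <= nowSeconds : null,
    };
  } catch (err) {
    return { present: true, jwt: false }; // not decodable as a JWT
  }
}

// Constructed sample token (not a real fern_token; claim names are made up).
function makeSampleToken(payload) {
  const enc = (o) => btoa(JSON.stringify(o)).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
  return `${enc({ alg: "HS256", typ: "JWT" })}.${enc(payload)}.constructed-signature`;
}
```

In a browser console, call auditFernToken(document.cookie) on your own docs site; a cookie flagged HttpOnly is not visible there and has to be copied from the browser's storage inspector.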

Self-hosted deployments

For organizations that operate in air-gapped environments or need full control over documentation servers, Fern offers self-hosted deployments.