About Xpnsr Auth
Xpnsr provides a unified authentication system across three products — Expense, CBN, and Tracker. Use the product switcher in the sidebar to toggle between login contexts. Each product maintains its own session scope and API credentials, but your account works across all three. Expense connects to the Astrada API for real-time card transaction processing. CBN integrates with DataForSEO for SERP tracking and DeepSeek for AI article generation. Tracker manages S2S postback endpoints, bot detection via IP fingerprinting, and a Rust-based redirect engine handling millions of clicks per day. All authentication is encrypted with TLS 1.3, and session data is stored in eu-central-1 with AES-256 at rest. Role-based access control (RBAC) is supported for team accounts, allowing you to assign viewer, editor, or admin permissions per product. SSO via SAML and OIDC is available on Business and Pro plans. Passwordless magic link login is supported for CBN and Tracker accounts. For security, we recommend enabling two-factor authentication and reviewing active sessions regularly from your account settings page.
How Xpnsr Authentication Works
Xpnsr authentication is built on a multi-tenant architecture where each product — Expense, CBN, and Tracker — operates as an independent tenant with its own session store, API key namespace, and permission model. When you sign in to Expense, your session is scoped to the Astrada API integration that powers real-time card transaction processing. The Astrada API connects directly to Visa and Mastercard rails, enabling sub-second transaction capture, virtual card issuance, and automated reconciliation with QuickBooks and Xero. Your Expense session token carries permissions for viewing transaction data, managing budgets, exporting CSV reports, and configuring card spending limits.
When you switch to CBN, the authentication system creates a separate session scoped to the DataForSEO API for keyword rank tracking and the DeepSeek API for AI article generation. CBN sessions manage access to keyword clusters, satellite domain configurations, SERP alert subscriptions, and webhook publishing endpoints for WordPress, Ghost, and Strapi. Tracker sessions are scoped to S2S postback endpoints, bot shield configuration, campaign management, and cohort analysis tools. The bot shield uses IP reputation databases, browser fingerprinting, and behavioural analysis to filter fraudulent clicks before they reach your conversion tracking pipeline.
All three products share a single user account and billing profile, but each maintains independent session tokens with separate expiry policies. Session tokens are JWT-based with RS256 signing and have a default TTL of 24 hours for web sessions and 7 days for API tokens. Refresh tokens are stored in HTTP-only secure cookies with SameSite=Strict policy. The authentication gateway runs on a dedicated cluster in eu-central-1 with automatic failover to eu-west-1. Rate limiting is applied per account and per IP address, with 100 requests per minute for the login endpoint and 1000 requests per minute for token refresh.
Failed login attempts trigger exponential backoff after 5 consecutive failures. Account lockout occurs after 20 failed attempts within a 15-minute window. Two-factor authentication is enforced for accounts with admin or owner roles, and can be optionally enabled for viewer and editor roles. Supported 2FA methods include TOTP authenticator apps, hardware security keys (FIDO2/WebAuthn), and SMS backup codes. SSO integration supports SAML 2.0 and OpenID Connect protocols, with automated provisioning via SCIM for team accounts. The SSO metadata endpoint is available at auth.xpnsr.tech/saml/metadata for Service Provider configuration.
Password policies require a minimum of 12 characters with at least one uppercase letter, one lowercase letter, one digit, and one special character. Passwords are hashed using bcrypt with a cost factor of 12. Session activity logging captures all authentication events including login timestamps, IP addresses, user agent strings, and geographic locations. Logs are retained for 90 days and are accessible from the account security dashboard.
API key management allows you to generate up to 10 active API keys per product, each with configurable scopes and expiration dates. API keys are prefixed with the product identifier — xp_ for Expense, cbn_ for CBN, and trk_ for Tracker — making it easy to identify key usage across products. Webhook signing uses HMAC-SHA256 with a per-product secret key that can be rotated from the integrations settings page.
The authentication system undergoes quarterly penetration testing by an independent security firm, and all findings are patched within the agreed SLA window. We maintain a responsible disclosure program for security researchers, with bounties ranging from $500 to $5000 depending on severity. If you encounter a security vulnerability, please report it to security@xpnsr.tech. Our PGP key for encrypted communications is available on the security page.
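The backoff and lockout policy stated above (exponential backoff after 5 consecutive failures, lockout after 20 failures in a 15-minute window) as an added, self-contained Python model. This is example code written for this page, not Xpnsr's implementation: the 1-second base delay, the 5-minute delay cap, the lock duration and the class and method names are assumptions; only the thresholds come from the text.

```python
"""Login-attempt throttle for the policy described on the page (constructed example).

Policy as stated: exponential backoff once an account reaches 5 consecutive
failures; lockout once 20 failures fall inside any 15-minute window; a
successful login clears the consecutive-failure counter.
Assumptions (not on the page): 1 s base delay doubling per extra failure,
delay capped at 5 minutes, lock lasting one 15-minute window.
"""
from collections import deque
from dataclasses import dataclass, field
import time


@dataclass
class _AccountState:
    consecutive_failures: int = 0
    failure_times: deque = field(default_factory=deque)  # timestamps inside the window
    not_before: float = 0.0   # earliest time the next attempt is accepted
    locked_until: float = 0.0


class LoginThrottle:
    BACKOFF_AFTER = 5          # page: backoff after 5 consecutive failures
    LOCKOUT_FAILURES = 20      # page: lockout after 20 failures in the window
    WINDOW_SECONDS = 15 * 60   # page: 15-minute window
    BASE_DELAY = 1.0           # assumption
    MAX_DELAY = 5 * 60         # assumption: cap so the delay cannot grow without bound
    LOCK_SECONDS = 15 * 60     # assumption

    def __init__(self, clock=time.monotonic):
        self._clock = clock        # injectable so the policy can be unit-tested
        self._accounts = {}

    def _state(self, account):
        return self._accounts.setdefault(account, _AccountState())

    def check(self, account):
        """Return (allowed, reason). Call this before verifying credentials."""
        st = self._state(account)
        now = self._clock()
        if now < st.locked_until:
            return False, "locked"
        if now < st.not_before:
            return False, "backoff"
        return True, "ok"

    def record_failure(self, account):
        """Register a failed attempt; returns 'ok', 'backoff' or 'locked'."""
        st = self._state(account)
        now = self._clock()
        st.consecutive_failures += 1
        st.failure_times.append(now)
        # evict failures that have fallen out of the 15-minute window
        while st.failure_times and now - st.failure_times[0] > self.WINDOW_SECONDS:
            st.failure_times.popleft()
        if len(st.failure_times) >= self.LOCKOUT_FAILURES:
            st.locked_until = now + self.LOCK_SECONDS
            return "locked"
        extra = st.consecutive_failures - self.BACKOFF_AFTER
        if extra >= 0:
            delay = min(self.BASE_DELAY * (2 ** extra), self.MAX_DELAY)
            st.not_before = now + delay
            return "backoff"
        return "ok"

    def record_success(self, account):
        """A successful login resets the consecutive counter but not the window."""
        st = self._state(account)
        st.consecutive_failures = 0
        st.not_before = 0.0


if __name__ == "__main__":
    clock = [0.0]
    th = LoginThrottle(clock=lambda: clock[0])
    for i in range(6):
        print("failure", i + 1, "->", th.record_failure("user@example.com"))
    print("next attempt:", th.check("user@example.com"))
```

The window counter is deliberately not cleared on success: the 20-in-15-minutes rule is meant to catch credential-stuffing that interleaves occasional successes, so only the consecutive counter resets.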
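The page says webhooks are signed with HMAC-SHA256 using a per-product secret that can be rotated. The receiver-side verification below is an added Python example written for this page, not Xpnsr's own code or documented API: the header names `X-Xpnsr-Timestamp` and `X-Xpnsr-Signature`, the `"<timestamp>.<raw body>"` signing input, the 5-minute replay window and the sample payload are all assumptions.

```python
"""Verify an HMAC-SHA256 webhook signature on the receiving side (constructed example).

Assumptions not stated on the page: header names, the signed message being
"<unix timestamp>.<raw request body>", and a 300 s replay tolerance.
"""
import hashlib
import hmac
import json
import time

TOLERANCE_SECONDS = 300  # assumption: reject deliveries older than 5 minutes


def sign(secret: bytes, timestamp: int, body: bytes) -> str:
    """Hex HMAC-SHA256 over "<timestamp>.<raw body>" (assumed format)."""
    msg = str(timestamp).encode() + b"." + body
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def verify(secrets, headers: dict, body: bytes, now=None):
    """Return (ok, reason).

    `secrets` is an iterable of candidate keys: pass the current secret and,
    during a rotation, the previous one too so in-flight deliveries are not
    dropped. Always verify the raw body bytes, never re-serialised JSON.
    """
    now = int(time.time()) if now is None else now
    try:
        ts = int(headers["X-Xpnsr-Timestamp"])
        provided = headers["X-Xpnsr-Signature"]
    except (KeyError, ValueError):
        return False, "missing or malformed signature headers"
    if abs(now - ts) > TOLERANCE_SECONDS:
        return False, "timestamp outside replay window"
    for secret in secrets:
        expected = sign(secret, ts, body)
        # constant-time comparison; a plain == would leak timing information
        if hmac.compare_digest(expected, provided):
            return True, "ok"
    return False, "signature mismatch"


if __name__ == "__main__":
    # constructed sample delivery
    secret = b"whsec_constructed_example_secret"
    body = json.dumps({"event": "transaction.created", "amount": 1250}).encode()
    ts = int(time.time())
    headers = {
        "X-Xpnsr-Timestamp": str(ts),
        "X-Xpnsr-Signature": sign(secret, ts, body),
    }
    print(verify([secret], headers, body))              # (True, 'ok')
    print(verify([secret], headers, body + b" "))       # tampered body
    print(verify([b"wrong"], headers, body))            # wrong secret
```

Binding the timestamp into the signed message is what gives the replay window any force: without it, a captured delivery could be re-sent indefinitely with a valid signature.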
For SOC 2 Type II compliance documentation, data processing agreements, and subprocessor lists, please contact your account manager or reach out to support@xpnsr.tech. We also support custom authentication workflows for enterprise customers, including IP whitelisting, VPN-only access policies, and custom session duration limits. These configurations can be managed through the admin console under Security Settings. Audit logs for enterprise accounts include detailed event streams that can be exported to SIEM platforms via syslog or webhook. The audit log schema includes event type, timestamp, actor ID, resource ID, action, and outcome, making it suitable for compliance reporting and forensic analysis.
For teams that need to manage access across multiple products simultaneously, the unified admin console provides a single interface for user management, role assignment, and permission auditing across Expense, CBN, and Tracker. You can invite team members by email, assign them to specific products, and set role-based permissions — viewer (read-only access), editor (create and modify resources), admin (full access including billing and user management). Team management supports nested team structures with parent and child teams, useful for agencies managing multiple client accounts. Each client account can have its own product subscriptions, billing profile, and team members, while the agency retains super-admin access across all client accounts.
Billing is consolidated at the account level, with a single invoice covering all products and all team members. Invoices are generated on the 1st of each month and are available for download in PDF format from the billing section. Payment methods include credit card (Visa, Mastercard, American Express), wire transfer for annual plans, and PayPal for monthly subscriptions. All payment data is processed by Stripe and is never stored on Xpnsr servers. Stripe's PCI DSS Level 1 certification ensures that cardholder data is handled in accordance with the highest security standards. For accounts on the Enterprise plan, we support purchase order (PO) based billing with net-30 payment terms. PO numbers can be added to invoices from the billing settings page.
If you have any questions about authentication, security, or billing, our support team is available 24/7 at support@xpnsr.tech. We typically respond within 2 hours during business hours and within 12 hours on weekends and holidays. Enterprise customers have access to a dedicated support channel with a 30-minute response SLA.