Insomnia logo
  • Documentation
  • Get Started for Free
    • Introduction to Insomnia
    • Install Insomnia
    • Send Your First Request
    • Import and Export Data
    • Environment Variables
    • Global Environments
    • Insomnia Accounts
    • Forgotten Passphrase
    • Managing E2EE (End-to-End Encryption)
    • Organizations
    • Enable Enterprise membership
    • Configuring EE SSO
    • Integrating Insomnia Enterprise with Okta SAML 2.0
    • Integrating Insomnia Enterprise with Okta OpenID Connect
    • Integrating Insomnia Enterprise with Microsoft Azure/Entra ID SAML 2.0
    • Insomnia Whitelisting Guide for Enterprise Users
    • Transfer enterprise organizations and license
    • Configuring SCIM
    • Multiple Owners
    • Manage Domains
    • Invite Controls
    • Storage Controls
    • Session Report
    • Insomnia Subscriptions
    • Insomnia Subscription Management
    • Scratch Pad Tutorial
    • Requests
    • Responses
    • Request Collections
    • Request Timeouts
    • Chaining Requests
    • Post CSV Data
    • SOAP Requests
    • gRPC
    • WebSocket Support
    • Get Started with Documents
    • Design Documents
    • Linting
    • GraphQL for OpenAPI
    • Migrate from Designer
    • Unit Testing
    • Stress Testing
    • Insomnia Storage Options Guide
    • Sync with Insomnia Cloud
    • Sync with Git
    • Key Security Features
    • Security Standards
    • Signup and Authentication
    • Analytics Collected
    • End to End Data Encryption
    • Software Bill of Materials
    • Verifying Build Provenance for Signed Insomnia Binaries
    • Authentication
    • Client Certificates
    • Collection Runner
    • Generate Code Snippet
    • Cookie Management
    • Encoding
    • GraphQL Queries
    • Run in Insomnia Button
    • Key Maps
    • Proxy
    • Folder-level settings
    • Introduction to Plugins
    • Context Object Reference
    • Template Tags
    • Hooks and Actions
    • Custom Themes
    • AI Runner
    • FAQ
    • Application Data
    • SSL Validation
    • Password Recovery
    • Introduction to Inso CLI
    • Install Inso CLI
    • CLI Command Reference
      • inso run test
      • inso run collection
      • inso lint spec
      • inso export spec
      • inso script
      • Using Custom Linting with Inso CLI
    • Configuration
    • Inso CLI on Docker
    • Software Bill of Materials
    • Verifying Signatures for Signed Inso CLI Images
    • Verifying Inso CLI Build Provenance
      • Verifying Build Provenance for Signed Inso CLI Images
      • Verifying Build Provenance for Signed Inso CLI Binaries
    • Continuous Integration
    • Insomnia Pre-request Script Overview
    • Insomnia After-Response Script Overview
    • Secret Environment Variables
    • External Vault Integration (Enterprise feature)
    • Insomnia API Mocking Overview
    • Enterprise Login Report

Signup and Authentication

Since the passphrase you choose at registration time is used during the encryption process (although indirectly), it’s vital that it’s never sent or stored on the server in an easily crackable form. To help with this goal, Insomnia uses the Secure Remote Passwords (SRP) encrypted key exchange protocol.

You can read more about the exact SRP implementation that Insomnia paid plans use in RFC-2945.

For a detailed description of SRP, see Mozilla’s Node SRP.

How Account Creation Works

These are the steps taken on the client during account creation.

  1. Randomly generate 256 bit keys and salts SYM_Account, SLT_Auth_1, SLT_Auth_2, SLT_Encryption
  2. Generate PUB_Account/PRV_Account keypair for RSA-OAEP SHA-256
  3. Generate SEC_PWD_Auth using the following steps
    1. Combine SLT_Auth1 with email address using HKDF SHA-256 to form a new salt SLT_TMP_1
    2. Run 100,000 iterations of PBKDF2 SHA-256 with SLT_TMP_1
  4. Generate SEC_PWD_Enc using the following steps
    1. Combine SLT_Enc with email address using HKDF SHA-256 to form a new salt SLT_TMP_2
    2. Run 100,000 iterations of PBKDF2 SHA-256 with SLT_TMP_2
  5. Generate SRP_Verifier using SLT_Auth_2, email address, SEC_PWD_Auth
  6. Encrypt SYM_Account using SEC_PWD
  7. Encrypt PRV_Account using SYM_Account
  8. Send M_Account object to server for creation

Once the account is created, the server will send a verification email to the user. Once the user receives this email, they can attempt to log in.

How Account Login Works

These are the steps taken on the client during login.

  1. Derive SEC_PWD_Auth using same steps as in Account Creation
  2. Use SLT_Auth_2 to perform SRP exchange
  3. Store SRP-generated K locally to use as session key

Now that we know how signup and authentication are performed, we can talk about data encryption.

Edit this page
Report an issue
    COMPANY
  • Insomnia
  • Blog
  • Changelog
  • Pricing
  • Careers
    PRODUCTS
  • Insomnia
  • Inso (CLI)
    RESOURCES
  • Sign In
  • Documentation
  • Support
    LEGAL
  • Privacy Policy
  • Terms & Conditions
© Kong Inc. 2021