Twenty is a modern open-source CRM with API-first patterns and active development. Hardening should focus on workspace permission design, token controls, and secure deployment defaults.
¶ 1) Protect workspace roles and identity boundaries
- restrict owner/admin roles to small trusted groups
- enforce least privilege for member roles and API users
- remove stale workspace invites and inactive accounts quickly
¶ 2) Secure API tokens and automation credentials
- issue dedicated tokens for integrations rather than shared admin keys
- rotate tokens regularly and after personnel changes
- limit webhook consumers and verify signatures/secrets on callback paths
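A minimal receiver-side check for the third point, as an added example that is not part of the original checklist or of Twenty's own code: the header names, the `timestamp.body` signing format and the five-minute replay window are assumptions (confirm the actual scheme against the Twenty documentation before relying on it). It signs the raw bytes with HMAC-SHA256, compares in constant time, and rejects stale timestamps so a captured callback cannot be replayed later.

```python
import hashlib
import hmac
import time
from typing import Optional

# Assumed header names and signature format (not taken from Twenty's docs):
#   signature = hex(HMAC-SHA256(secret, "<timestamp>.<raw_body>"))
SIGNATURE_HEADER = "X-Webhook-Signature"
TIMESTAMP_HEADER = "X-Webhook-Timestamp"
MAX_SKEW_SECONDS = 300  # reject callbacks older than five minutes (replay window)


def sign_payload(secret: bytes, timestamp: int, raw_body: bytes) -> str:
    """Compute the signature the sender would attach to a callback body."""
    message = str(timestamp).encode() + b"." + raw_body
    return hmac.new(secret, message, hashlib.sha256).hexdigest()


def verify_webhook(secret: bytes, headers: dict, raw_body: bytes,
                   now: Optional[int] = None) -> bool:
    """Return True only if the signature matches and the timestamp is fresh.

    Always verify over the raw request bytes: re-serialising parsed JSON
    before signing silently breaks verification on key order or whitespace.
    """
    now = int(time.time()) if now is None else now
    sig = headers.get(SIGNATURE_HEADER)
    ts_raw = headers.get(TIMESTAMP_HEADER)
    if not sig or not ts_raw:
        return False  # unsigned callbacks are dropped, never processed
    try:
        ts = int(ts_raw)
    except ValueError:
        return False
    if abs(now - ts) > MAX_SKEW_SECONDS:
        return False  # stale or future-dated: treat as a possible replay
    expected = sign_payload(secret, ts, raw_body)
    # constant-time comparison; a plain == leaks where the first byte differs
    return hmac.compare_digest(expected, sig)


if __name__ == "__main__":
    # Constructed sample callback, not captured from a real Twenty instance.
    secret = b"constructed-shared-secret"
    body = b'{"event":"person.created","id":"rec_constructed"}'
    ts = int(time.time())
    headers = {SIGNATURE_HEADER: sign_payload(secret, ts, body),
               TIMESTAMP_HEADER: str(ts)}
    print("valid:", verify_webhook(secret, headers, body))
    print("tampered:", verify_webhook(secret, headers, body + b" "))
```

Keep one secret per webhook consumer so a leaked secret only needs to be rotated in one place, and log rejected callbacks (missing header, bad signature, stale timestamp) as separate reasons so the rejection rate is visible in monitoring.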
¶ 3) Harden infrastructure and app configuration
- store environment secrets and database credentials in a secrets manager rather than in plaintext configuration
- enforce HTTPS and proxy-level protections (rate limits, request caps)
- pin image/runtime versions and patch dependencies on a scheduled cadence
- Twenty website: https://twenty.com
- Twenty documentation: https://docs.twenty.com/
- Twenty source code: https://github.com/twentyhq/twenty
- Twenty community: Discord, Twitter, LinkedIn