Security Best Practices
Last updated: April 18, 2026
Protecting your Wevion account and connected Meta assets is critical for media buyers handling significant ad budgets. This guide covers practical security measures to keep your account safe.
Prerequisites
- An active Wevion account
- Connected Meta accounts
How It Works
Security in Wevion operates at multiple layers:
- Authentication — Logto-based SSO with support for strong passwords and 2FA
- Authorization — Role-based access control (RBAC) isolates data between team members
- API security — JWT tokens with automatic expiration, rate limiting on all endpoints
- Data isolation — Every query is filtered by session_id, preventing cross-user data access
- Transport security — All connections use HTTPS/TLS encryption
Step-by-Step Guide
Account Security Checklist
Use this checklist to ensure your account is properly secured:
Authentication:
- Use a strong, unique password (minimum 8 characters, mix of letters, numbers, symbols)
- Enable Two-Factor Authentication (see Two-Factor Authentication (2FA))
- Save 2FA backup codes in a secure location
- Never share your login credentials with anyone
Meta Connection:
- Use system user tokens for production ad accounts (they don't expire like user tokens)
- Grant only the permissions Wevion requests — don't manually add extra scopes
- Reconnect tokens promptly when expiration notifications arrive
- Regularly review connected apps in Facebook Settings > Apps and Websites
Team Management:
- Invite team members with appropriate roles (don't give owner access unnecessarily)
- Deactivate team members promptly when they leave your organization
- Review team member access periodically
Browser and Device:
- Use an up-to-date browser (Chrome, Firefox, Edge, Safari)
- Don't use public or shared computers for Wevion access
- Log out when finished, especially on shared devices
- Clear browser data if you suspect your session was compromised
Responding to a Suspected Security Breach
If you suspect unauthorized access to your account:
1. Change your password immediately
   - Navigate to Profile > Change Password
   - This invalidates all existing sessions
2. Check your Meta token status
   - Go to Meta Users and verify all tokens are expected
   - Deactivate any tokens you don't recognize
3. Review recent activity
   - Check your notifications for unusual events
   - Review campaign changes in Ads Manager
   - Look for unexpected team members
4. Secure your Meta account
   - Change your Facebook password
   - Review Facebook's Security and Login page for unrecognized devices
   - Enable 2FA on Facebook if not already active
5. Contact support
   - Email support@wevion.ai describing the suspected breach
   - The team can help investigate and secure your account
Securing Your Meta Business Manager
Since Wevion connects to your Meta accounts, securing Business Manager is equally important:
- Enable 2FA on all Business Manager admins
- Use system users instead of personal accounts for API access
- Review who has admin access to your Business Manager regularly
- Set spending limits on ad accounts as a safeguard
- Monitor the Account Quality page (facebook.com/accountquality) for violations
- Keep business verification current to avoid account restrictions
Options and Configuration
| Security Feature | Location | Status |
|---|---|---|
| Password change | Profile > Change Password | Available |
| 2FA | Profile > Security (via Logto) | Available |
| Session invalidation | Automatic on password change | Built-in |
| Rate limiting | All API endpoints | Built-in |
| Data isolation | All queries | Built-in |
| Token monitoring | Meta Users page | Available |
| Team access review | Teams page | Owner only |
Common Security Mistakes
| Mistake | Why It's Dangerous | Fix |
|---|---|---|
| Using the same password for Wevion and Facebook | If one is breached, both are compromised | Use unique passwords for every service |
| Sharing credentials with team members | No accountability, no way to revoke individual access | Use Wevion's team invite system instead |
| Ignoring token expiry notifications | Expired tokens can't sync data; forced reconnection may expose the account to phishing | Reconnect tokens promptly |
| Not deactivating former team members | Ex-employees may retain access to campaigns and ad spend | Deactivate immediately upon departure |
| Using personal Meta accounts for business | Password changes or 2FA issues on a personal account affect business operations | Use system users for production accounts |
FAQ
Does Wevion store my Facebook password? No. Wevion uses OAuth to obtain an access token from Meta. Your Facebook credentials are never shared with or stored by Wevion.
Can Wevion employees see my campaigns or ad data? Wevion staff with Super Admin access can view platform data for support and troubleshooting purposes. All access is logged.
Is my billing information secure? Yes. Payment processing is handled entirely by Stripe. Wevion never stores credit card numbers or sensitive payment details.
What happens if Wevion itself is breached? Wevion uses industry-standard security practices including encrypted storage, network isolation, and regular security audits. In the unlikely event of a breach, affected users would be notified according to applicable data protection regulations.
How do I report a security vulnerability? Email support@wevion.ai with the subject "Security Issue." These reports are treated with the highest priority and confidentiality.