Add Security page for enterprise security teams (#2068)

Co-authored-by: Devin AI <158243242+devin-ai-integration[bot]@users.noreply.github.com>
Co-authored-by: Catherine Deskur <[email protected]>
Co-authored-by: chdeskur <[email protected]>
Co-authored-by: Devin Logan <[email protected]>
Co-authored-by: Kenny Derek <[email protected]>

Author: 4 people

fern/products/docs/docs.yml

@@ -256,6 +256,11 @@ navigation:
         path: ./pages/api-references/autopopulate-api-key.mdx
       - page: SSO
         path: ./pages/authentication/sso.mdx
+  - section: Security
+    collapsed: true
+    contents:
+      - page: Overview
+        path: ./pages/security/overview.mdx
   -  section: Self-hosted
      collapsed: true
      contents:

fern/products/docs/pages/api-references/autopopulate-api-key.mdx

@@ -5,11 +5,15 @@ subtitle: Make integrating with your API frictionless by adding your login flow
 
 <Markdown src="/snippets/pro-plan.mdx"/>
 
-Fern can integrate with your authentication flow, allowing users to login and have their API key automatically populated with the click of a button. 
+Fern can integrate with your authentication flow, allowing users to login and have their API key automatically populated with the click of a button.
 
 <div style="position: relative; padding-bottom: 66.38846737481032%; height: 0;"><iframe src="https://www.loom.com/embed/790eb5849f1c4622aae09527908fdc7a?sid=d77062f8-35c3-41ab-8669-4c28b62e233b?hide_owner=true&hide_share=true&hide_title=true&hideEmbedTopBar=true" frameborder="0" webkitallowfullscreen mozallowfullscreen allowfullscreen style="position: absolute; top: 0; left: 0; width: 100%; height: 100%;"></iframe></div>
 
-With this feature, you can **create new users of your API** directly from within your documentation. 
+With this feature, you can **create new users of your API** directly from within your documentation.
+
+<Note>
+User credentials are stored only in browser cookies and never transmitted to Fern's servers. Learn more in the [Security overview](/learn/docs/security/overview).
+</Note> 
 
 ## Integrating with your auth flow
 

fern/products/docs/pages/authentication/overview.mdx

@@ -3,14 +3,18 @@ title: Overview of authentication options
 description: Understand the different authentication options Fern offers
 ---
 
-Fern offers two methods of authentication, Single Sign-On (SSO) and Role-Based Access Control (RBAC). 
+Fern offers two methods of authentication, Single Sign-On (SSO) and Role-Based Access Control (RBAC).
 
 **For most situations, use RBAC** for granular access control over your documentation. RBAC works well for sites with multiple audiences (internal teams, partners, customers) and supports API key injection to autopopulate code examples.
 
 API key injection can be set up using either JWT or OAuth, depending on your existing authentication system.
 
 **SSO is simpler** but only provides basic login functionality - it doesn't support RBAC or API key injection. SSO works well for internal-only documentation where everyone should see the same content.
 
+<Note>
+Learn how Fern handles user credentials and authentication in the [Security overview](/learn/docs/security/overview).
+</Note>
+
 Learn more about Fern's authentication options:
 
 <CardGroup cols={3}>

fern/products/docs/pages/authentication/rbac.mdx

@@ -46,7 +46,7 @@ roles:
 
 ### Configure authentication via a `fern_token`
 
-Fern uses a browser cookie called `fern_token` to identify authenticated users and their roles. If this cookie isn't present when a user tries to access restricted content, Fern redirects them to your login page.
+Fern uses a [browser cookie](/learn/docs/security/overview) called `fern_token` to identify authenticated users and their roles. If this cookie isn't present when a user tries to access restricted content, Fern redirects them to your login page.
 
 You can set up this authentication using either JWT or OAuth:
 

fern/products/docs/pages/enterprise/self-hosted.mdx

@@ -5,7 +5,7 @@ description: Fern supports self-hosting so that you can run your docs site on yo
 
 <Markdown src="/snippets/enterprise-plan.mdx" />
 
-Fern documentation websites are hosted on Fern's infrastructure by default. Self-hosting allows you to deploy your documentation site on your own infrastructure to meet specific security or compliance requirements.
+Fern documentation websites are hosted on Fern's infrastructure by default. Self-hosting allows you to deploy your documentation site on your own infrastructure to meet specific [security](/learn/docs/security/overview) or compliance requirements.
 
 ## When to use self-hosting
 

fern/products/docs/pages/security/overview.mdx

@@ -0,0 +1,34 @@
+---
+title: Security
+description: Learn how Fern handles authentication and user credentials in documentation sites.
+---
+
+Fern's documentation platform is built with security as a core principle, using a client-side architecture for authentication and credential handling. User credentials and sensitive data are stored only in browser cookies and never transmitted to Fern's servers.
+
+<Note title="Security questions">
+    Contact [email protected] for security reviews, additional documentation, or specific compliance requirements.
+</Note>
+
+## Authentication and API key injection
+
+Fern supports [multiple authentication methods](/learn/docs/authentication/overview) to secure your documentation. All methods use a client-side `fern_token` cookie stored entirely in the browser:
+
+- [Role-Based Access Control (RBAC)](/learn/docs/authentication/rbac) controls which users can access specific documentation content based on their roles (stores user roles)
+- [API key injection](/learn/docs/authentication/api-key-injection) automatically populates code examples with user-specific API keys for a personalized experience (stores authentication tokens via JWT or OAuth)
+- [Single Sign-On (SSO)](/learn/docs/authentication/sso) integrates with your existing identity provider for seamless authentication (stores identity provider tokens)
+
+These cookies are managed entirely client-side and automatically cleared when the user logs out or the session expires. This approach ensures that sensitive credentials remain under your control and are never exposed to Fern's infrastructure.
+
+## Open-source transparency
+
+Fern's documentation frontend is [open-source](https://github.com/fern-api/fern-platform) with no hidden processes, allowing security teams to audit the code that handles user credentials and authentication.
+
+You can review:
+- How cookies are stored and accessed
+- How API keys are injected into code examples
+- How authentication tokens are handled
+- The complete client-side authentication flow
+
+## Self-hosted deployments
+
+For organizations that operate in air-gapped environments or need full control over documentation servers, Fern offers [self-hosted deployments](/learn/docs/enterprise/self-hosted).