Are WorkZerk's Tokenised Links Secure?

Security & Privacy
Written By Chris Jack

Short answer: yes. WorkZerk relies on tokenised URLs to give onboardees, visitors, and guests frictionless access without passwords or app downloads. A fair question we get is whether those tokens can be intercepted, especially on public Wi-Fi. Here's how it actually works.

HTTPS Encrypts the Whole URL

Every WorkZerk link is served over HTTPS. When your browser (Chrome, Edge, Safari, Firefox) connects to workzerk.com.au, it establishes an encrypted TLS tunnel before any part of the page request is sent. That means the full path and query string, including the token, is encrypted end to end between your device and our Microsoft Azure servers based in the Sydney region.

Nobody sitting on the same coffee shop Wi-Fi can read the token out of the URL. Not the cafe owner, not the person two tables over running Wireshark, not your hotel's network admin. The encrypted payload is unreadable without the private key held by our server.

What a Network Snoop Can See

For full transparency, here's the one small thing that isn't hidden: the domain name itself (workzerk.com.au) is visible to the network. This happens during the initial handshake via something called SNI (Server Name Indication), and through DNS lookups.

So a snoop on an unsecured network could tell that you visited WorkZerk. They cannot see:

  • The specific portal you accessed.

  • Your token (embedded in the URL).

  • Any form data you submitted.

  • Documents you uploaded.

  • Signatures you provided.

If hiding even the domain matters to you (for example, on a genuinely untrusted public network) a VPN is the standard fix. It wraps the entire connection, including the DNS lookups, inside another encrypted layer.

Tokens are Single-Purpose and Revocable

On top of HTTPS, WorkZerk tokens are tied to a specific portal and onboardee. They don't grant broad account access, and admins can revoke them at any time from the portal settings by generating a new token.

As a further security measure, files uploaded via the portal cannot be downloaded or viewed after uploading. So even if someone else discovered the onboardee portal link with embedded token, they would not be able to access any uploaded files.

The bottom line

Tokenised links on modern browsers are safe for the use cases WorkZerk is built for. The encryption happens automatically, every time, on every device. No configuration required from your onboardees.

Chris Jack https://www.chrisjack.com.au
Next

Live Runsheet: Per-Onboardee Instructions that Update in Real Time