Koen Rouwhorst
48 posts

Koen Rouwhorst @koenrh
Security at @framer. I build and break things on the internet.
Amsterdam, The Netherlands · Joined February 2009
76 Following · 2.8K Followers

Koen Rouwhorst reposted
brooke mendoza @brookexmendoza
Framer's biggest launch in years is happening June 16 We're hosting watch parties in 12 cities around the world so builders can experience it together IRL Austin • LA • NYC • SF • Seattle • Vancouver • Toronto • Amsterdam • Barcelona • Berlin • London • Warsaw Want in? DM me
Quoting Framer @framer:
    Join us June 16 at 10AM PDT. You will not want to miss this one.

23 replies · 7 reposts · 84 likes · 11.4K views
Koen Rouwhorst @koenrh
The nice thing is that other tools on your machine can use the same authentication instead of each needing their own personal access token. In scripts, you can use 'gh auth token' to retrieve the access token. Scopes can be expanded using 'gh auth refresh -s ', so you only add broader access when your tools actually need it. You can take this a step further with the gh Go module (github.com/cli/go-gh) that lets you tap into that same authentication programmatically from your own tooling. We did this for our internal developer tools that need GitHub access, so there is no need for engineers to manually generate, configure, or manage separate GitHub personal access tokens.
0 replies · 0 reposts · 1 like · 140 views
Koen Rouwhorst @koenrh
As an engineer at @framer, one of the things I keep pushing for is reducing the number of credentials that engineers have to manage themselves. GitHub personal access tokens are a good example. They are often scoped too broadly, stored in plaintext in dotfiles, and duplicated in multiple places. GitHub's gh CLI solves most of this. Instead of manually generating a token and pasting it somewhere, you just run 'gh auth login' to authenticate via a browser-based OAuth flow. No token touches your clipboard or shell history. It creates an access token with sane default scopes, stored securely in your OS keychain rather than a plaintext file on disk.
1 reply · 0 reposts · 9 likes · 419 views
Koen Rouwhorst @koenrh
For your business-critical domains, move to a well-established registrar that supports registry locks (CSC, MarkMonitor, Cloudflare). Configure multi-party authorization for unlocking, so no single individual can approve changes. Use role-based contacts, not personal emails. Enforce phishing-resistant MFA. And set auto-renewal with a multi-year buffer. These controls have been around for many years. They are just underused.
0 replies · 0 reposts · 6 likes · 119 views
Koen Rouwhorst @koenrh
You can easily check this for your own domains. Do a whois lookup and check the domain status fields. Statuses starting with "client" (e.g. clientTransferProhibited) are set by the registrar and can be removed by the registrar. Statuses starting with "server" (serverDeleteProhibited, serverTransferProhibited, serverUpdateProhibited) are set by the registry and can only be removed through the out-of-band process described above.
[image attached]

1 reply · 0 reposts · 4 likes · 103 views
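The check described in the post above, as an added example that is not the author's code: it parses the "Domain Status:" lines of a whois response, separates registrar-set (client*) codes from registry-set (server*) codes, and flags a domain as registry-locked only when all three server* locks the post names are present. The whois responses below are constructed samples, not real lookups; the assumption that a registry lock means exactly those three codes is mine, and whois output layouts differ between registries, so the regex may need adjusting for yours.

```python
import re
import subprocess
import sys

# Constructed sample whois responses (not real lookups), in the common
# one-"Domain Status:"-line-per-EPP-code layout.
SAMPLE_WHOIS_LOCKED = """\
Domain Name: EXAMPLE.COM
Registrar: Example Registrar, Inc.
Domain Status: clientDeleteProhibited https://icann.org/epp#clientDeleteProhibited
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Domain Status: serverDeleteProhibited https://icann.org/epp#serverDeleteProhibited
Domain Status: serverTransferProhibited https://icann.org/epp#serverTransferProhibited
Domain Status: serverUpdateProhibited https://icann.org/epp#serverUpdateProhibited
"""

SAMPLE_WHOIS_UNLOCKED = """\
Domain Name: EXAMPLE.NET
Registrar: Example Registrar, Inc.
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Domain Status: ok https://icann.org/epp#ok
"""

# Assumption: a registry lock means all three registry-level (server*) codes.
REGISTRY_LOCKS = frozenset({
    "serverDeleteProhibited",
    "serverTransferProhibited",
    "serverUpdateProhibited",
})

# Captures the status code that follows "Domain Status:", ignoring the
# trailing ICANN EPP URL that most registries append.
STATUS_LINE = re.compile(r"^\s*Domain Status:\s*(\S+)", re.IGNORECASE | re.MULTILINE)


def parse_statuses(whois_text):
    """Return the set of EPP status codes found in a whois response."""
    return {m.group(1) for m in STATUS_LINE.finditer(whois_text)}


def classify(statuses):
    """Split codes into registrar-set (client*) and registry-set (server*) lists."""
    client = sorted(s for s in statuses if s.lower().startswith("client"))
    server = sorted(s for s in statuses if s.lower().startswith("server"))
    return client, server


def registry_locked(whois_text):
    """True only when every registry-level lock code is present."""
    return REGISTRY_LOCKS <= parse_statuses(whois_text)


def report(domain, whois_text):
    """Human-readable summary: which side set which locks, and whether the
    registry lock is complete."""
    client, server = classify(parse_statuses(whois_text))
    lines = [
        f"{domain}:",
        f"  registrar-set (client*): {', '.join(client) or 'none'}",
        f"  registry-set (server*):  {', '.join(server) or 'none'}",
        "  registry lock: " + ("present" if registry_locked(whois_text) else "MISSING"),
    ]
    return "\n".join(lines)


def lookup(domain):
    """Run the system whois client and return its raw output (needs network)."""
    return subprocess.run(["whois", domain], capture_output=True, text=True, check=True).stdout


if __name__ == "__main__":
    if len(sys.argv) > 1:
        # Real lookups for the domains given on the command line.
        for name in sys.argv[1:]:
            print(report(name, lookup(name)))
    else:
        # Offline demo on the constructed samples.
        print(report("example.com", SAMPLE_WHOIS_LOCKED))
        print(report("example.net", SAMPLE_WHOIS_UNLOCKED))
```

Run it with no arguments to see the two sample reports, or pass your own domains to run the system whois client. A domain that only shows client* codes is protected by nothing more than a registrar-side flag, which is exactly the gap the thread is about.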
Koen Rouwhorst @koenrh
Domain registrars may be one of the most overlooked single points of failure in our stack. We spend serious time and resources securing our cloud infrastructure and workloads, but our domain registrars rarely get the same level of scrutiny. Even though our domains underpin everything we operate. 🧵
1 reply · 4 reposts · 13 likes · 360 views
Koen Rouwhorst @koenrh
All @framer emails now show a verified logo and blue checkmark in supporting inboxes like Gmail. Here is what is behind that little checkmark. 🧵
[image attached]

7 replies · 2 reposts · 73 likes · 4.4K views
Koen Rouwhorst @koenrh
All @framer emails now show the verified logo across Gmail, Apple Mail, Fastmail, and Yahoo. This is first and foremost a nice trust signal for our users. When an email claims to come from Framer, the verified logo lets them know at a glance that it actually does.
1 reply · 0 reposts · 4 likes · 435 views
Koen Rouwhorst @koenrh
The standard method for organization validation is a phone call to a publicly listed phone number. Framer is a remote-first company. We are incorporated in the Netherlands and have an office there, but no fixed phone line. So we asked legal to draft a legal opinion letter to establish a non-listed number for verification. That got rejected because our counsel was not registered with the local bar association in the required jurisdiction. 🙃 The certificate authority eventually fell back to sending a physical postal letter with a verification code to our physical address listed on Dun & Bradstreet. Yes, we used snail mail to verify our identity for email!
1 reply · 0 reposts · 3 likes · 415 views
Koen Rouwhorst @koenrh
This setup is not about being unreachable. It is about being available for the right people and the right work, at the right time, with a brain that is fully present. Quiet by default, across every channel. Distractions stay out. Exceptions have to earn their way in. What is left is focus time, and the space to build and ship.
0 replies · 0 reposts · 4 likes · 108 views
Koen Rouwhorst @koenrh
Phone: Same pattern as calendar and email. Default off, exceptions earn their way in. Focus mode is always on. Only contacts marked as favorite get through: family, friends, close colleagues, leadership. App notifications are mostly off. PagerDuty is the only exception, for real (security) incidents. Everyone else can wait.
1 reply · 0 reposts · 3 likes · 127 views
Koen Rouwhorst @koenrh
We are a company of makers and doers. A small team building and running a serious product, with real traction and big ambitions. We have high standards, little hierarchy, and lots of autonomy. Every engineer is expected to make an impact, and none of that works without protected focus time. That means ruthlessly cutting distractions. Here is how I do that as a security engineer at @framer, across email, calendar, Slack, and phone.
2 replies · 0 reposts · 14 likes · 824 views