Security & Trust

We cannot read your API keys.
Technically. Architecturally. By design.

API Lens uses a layered encryption model that makes it mathematically impossible for anyone — including the API Lens team — to read the credentials you store.

The Encryption Model

  • All stored credentials are encrypted with AES-256-GCM, a military-grade authenticated encryption algorithm.
  • Each key gets its own unique Data Encryption Key (DEK). Your keys never share the same encryption material.
  • Every DEK is wrapped by a Master Encryption Key stored as a write-only secret in our infrastructure.
  • Once set, the Master Encryption Key cannot be retrieved by anyone: not via the dashboard, not via the API, not by host support.

How data flows

  1. Your API Key (plaintext, never stored)
  2. Encrypted with DEK (per-key Data Encryption Key)
  3. DEK encrypted with Master Key (write-only, unreadable by anyone)
  4. Stored in Database (all ciphertext, zero plaintext)

Only the final ciphertext blobs are persisted. No step writes plaintext to disk.
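
The envelope scheme described above, shown with Node's built-in crypto module; this is an added example, not API Lens code. The function names, the record layout and the use of a record id as GCM associated data are assumptions, and the master key passed in is a locally generated stand-in for the write-only secret.

```javascript
// Added illustration of envelope encryption with AES-256-GCM; not API Lens code.
const nodeCrypto = require('node:crypto');

// AES-256-GCM encrypt; `aad` is authenticated but not encrypted.
function seal(key, plaintext, aad) {
  const iv = nodeCrypto.randomBytes(12);        // fresh 96-bit nonce per encryption
  const c = nodeCrypto.createCipheriv('aes-256-gcm', key, iv);
  c.setAAD(aad);
  const ct = Buffer.concat([c.update(plaintext), c.final()]);
  return { iv, ct, tag: c.getAuthTag() };
}

// AES-256-GCM decrypt; throws if key, ciphertext, tag or aad do not match.
function unseal(key, box, aad) {
  const d = nodeCrypto.createDecipheriv('aes-256-gcm', key, box.iv);
  d.setAAD(aad);
  d.setAuthTag(box.tag);
  return Buffer.concat([d.update(box.ct), d.final()]);
}

// Encrypt one credential under a fresh DEK, then wrap that DEK with the master key.
// `recordId` (hypothetical) is bound as AAD so a blob cannot be moved to another row.
function encryptCredential(masterKey, recordId, apiKey) {
  const aad = Buffer.from(recordId, 'utf8');
  const dek = nodeCrypto.randomBytes(32);       // per-credential Data Encryption Key
  const record = {
    recordId,
    wrappedDek: seal(masterKey, dek, aad),
    secret: seal(dek, Buffer.from(apiKey, 'utf8'), aad),
  };
  dek.fill(0);                                  // best-effort wipe of the plaintext DEK
  return record;                                // only ciphertext fields are persisted
}

// Unwrap the DEK, then decrypt the credential (the sync-time path).
function decryptCredential(masterKey, record) {
  const aad = Buffer.from(record.recordId, 'utf8');
  const dek = unseal(masterKey, record.wrappedDek, aad);
  try {
    return unseal(dek, record.secret, aad).toString('utf8');
  } finally {
    dek.fill(0);                                // wipe the DEK once the call is done
  }
}
```
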

Additional Defence-in-Depth

AES-256-GCM Encryption

Every API key you store is encrypted at rest using AES-256-GCM — the same algorithm used by banks and governments.

Keys are encrypted before they ever touch the database. The plaintext value exists only momentarily in server memory during the encryption step, then is discarded.

Row-Level Security (RLS)

Database-enforced access policies ensure you can only ever read your own data — even at the query level.

Supabase Row Level Security policies are attached directly to every table. No application logic can bypass them; the database itself rejects unauthorised reads.

HTTPS / TLS in Transit

All communication between your browser and our servers is encrypted in transit via TLS 1.2+.

We enforce HTTPS on every endpoint and use HTTP Strict Transport Security (HSTS) headers to prevent downgrade attacks.

No Plaintext Keys Ever Stored or Logged

We never write an unencrypted API key to disk, to logs, or to any external service.

Server-side logging is scoped to request metadata only. API key values are stripped before any log statement is emitted. Third-party error trackers are configured to redact sensitive fields.

Audit Log of Key Operations

Every create, view, rotate, and delete operation on an API key is recorded in a tamper-evident audit log.

The log captures: the acting user, a timestamp, the action type, and the key identifier — never the key value itself. Logs are retained for 90 days.

Full Transparency

Sync is the only reason decryption ever happens. Your credential is decrypted in memory only to call your upstream provider, never for display or export.
Every decryption is logged. The dashboard shows a full, immutable history of every time your keys were used for syncs.