Security
Auth tokens and proxy credentials are encrypted at rest with AES-256-GCM. The encryption key is derived from a server environment variable.
What’s encrypted
The following data is encrypted at rest:
- X auth tokens — your session cookie used to access X.
- Proxy credentials — the proxy string including username and password.
Module settings, display names, and other non-sensitive data are stored in plaintext.
How it works
Sensitive values are encrypted using AES-256-GCM (authenticated encryption) before being written to storage. Each value gets its own random initialization vector, so encrypting the same token twice produces different ciphertexts.
Decryption happens at runtime only when a module needs the credential (e.g., to make an API call to X).
Key setup
The encryption key is derived from the X_TOKEN_ENC_KEY environment variable on the server. You can use any string as the key value.
If the environment variable is not set, encryption is disabled and credentials are stored in plaintext. A warning is logged once at startup.
Legacy data
If the system encounters plaintext credentials (from before encryption was enabled), they are read normally and automatically encrypted on the next save. No manual migration is needed.
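The scheme described in the sections above, sketched as an added Node.js example (not this project's own code). The page names only AES-256-GCM and X_TOKEN_ENC_KEY; the scrypt derivation, the fixed salt label, the `enc:v1:` prefix, the IV/tag/ciphertext layout and all function names are assumptions made for illustration.

```javascript
// Added example, not the project's code. Assumptions: scrypt as the KDF,
// a fixed salt label, and an "enc:v1:" prefix marking encrypted values.
const nodeCrypto = require("node:crypto");

const PREFIX = "enc:v1:"; // hypothetical marker: ciphertext vs. legacy plaintext

// Derive a 32-byte AES-256 key from the X_TOKEN_ENC_KEY string.
function deriveKey(secret) {
  if (!secret) return null; // variable unset: encryption is disabled
  return nodeCrypto.scryptSync(secret, "x-token-enc", 32);
}

function encryptValue(plaintext, key) {
  if (!key) return plaintext; // documented fallback: stored in plaintext
  const iv = nodeCrypto.randomBytes(12); // fresh random 96-bit IV per value
  const cipher = nodeCrypto.createCipheriv("aes-256-gcm", key, iv);
  const ct = Buffer.concat([cipher.update(plaintext, "utf8"), cipher.final()]);
  // Store IV and 16-byte auth tag next to the ciphertext; neither is secret.
  return PREFIX + Buffer.concat([iv, cipher.getAuthTag(), ct]).toString("base64");
}

function decryptValue(stored, key) {
  if (!stored.startsWith(PREFIX)) return stored; // legacy plaintext, read as-is
  if (!key) throw new Error("encrypted value found but X_TOKEN_ENC_KEY is not set");
  const raw = Buffer.from(stored.slice(PREFIX.length), "base64");
  const iv = raw.subarray(0, 12);
  const tag = raw.subarray(12, 28);
  const ct = raw.subarray(28);
  const decipher = nodeCrypto.createDecipheriv("aes-256-gcm", key, iv);
  decipher.setAuthTag(tag);
  // final() throws if the tag does not verify (tampered data or wrong key).
  return Buffer.concat([decipher.update(ct), decipher.final()]).toString("utf8");
}

// Save path: legacy plaintext is encrypted, existing ciphertext is left alone.
function migrateOnSave(stored, key) {
  return stored.startsWith(PREFIX) || !key ? stored : encryptValue(stored, key);
}
```

Because the key is derived from whatever string is supplied, the protection is only as strong as that string is hard to guess; a long random value is the safe choice.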
Security scope
What this protects against: Database dumps and casual disk access. Encrypted auth tokens are meaningless without the encryption key.
What this does NOT protect against: An attacker with code-execution access to the server can read the environment variable and decrypt everything. This is the standard baseline for SaaS applications.