<!-- canonical: https://helperx.app/docs/security -->
<!-- updated: 2026-07-19 -->

# Security

Auth tokens and proxy credentials are encrypted at rest with AES-256-GCM. The encryption key is derived from a server environment variable.

## What’s encrypted

The following data is encrypted at rest:

- **X auth tokens** — your session cookie used to access X.
- **Proxy credentials** — the proxy string including username and password.

Module settings, display names, and other non-sensitive data are stored in plaintext.

## How it works

Sensitive values are encrypted using **AES-256-GCM** (authenticated encryption) before being written to storage. Each value gets its own random initialization vector, so encrypting the same token twice produces different ciphertexts.

Decryption happens at runtime only when a module needs the credential (e.g., to make an API call to X).

## Key setup

The encryption key is derived from the **X_TOKEN_ENC_KEY** environment variable on the server. You can use any string as the key value.

If the environment variable is not set, encryption is disabled and credentials are stored in plaintext. A warning is logged once at startup.

## Legacy data

If the system encounters plaintext credentials (from before encryption was enabled), they are read normally and automatically encrypted on the next save. No manual migration is needed.

## Security scope

**What this protects:** Database dumps and casual disk access. Encrypted auth tokens are meaningless without the encryption key.

**What this does NOT protect:** An attacker with code-execution access to the server can read the environment variable and decrypt everything. This is the standard baseline for SaaS applications.

Operator guide: [Token & Session Security for X Tools](https://helperx.app/blog/x-auth-token-security-automation). Never paste cookies or auth tokens into chat apps.
