Security you can verify
Skrybo is built to hold the credentials that unlock your organic search data safely. Google Search Console refresh tokens and vendor API keys are AES-256-GCM encrypted at rest with a master key you control, Better Auth handles sessions with scrypt + CSRF, and every product route enforces cross-account isolation with a 404 (not a 403) so nothing leaks.
How your data stays safe
AES-256-GCM secrets at rest
Google Search Console refresh tokens and vendor API keys are never stored in plaintext. They are encrypted at rest with an AES-256-GCM master key that you provide on self-host or that we hold in a KMS on the hosted plan.
Better Auth owns identity
Sessions, scrypt hashing, CSRF (Origin + trusted-origins), password reset, email verification, and Google OAuth are all handled by Better Auth mounted before the JSON body parser. No hand-rolled JWTs, no hand-rolled cookie parsing.
Cross-account isolation returns 404
Every product route checks ownership before responding. If a different account requests a resource you own, they see 404 — never 403 — so the existence of the resource never leaks.
Rate limits on the sensitive routes
The /api/auth/* handler and the payment webhook route sit behind rate limiters tuned to catch brute force and volumetric abuse before it reaches the app layer.
Vendor SDKs kept behind a provider registry
No vendor SDK or vendor URL is imported outside the shared providers directory. Swapping vendors is a config change, not a refactor, and vendor keys are gated by the registry.
Your data, no lock-in
Every audit report and rank-history dataset exports as CSV or JSON at any time. On the self-host tier the entire pipeline runs on your infrastructure — nothing transits a third party.