Security

Security you can verify

Skrybo is built to hold the credentials that unlock your organic search data safely. Google Search Console refresh tokens and vendor API keys are AES-256-GCM encrypted at rest with a master key you control, Better Auth handles sessions with scrypt + CSRF, and every product route enforces cross-account isolation with a 404 (not a 403) so nothing leaks.

How your data stays safe

AES-256-GCM secrets at rest

Google Search Console refresh tokens and vendor API keys are never stored in plaintext. They are encrypted at rest with an AES-256-GCM master key that you provide on self-host or that we hold in a KMS on the hosted plan.

Better Auth owns identity

Sessions, scrypt hashing, CSRF (Origin + trusted-origins), password reset, email verification, and Google OAuth are all handled by Better Auth mounted before the JSON body parser. No hand-rolled JWTs, no hand-rolled cookie parsing.

Cross-account isolation returns 404

Every product route checks ownership before responding. If a different account requests a resource you own, they see 404 — never 403 — so the existence of the resource never leaks.

Rate limits on the sensitive routes

The /api/auth/* handler and the payment webhook route sit behind rate limiters tuned to catch brute force and volumetric abuse before it reaches the app layer.

Vendor SDKs kept behind a provider registry

No vendor SDK or vendor URL is imported outside the shared providers directory. Swapping vendors is a config change, not a refactor, and vendor keys are gated by the registry.

Your data, no lock-in

Every audit report and rank-history dataset exports as CSV or JSON at any time. On the self-host tier the entire pipeline runs on your infrastructure — nothing transits a third party.

Frequently asked questions