Security
Security is foundational to API Stash. Here's how we protect your data and credentials — and how to report a vulnerability.
Encryption
Data is encrypted in transit over TLS, and secrets are encrypted at rest using per-workspace keys, so secrets in one workspace can't be read from another.
Tokens & codes
Sensitive tokens and one-time codes are stored only as hashes, never in plaintext — so even an exposure of the underlying store doesn't reveal usable secrets.
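The following is an added example, not API Stash's code, showing one way to store tokens and one-time codes only as hashes. It assumes HMAC-SHA-256 keyed with a server-side secret held outside the data store (the page does not say which hash is used), an in-memory dict standing in for the database, and hypothetical function names.

```python
import hashlib
import hmac
import secrets
import time

# Assumption: a server-side key kept outside the data store (constructed here).
PEPPER = secrets.token_bytes(32)
STORE = {}  # record id -> stored fields; stands in for a database table


def digest(secret):
    """Keyed hash, so a copy of the store alone cannot be brute-forced offline."""
    return hmac.new(PEPPER, secret.encode(), hashlib.sha256).hexdigest()


def issue_token(record_id):
    """Create a high-entropy token; only its digest is persisted."""
    token = secrets.token_urlsafe(32)
    STORE[record_id] = {"hash": digest(token), "expires": None, "used": False}
    return token  # shown to the caller once, never written to STORE


def issue_code(record_id, ttl=300, now=None):
    """Create a 6-digit one-time code with an expiry; only its digest is persisted."""
    now = time.time() if now is None else now
    code = f"{secrets.randbelow(10**6):06d}"
    STORE[record_id] = {"hash": digest(code), "expires": now + ttl, "used": False}
    return code


def verify(record_id, presented, one_time=False, now=None):
    """Hash the presented value and compare digests in constant time."""
    now = time.time() if now is None else now
    rec = STORE.get(record_id)
    if rec is None or rec["used"]:
        return False
    if rec["expires"] is not None and now > rec["expires"]:
        return False
    ok = hmac.compare_digest(rec["hash"], digest(presented))
    if ok and one_time:
        rec["used"] = True  # a one-time code cannot be replayed
    return ok
```

A six-digit code has only 10^6 possible values, so an unkeyed hash of it could be reversed by trying every value; the keyed digest, expiry and single-use flag cover that case, alongside rate limiting on the verifying endpoint.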
Access controls
Access is scoped: members can only reach the workspaces they belong to, and roles govern what each member can change (see members & roles).
Multi-factor authentication
MFA (TOTP) is available on accounts. Enable it from your account settings to require a time-based one-time code in addition to your password.
Rate limiting
Sensitive endpoints are rate limited to mitigate abuse and brute-force attempts.
Reporting a vulnerability
If you believe you've found a security issue, please email security@tryapistash.com. We appreciate responsible disclosure and will respond promptly.