Your API keys and financial data are sensitive. Here is exactly what we do to keep them safe.
Every API key you connect is encrypted before it is written to the database. We use AES-256-GCM — the same algorithm used by banks and governments. The raw key is never stored anywhere in plaintext.
The master encryption key is never used directly. We derive two separate subkeys via HMAC-SHA256 — one for encryption, one for authentication. This prevents cross-context key reuse attacks and means compromising one subkey does not expose the master key.
Every encrypted value includes an outer HMAC-SHA256 over the entire payload (IV + auth tag + ciphertext). Before decrypting anything, we verify this MAC using constant-time comparison to prevent timing attacks. If a single byte has been modified, decryption is refused.
AES-256-GCM is an authenticated cipher — it produces a 128-bit auth tag that detects any tampering at the cipher level too. This is a second layer of integrity checking on top of the HMAC.
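The construction described in the four paragraphs above (purpose-bound subkeys derived with HMAC-SHA256, AES-256-GCM, an outer HMAC-SHA256 over the whole payload, constant-time MAC comparison, decryption refused on any mismatch) as an added worked example in Go using only the standard library. This is illustrative code, not PayLens's own implementation: the context labels, the byte layout, the sample key value and the in-memory master key are assumptions for the example. Note that Go's `gcm.Seal` places the 128-bit tag after the ciphertext, whereas the page lists the components as IV + auth tag + ciphertext; the outer MAC covers all three regardless of order.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

const (
	nonceSize = 12 // AES-GCM standard nonce (IV) size in bytes
	tagSize   = 16 // 128-bit GCM authentication tag
	macSize   = 32 // HMAC-SHA256 output
)

var (
	ErrTooShort = errors.New("blob too short to contain IV, tag and MAC")
	ErrOuterMAC = errors.New("outer HMAC mismatch: refusing to decrypt")
	ErrGCMTag   = errors.New("AES-GCM tag mismatch")
)

// DeriveSubkey binds a 32-byte subkey to one purpose by running HMAC-SHA256,
// keyed with the master key, over a context label. The labels used below are
// assumptions for this example. The master key is never used as a cipher or
// MAC key itself, so neither subkey reveals it.
func DeriveSubkey(master []byte, label string) []byte {
	m := hmac.New(sha256.New, master)
	m.Write([]byte(label))
	return m.Sum(nil)
}

func newGCM(encKey []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(encKey) // a 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// OuterMAC is HMAC-SHA256 over the entire payload (IV || ciphertext || tag)
// under the authentication subkey.
func OuterMAC(master, payload []byte) []byte {
	m := hmac.New(sha256.New, DeriveSubkey(master, "example/authenticate"))
	m.Write(payload)
	return m.Sum(nil)
}

// Seal encrypts an API key and returns IV || ciphertext || GCM tag || outer MAC.
func Seal(master, apiKey []byte) ([]byte, error) {
	gcm, err := newGCM(DeriveSubkey(master, "example/encrypt"))
	if err != nil {
		return nil, err
	}
	iv := make([]byte, nonceSize)
	if _, err := rand.Read(iv); err != nil { // fresh random IV for every value
		return nil, err
	}
	payload := append(iv, gcm.Seal(nil, iv, apiKey, nil)...) // ciphertext || tag
	return append(payload, OuterMAC(master, payload)...), nil
}

// Open verifies the outer MAC in constant time, then lets GCM verify its own
// tag, and only then returns the plaintext. A single modified byte anywhere in
// the blob fails one of the two checks.
func Open(master, blob []byte) ([]byte, error) {
	if len(blob) < nonceSize+tagSize+macSize {
		return nil, ErrTooShort
	}
	payload, gotMAC := blob[:len(blob)-macSize], blob[len(blob)-macSize:]
	// hmac.Equal compares in constant time, so response timing does not leak
	// how many leading bytes of a guessed MAC were correct.
	if !hmac.Equal(OuterMAC(master, payload), gotMAC) {
		return nil, ErrOuterMAC
	}
	gcm, err := newGCM(DeriveSubkey(master, "example/encrypt"))
	if err != nil {
		return nil, err
	}
	iv, ct := payload[:nonceSize], payload[nonceSize:]
	apiKey, err := gcm.Open(nil, iv, ct, nil) // second integrity layer
	if err != nil {
		return nil, ErrGCMTag
	}
	return apiKey, nil
}

func main() {
	master := make([]byte, 32) // constructed for the example; a real service loads this from a secret store
	if _, err := rand.Read(master); err != nil {
		panic(err)
	}
	blob, _ := Seal(master, []byte("sk_test_constructed_example_key"))
	tampered := append([]byte(nil), blob...)
	tampered[nonceSize] ^= 0x01 // flip one ciphertext bit
	_, err := Open(master, tampered)
	fmt.Println("tampered blob rejected:", err)
	pt, _ := Open(master, blob)
	fmt.Println("intact blob decrypts:", string(pt))
}
```

The two integrity layers are distinguishable in the errors: corrupting a ciphertext byte is caught by the outer HMAC before any AES-GCM work happens, and a payload whose outer MAC has been recomputed over tampered bytes is still rejected by the GCM tag. Decrypting under a different master key fails at the outer MAC as well, because the authentication subkey derived from it differs.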
Once a key is saved, it is never returned to the frontend. The API endpoint that lists your connections returns only metadata (type, label, sync date) — never the key itself, not even the encrypted form. We only decrypt a key server-side, in memory, at the moment we need to call Stripe.
All connections between your browser and PayLens use HTTPS / TLS 1.3. Your key is encrypted in your browser and travels over an encrypted channel — it is never sent in plaintext over the network.
Every database query that touches your connections is scoped to your user ID from the server session. There is no way to access another user's connections by guessing an ID — the server always verifies ownership before touching any record.
Questions? Contact us at paylens.admin@gmail.com