SEO WRITER
Start

How API Keys Are Stored Securely

📅 June 4, 20262 min read
Table of Contents

Encryption at Rest

All sensitive credentials are encrypted using Fernet symmetric encryption before being saved to the database. Fernet uses AES-128 in CBC mode with HMAC-SHA256 for authentication. This includes:

  • Gemini, OpenAI, OpenRouter API keys
  • WordPress Application Passwords
  • 1С-Bitrix, InSales, and Joomla credentials
  • SerpAPI and YouTube API keys (per-site)
  • Social media tokens (VK, OK, Pinterest)

How Fernet Encryption Works

  • Algorithm: AES-128 in CBC mode with a random initialization vector per value
  • Authentication: HMAC-SHA256 to detect tampering
  • The encryption key is stored as an environment variable on the server — completely separate from the database

If someone gained read access to the database, they could not decrypt your credentials without the server-side encryption key.

What AI SEO Writer Staff Can See

Staff cannot see your plain-text API keys. Credentials are decrypted only in memory during article generation and are never logged or stored in plain text.

Account Passwords

User passwords are hashed with bcrypt (12 rounds) — a one-way hash. We cannot recover your password; use "Forgot password" to reset it.

Session Tokens (JWT)

Sessions use signed JWT tokens (algorithm: HS256):

  • Access token — valid for 15 minutes
  • Refresh token — valid for 7 days
  • Agency impersonation token — valid for 8 hours (used when a manager logs in as a client)

If a Key Is Compromised

  1. Revoke the key at the provider (Google Cloud Console, OpenAI, etc.)
  2. Generate a new key at the provider
  3. Update it in AI SEO Writer — the old encrypted value is replaced immediately upon saving
Previous
How to Read Generation Logs
Next
Frequently Asked Questions

In this section

Article Stuck in Queue or ProcessingWordPress Connection ErrorsAPI Key Errors During GenerationArticle Limit Exceeded

Was this article helpful?