Security

Kite is built desktop-first — your API collections and request data stay on your machine.

Collections are stored as local files on your filesystem. No cloud sync required — use Git to version and share. When sync is enabled, data is encrypted in transit with TLS and scoped to your workspace.

Authentication uses short-lived JWTs (15-minute access tokens, 7-day refresh tokens) with single-session enforcement, so a new sign-in supersedes any session that is still open. Sign-in is via OAuth with Google and GitHub; your password is never stored in plaintext.
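The token lifetimes and single-session rule above are easy to get subtly wrong, so here is an added worked example (not Kite's own code) of a minimal HS256 JWT issuer with a 15-minute access token, a 7-day refresh token and a per-user session id that a new login overwrites. The `SessionService` class, the `sid` claim and the in-memory session map are assumptions made for illustration; the signing key and timestamps in the usage call are constructed.

```python
import base64
import hashlib
import hmac
import json
import secrets

ACCESS_TTL = 15 * 60          # 15-minute access token, as stated on the page
REFRESH_TTL = 7 * 24 * 3600   # 7-day refresh token


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def sign_jwt(claims: dict, key: bytes) -> str:
    """Produce header.payload.signature with HMAC-SHA256 over the first two parts."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    body = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"


def verify_jwt(token: str, key: bytes, now: float) -> dict:
    """Return the claims if the signature is valid and the token is not expired, else raise."""
    try:
        header_b64, body_b64, sig_b64 = token.split(".")
    except ValueError:
        raise ValueError("malformed token")
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":
        # Pin the algorithm server-side; never let the token choose it (alg=none attacks).
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{header_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(body_b64))
    exp = claims.get("exp")
    if exp is None or now >= exp:
        raise ValueError("expired")
    return claims


class SessionService:
    """Hypothetical issuer: one active session id per user, stored in memory."""

    def __init__(self, key: bytes):
        self.key = key
        self.sessions: dict[str, str] = {}   # user_id -> current session id

    def _issue(self, user_id: str, sid: str, now: float) -> tuple[str, str]:
        access = sign_jwt({"sub": user_id, "sid": sid, "typ": "access",
                           "exp": int(now + ACCESS_TTL)}, self.key)
        refresh = sign_jwt({"sub": user_id, "sid": sid, "typ": "refresh",
                            "exp": int(now + REFRESH_TTL)}, self.key)
        return access, refresh

    def login(self, user_id: str, now: float) -> tuple[str, str]:
        # Overwriting the stored session id is the single-session enforcement:
        # tokens carrying the old sid stop verifying immediately.
        sid = secrets.token_hex(16)
        self.sessions[user_id] = sid
        return self._issue(user_id, sid, now)

    def _check(self, token: str, typ: str, now: float) -> dict:
        claims = verify_jwt(token, self.key, now)
        if claims.get("typ") != typ:
            raise ValueError(f"not a {typ} token")   # refresh tokens must not pass as access tokens
        if self.sessions.get(claims["sub"]) != claims.get("sid"):
            raise ValueError("session superseded")
        return claims

    def authenticate(self, access_token: str, now: float) -> str:
        return self._check(access_token, "access", now)["sub"]

    def refresh(self, refresh_token: str, now: float) -> tuple[str, str]:
        claims = self._check(refresh_token, "refresh", now)
        return self._issue(claims["sub"], claims["sid"], now)


if __name__ == "__main__":
    svc = SessionService(secrets.token_bytes(32))   # constructed key
    t0 = 1_700_000_000.0                            # constructed timestamp
    access, refresh = svc.login("user-1", t0)
    print(svc.authenticate(access, t0 + 60))        # user-1
    access2, _ = svc.refresh(refresh, t0 + 16 * 60)  # old access token is expired by now
    svc.login("user-1", t0 + 20 * 60)               # second sign-in supersedes the first
    try:
        svc.authenticate(access2, t0 + 21 * 60)
    except ValueError as e:
        print("old session rejected:", e)
```

The three checks that matter are the pinned algorithm, the constant-time signature comparison, and the session-id lookup on every request; the last one is what turns "short-lived tokens" into "one session per user" without waiting for the refresh token to expire.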

Webhook payloads on the server have configurable TTLs (24 hours on the free plan, 90 days on Pro).

SSH connections use Trust On First Use (TOFU): the server's host key fingerprint is recorded on the first connection and must match on every subsequent connect.
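To make the TOFU rule concrete, here is an added example (not Kite's code) of a known-hosts style pin store: the first connection to a host:port records the SHA256 fingerprint of the host key, later connections must present a key with the same fingerprint, and a mismatch is refused rather than silently re-pinned. The `KnownHosts` class and `HostKeyMismatch` exception are assumptions for illustration; the host keys used in the usage call are constructed byte strings, not real keys.

```python
import base64
import hashlib
import hmac


class HostKeyMismatch(Exception):
    """Raised when a previously pinned host presents a different key."""


class KnownHosts:
    """Hypothetical TOFU store keyed by "host:port"."""

    def __init__(self) -> None:
        self.pins: dict[str, str] = {}

    @staticmethod
    def fingerprint(host_key: bytes) -> str:
        # OpenSSH-style presentation: SHA256 over the raw key blob, unpadded base64.
        digest = hashlib.sha256(host_key).digest()
        return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

    def check(self, host: str, port: int, host_key: bytes) -> str:
        """Return "trusted-first-use" or "verified"; raise on a changed key."""
        name = f"{host}:{port}"
        fp = self.fingerprint(host_key)
        pinned = self.pins.get(name)
        if pinned is None:
            # First use: trust and record. This is the moment to confirm the
            # fingerprint out of band, since TOFU cannot detect an attacker
            # who is already in the path on the very first connection.
            self.pins[name] = fp
            return "trusted-first-use"
        if hmac.compare_digest(pinned, fp):
            return "verified"
        # Do NOT overwrite the pin here; the user must explicitly remove it.
        raise HostKeyMismatch(f"{name}: pinned {pinned}, presented {fp}")

    def to_text(self) -> str:
        """Serialise as one 'host:port fingerprint' line per entry, for a pin file."""
        return "".join(f"{name} {fp}\n" for name, fp in sorted(self.pins.items()))

    @classmethod
    def from_text(cls, text: str) -> "KnownHosts":
        store = cls()
        for line in text.splitlines():
            if line.strip() and not line.startswith("#"):
                name, fp = line.split()
                store.pins[name] = fp
        return store


if __name__ == "__main__":
    kh = KnownHosts()
    key_a = b"ssh-ed25519 constructed-host-key-A"   # constructed, not a real key
    key_b = b"ssh-ed25519 constructed-host-key-B"   # constructed, not a real key
    print(kh.check("api.example.test", 22, key_a))  # trusted-first-use
    print(kh.check("api.example.test", 22, key_a))  # verified
    try:
        kh.check("api.example.test", 22, key_b)
    except HostKeyMismatch as e:
        print("refused:", e)
```

The pin is keyed on host and port together, as OpenSSH does for non-default ports, so a service on port 2222 is not conflated with the one on 22. A mismatch is an error for the user to resolve, never an automatic re-pin; otherwise the "verification on subsequent connects" provides no protection at all.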