How Keys Are Stored

App API Keys

SHA-256 hashed before storage. We cannot retrieve the raw key — that's why it's only shown once. If you lose it, rotate it from the dashboard.

Bank Account Numbers

Encrypted with AES-256-GCM. The encryption key is stored separately from the database. Even a full database compromise would not expose account numbers.

Developer Passwords

Hashed with bcrypt (cost factor 12). Never stored in plaintext.