Encrypted before it touches the database
Credals is built so that the plaintext of a secret never lands in storage. Here is exactly what that means, and where the boundaries are.
AES-256-GCM authenticated encryption
Every credential value (a password, an API key, an access token) is encrypted with AES-256-GCM before it is written to the database. AES-256 is a symmetric cipher with a 256-bit key, the standard used to protect classified and financial data. GCM (Galois/Counter Mode) adds authentication on top of encryption: each stored value carries an integrity tag, so any tampering with the ciphertext is detected on decryption rather than silently returning corrupted data.
A ciphertext-only database
The database stores ciphertext, not plaintext. If someone were to obtain a raw copy of the stored rows, they would see encrypted blobs, not your logins. Plaintext exists only transiently, in memory, at the moment you view or copy a specific credential.
The encryption boundary
The boundary is explicit and auditable: encryption is applied on the way in, decryption only when you request a specific value. There is no path where a plaintext credential is persisted to disk.
Authentication and sessions
Supabase Authmanages email-and-password authentication and your session lifecycle. Your account password is decoupled from the server-side encryption key, so the two concerns don't collapse into one point of failure.
Clipboard hygiene
Copied credentials auto-clear from the clipboard after 60 seconds. A secret you copied to paste into a form doesn't linger where the next app you open could read it.
Minimal trust surface
Credals relies on a deliberately small set of providers (Supabase for the database and auth, Vercel for hosting), so the trust boundary stays easy to reason about. Fewer moving parts means fewer places for data to leak.
Responsible disclosure
Found a security issue? We want to hear about it. Email hello@credals.comwith details and we'll respond promptly.