Security

How StackBE protects your data and best practices for secure integration.

Security Overview

  • HTTPS Only — All API communication is encrypted with TLS 1.2+
  • Data Encryption — Sensitive data encrypted at rest using AES-256
  • Stripe Connect — Payment credentials never touch StackBE servers
  • Scoped API Keys — Keys are isolated per app with limited permissions

API Key Best Practices

API keys provide full access to your app's data. Treat them like passwords.

Do

  • Store API keys in environment variables, never in code
  • Use separate keys for development and production
  • Rotate keys periodically (create new key, update apps, delete old)
  • Delete unused keys immediately

Don't

  • Never commit API keys to git repositories
  • Never expose keys in client-side JavaScript
  • Never share keys in support tickets or chat
  • Never log API keys in application logs

typescript
// Good: Load from environment
const stackbe = new StackBE({
  apiKey: process.env.STACKBE_API_KEY!, // Never hardcode
  appId: process.env.STACKBE_APP_ID!,
});

// Add .env to .gitignore
// STACKBE_API_KEY=sk_live_...
// STACKBE_APP_ID=app_...
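
One way to enforce the environment-variable and key-separation rules above at startup, and to keep keys out of logs. This is an added example, not StackBE's own code: `loadStackbeConfig`, `redactSecrets`, and the `logger` in the usage comment are hypothetical names, and the use of `NODE_ENV`, the `sk_live_` prefix for production keys and the key character set are assumptions.

```typescript
// Added example, not part of the StackBE SDK. Helper names are hypothetical.
type Env = Record<string, string | undefined>;

interface StackbeConfig {
  apiKey: string;
  appId: string;
}

// Assumption: production keys start with the sk_live_ prefix shown above.
const LIVE_PREFIX = 'sk_live_';

// Validate configuration once at startup instead of trusting `!` assertions.
function loadStackbeConfig(env: Env): StackbeConfig {
  const apiKey = (env.STACKBE_API_KEY ?? '').trim();
  const appId = (env.STACKBE_APP_ID ?? '').trim();

  const missing: string[] = [];
  if (!apiKey) missing.push('STACKBE_API_KEY');
  if (!appId) missing.push('STACKBE_APP_ID');
  if (missing.length > 0) {
    // Report the variable name only, never its value.
    throw new Error(`Missing environment variable(s): ${missing.join(', ')}`);
  }

  // Assumption: NODE_ENV distinguishes production from development.
  if (env.NODE_ENV !== 'production' && apiKey.startsWith(LIVE_PREFIX)) {
    throw new Error('Live API key configured outside production');
  }
  return { apiKey, appId };
}

// Mask anything shaped like a live key before text reaches a log or ticket.
// Assumption: keys consist of letters, digits, "_" and "-".
function redactSecrets(text: string): string {
  return text.replace(/sk_live_[A-Za-z0-9_-]+/g, `${LIVE_PREFIX}[REDACTED]`);
}

// Usage (values come from the process environment, e.g. loaded from .env):
//   const config = loadStackbeConfig(process.env);
//   const stackbe = new StackBE(config);
//   logger.error(redactSecrets(String(err)));  // logger is hypothetical
```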

Stripe Connect Security

StackBE uses Stripe Connect for payment processing. This means:

  • Your Stripe account, your money — Payments go directly to your connected Stripe account
  • No card data on StackBE — Credit card details are handled entirely by Stripe
  • Revocable access — Disconnect StackBE from your Stripe dashboard anytime
  • PCI compliant — Stripe handles PCI DSS compliance

Session Security

Customer sessions use JWTs with the following properties:

  • Short-lived tokens — Sessions expire after 7 days by default
  • Magic link expiry — Login links expire after 15 minutes
  • Signed tokens — JWTs are cryptographically signed

Store session tokens securely in httpOnly cookies:

typescript
// After verifying magic link token
const result = await stackbe.auth.verifyToken(token);

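// Store in secure, httpOnly cookie
cookies.set('session', result.sessionToken, {
  httpOnly: true,    // Not readable from page JavaScript, so XSS cannot read the token
  secure: true,      // Sent over HTTPS only
  sameSite: 'lax',   // Withheld from cross-site POSTs and subrequests (CSRF mitigation)
  maxAge: 60 * 60 * 24 * 7, // 7 days, matching the default session lifetime (assumes maxAge is in seconds)
});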

Infrastructure Security

  • Hosted on Render — SOC 2 Type II compliant infrastructure
  • Database encryption — PostgreSQL with encryption at rest
  • Automated backups — Daily database backups with point-in-time recovery
  • DDoS protection — Built-in protection at infrastructure level

Reporting Security Issues

If you discover a security vulnerability, please email security@stackbe.io. We take all reports seriously and will respond within 24 hours.