Encrypted at rest

Credential data (OAuth tokens, API keys, custom client secrets) is encrypted at the application level with Fernet authenticated symmetric encryption before it is written to the database. The encryption key lives in a deployment secret outside the database, so database access alone is not enough to read a credential.
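
The pattern described above, as an added example rather than NoClick's own code: it encrypts a credential with Fernet (from the Python cryptography package) before inserting it, then checks that the stored row does not decrypt with a different key or after a one-bit modification. The CRED_ENC_KEY variable name, the table layout, and the in-memory SQLite store are assumptions made for illustration.

```python
import base64
import json
import os
import sqlite3

from cryptography.fernet import Fernet, InvalidToken

def load_key(env=os.environ):
    # Assumption: the deployment secret is exposed as an environment variable.
    # CRED_ENC_KEY is a hypothetical name, not NoClick's.
    return env["CRED_ENC_KEY"].encode()

def open_store():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE credentials (name TEXT PRIMARY KEY, owner TEXT, data BLOB)")
    return db

def save_credential(db, key, name, owner, secret):
    # Only the Fernet token reaches the database; name and owner stay readable.
    token = Fernet(key).encrypt(json.dumps(secret).encode())
    db.execute("INSERT OR REPLACE INTO credentials VALUES (?, ?, ?)", (name, owner, token))

def load_credential(db, key, name):
    row = db.execute("SELECT data FROM credentials WHERE name = ?", (name,)).fetchone()
    if row is None:
        raise KeyError(name)
    return json.loads(Fernet(key).decrypt(row[0]))  # raises InvalidToken on failure

def decrypts(key, token):
    try:
        Fernet(key).decrypt(token)
        return True
    except InvalidToken:
        return False

def demo():
    key = Fernet.generate_key()  # constructed key standing in for the deployment secret
    db = open_store()
    secret = {"api_key": "sk-constructed-example"}  # constructed sample credential
    save_credential(db, load_key({"CRED_ENC_KEY": key.decode()}), "crm", "alice", secret)
    stored = db.execute("SELECT data FROM credentials").fetchone()[0]
    raw = bytearray(base64.urlsafe_b64decode(stored))
    raw[30] ^= 0x01  # flip one ciphertext bit, as a direct database edit would
    return {"roundtrip": load_credential(db, key, "crm") == secret,
            "plaintext_in_row": b"sk-constructed" in stored,
            "other_key_decrypts": decrypts(Fernet.generate_key(), stored),
            "tampered_decrypts": decrypts(key, base64.urlsafe_b64encode(bytes(raw)))}
```

Because Fernet authenticates the token with HMAC before decrypting, a modified row fails with InvalidToken rather than returning altered plaintext.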

Encrypted in transit

The app, the API, and the real-time connection all run over HTTPS and secure WebSockets.

Tokens refresh automatically

For OAuth services, NoClick refreshes expired access tokens on its own, both when a workflow runs and when a credential is loaded for things like dropdown options. You don’t have to reconnect on a schedule; reconnecting is only needed if the provider revokes access. See Credential problems.

Who can see credential values

  • Values are decrypted server-side; collaborators on a shared workflow see only the credential’s name and owner, never the secret. See Credentials and other people.
  • The UI never displays a stored secret back to you. Editing a credential means re-entering the values.
  • Only the owner, and accounts the credential was explicitly shared with, can access it at all.

You stay in control

Delete a credential at any time from Settings → Credentials or from a node’s credential picker. For OAuth connections you can also revoke NoClick’s access from the provider’s own security settings, which immediately invalidates the stored tokens.