API Key Security

How QubrixMail protects your email provider API keys.

How We Store Your Key

Your API key is encrypted with AES-256-GCM before it is written to our database. Each key is encrypted with its own unique initialization vector, so even identical keys produce different encrypted values in storage.

What this means:

  • Your key is never stored in plain text — ever
  • Even if someone accessed our database directly, they would see only encrypted data
  • The decryption master key is stored separately from the database, in environment secrets

What We Show in the UI

After you save your API key:

  • The input field clears immediately
  • We show only the last 4 characters masked (e.g. ••••••••3f8a)
  • There is no "reveal key" option — use your provider's dashboard if you need the full key

When Your Key Is Used

Your key is decrypted in memory only at the moment an email needs to be sent — and only for that specific send operation. It is never:

  • Logged to files or monitoring systems
  • Included in API responses
  • Stored in browser storage or cookies
  • Shared with any third party

What To Do If You Suspect Compromise

  1. Go to your email provider dashboard immediately
  2. Revoke or regenerate the API key there
  3. In QubrixMail → Settings → Email Provider → Change API Key → paste the new key
  4. Send a test email to confirm the new key works

Since the old key is revoked at the provider level, no emails can be sent with it even if someone had intercepted it.

Multi-Tenant Isolation

Each company account has its own encrypted key stored separately. No user can access or use another company's API key. All database queries for API keys are scoped by company ID and validated server-side on every request.
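The storage scheme under "How We Store Your Key" and the per-company scoping above can be sketched as follows. This is an added example, not QubrixMail's own code: the environment variable name `KEY_ENCRYPTION_KEY`, the row field names, and the use of the company ID as GCM additional authenticated data are assumptions made for illustration.

```javascript
// Added example, not QubrixMail's code. Uses only Node.js built-in crypto.
const crypto = require('node:crypto');

// Assumption: the master key is 32 bytes, hex-encoded, in an environment
// secret named KEY_ENCRYPTION_KEY (hypothetical name), never in the database.
function loadMasterKey(env = process.env) {
  const key = Buffer.from(env.KEY_ENCRYPTION_KEY || '', 'hex');
  if (key.length !== 32) throw new Error('master key must be 32 bytes (64 hex chars)');
  return key;
}

// Encrypt one provider API key for one company. Returns the row to store.
function encryptApiKey(masterKey, companyId, apiKey) {
  const iv = crypto.randomBytes(12); // fresh 96-bit IV for every record
  const cipher = crypto.createCipheriv('aes-256-gcm', masterKey, iv, { authTagLength: 16 });
  // Assumption: the company ID is bound as additional authenticated data, so
  // a row copied under another tenant fails authentication on decrypt.
  cipher.setAAD(Buffer.from(String(companyId), 'utf8'));
  const ct = Buffer.concat([cipher.update(apiKey, 'utf8'), cipher.final()]);
  return {
    companyId,
    iv: iv.toString('base64'),
    tag: cipher.getAuthTag().toString('base64'),
    ciphertext: ct.toString('base64'),
  };
}

// Decrypt in memory for a single send. Throws if the row was modified, the
// wrong master key is used, or companyId differs from the one bound above.
function decryptApiKey(masterKey, companyId, row) {
  const decipher = crypto.createDecipheriv(
    'aes-256-gcm', masterKey, Buffer.from(row.iv, 'base64'), { authTagLength: 16 });
  decipher.setAAD(Buffer.from(String(companyId), 'utf8'));
  decipher.setAuthTag(Buffer.from(row.tag, 'base64'));
  const pt = Buffer.concat([
    decipher.update(Buffer.from(row.ciphertext, 'base64')), decipher.final()]);
  return pt.toString('utf8');
}
```

Because the IV is random per record, saving the same key twice yields two different stored rows, and decrypting a row with a different company ID throws instead of returning the key.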
