Skip to main content
Your apps depend on sensitive credentials — API keys, database connection strings, OAuth tokens, and more. Vybe encrypts all of these at rest and provides a secure pipeline for injecting them into your app at deployment time, so secrets never appear in your code or version history.

Encryption at rest

All sensitive values are encrypted using AES-256-GCM before they are stored in the database. This is an additional encryption layer on top of the base database encryption provided by Neon.
Secret typeExamples
Custom API credentialsAPI keys, Bearer tokens, basic auth passwords
Database connection stringsPostgreSQL URLs, MySQL URLs, Redshift URLs
SSH private keysKeys used for tunneled database connections
OAuth tokensAccess and refresh tokens from connected integrations
Server secretsThe VYBE_SERVER_SECRET assigned to each app
Once a secret is saved, it is stored only in its encrypted form. The plaintext value is never persisted to disk or logged.

Encryption in transit

All connections between your browser, Vybe services, and your deployed apps are encrypted using TLS/HTTPS:
  • Dashboard and editor — All interactions with the Vybe platform
  • Deployed apps — All traffic to *.vybe.build URLs
  • API calls — Communication between your app and Vybe services
  • Integration connections — OAuth flows and API calls to third-party services
  • Database connections — Encrypted by default; SSH tunneling available for additional security
Cookies use HttpOnly, Secure, and SameSite attributes. Cross-subdomain communication is protected with security headers.

Database encryption

Internal databases

Every organization receives an isolated Neon PostgreSQL project with:
  • Encryption at rest — Neon encrypts all stored data at the infrastructure level
  • Automatic backups — 7-day retention with point-in-time restore to millisecond precision
  • Project isolation — Complete data separation between organizations
The DATABASE_URL connection string for your app’s internal database is generated, encrypted, and injected automatically. You never need to configure it manually.

External databases

When you connect an external database (PostgreSQL, MySQL, Redshift), the connection credentials are encrypted with AES-256-GCM before storage:
  • Connection URLs — The full connection string including host, port, database, username, and password
  • SSH private keys — Keys used for tunneled connections to databases behind firewalls
At runtime, the decrypted connection string is used to execute queries and is never exposed in your app’s code. All external database queries are routed through Vybe’s security middleware, which enforces:
  • Parameterized queries — Prevents SQL injection attacks
  • Request validation — Sanitizes and validates all query parameters
  • Read-only enforcement — Optional mode that prevents accidental writes to production databases

Masked after creation

After you save a secret — whether it is a Custom API credential, a database URL, or an SSH key — it is masked in the UI and cannot be viewed again. You will see a placeholder like •••••••• instead of the actual value. If you need to change a secret, you replace it entirely with a new value. There is no way to retrieve the original.
Never hardcode secrets in your app’s source code. Always use the environment variables that Vybe provides. Hardcoded secrets in code are visible in the version history and to anyone with edit access to the app.

Server secret

Every app is assigned a unique server secret called VYBE_SERVER_SECRET. This secret authenticates server-to-server requests between your deployed app and Vybe APIs. How it works:
  • Automatically generated when you create an app
  • Injected as an environment variable (VYBE_SERVER_SECRET) at deployment time
  • Used by your app’s backend code when making API calls to Vybe services
  • Unique per app — it cannot be used to access resources from other apps
You do not need to create, manage, or rotate the server secret manually. Vybe handles it for you.

When the server secret is used

Your app uses the server secret when it needs to:
  • Fetch data from connected integrations
  • Run saved data queries
  • Access Vybe platform APIs
The server secret is included automatically in requests made through Vybe’s built-in helper functions. If you are making custom API calls to Vybe services, include it as a header: 
// Example: custom API call to a Vybe service
const response = await fetch('https://api.vybe.build/v1/data-queries/run', {
  method: 'POST',
  headers: {
    'Content-Type': 'application/json',
    'x-vybe-server-secret': process.env.VYBE_SERVER_SECRET!,
    'x-vybe-user-token': request.headers.get('x-vybe-user-token')!,
  },
  body: JSON.stringify({ queryId: 'monthly-revenue' }),
});

Environment variable injection

Secrets are injected into your app’s runtime environment during deployment. They are never:
  • Written to files on disk
  • Committed to your app’s code or version history
  • Stored in build artifacts
  • Visible in the app preview logs
At deployment time, Vybe securely injects the following environment variables:
VariablePurpose
VYBE_SERVER_SECRETAuthenticates your app to Vybe APIs
DATABASE_URLConnection string for your app’s built-in PostgreSQL database
Integration-specific variablesCredentials for connected services, as needed
Your app accesses these through process.env like any standard Node.js environment variable: 
const dbUrl = process.env.DATABASE_URL;
const serverSecret = process.env.VYBE_SERVER_SECRET;

Integration credentials

OAuth tokens and API keys for connected services (like Slack, Salesforce, or HubSpot) are managed through Vybe’s integration platform with multiple layers of protection:
  • Encrypted storage — Tokens are encrypted with AES-256-GCM before being stored
  • No client-side exposure — Auth tokens are never sent to the browser or exposed in client-side code
  • Automatic token refresh — OAuth tokens are refreshed automatically before they expire, with no intervention required
  • Secure provider — Credentials are managed through a dedicated secure integration provider
  • No direct access — Your app accesses integration data through Vybe’s APIs, which handle authentication on your behalf

Custom API credentials

When you create a Custom API in the Integrations page, the credentials you provide are encrypted and stored securely:
1

Create the custom API

Navigate to Integrations > Custom APIs and click Create Custom API.
2

Enter credentials

Provide the API name, authentication type, and credentials (API key, token, etc.).
3

Save

Once saved, the credentials are encrypted immediately. They appear masked in the UI and cannot be retrieved.
4

Use in your apps

When the AI builds an app that uses this Custom API, the credentials are injected securely at runtime. You reference them through the integration system, not by copying the values into your code.

Best practices

Never hardcode API keys, database URLs, or tokens in your source code. Always reference them through process.env or the Vybe integration system.
When connecting external production databases, enable read-only mode to prevent accidental writes. This is especially important for databases shared across your organization.
If you suspect a credential has been compromised, replace it immediately from the Integrations page. The old value is discarded and the new value is encrypted and deployed on your next deploy.
Set Custom API credentials to “You only” visibility unless the entire team needs access. This limits the blast radius if a credential is misused.
For databases behind firewalls or containing particularly sensitive data, use SSH tunneling to add an extra layer of security beyond TLS encryption.

What’s next