Skip to main content
Your apps depend on sensitive credentials — API keys, database connection strings, OAuth tokens, and more. Vybe encrypts all of these at rest and provides a secure pipeline for injecting them into your app at deployment time, so secrets never appear in your code or version history.

Encryption at rest

All sensitive values are encrypted using AES-256-GCM before they are stored in the database. This is an additional encryption layer on top of the base database encryption provided by Neon.
Secret typeExamples
Custom API credentialsAPI keys, Bearer tokens, basic auth passwords
Database connection stringsPostgreSQL URLs, MySQL URLs, Redshift URLs
SSH private keysKeys used for tunneled database connections
OAuth tokensAccess and refresh tokens from connected integrations
Once a secret is saved, it is stored only in its encrypted form. The plaintext value is never persisted to disk or logged.

Encryption in transit

All connections between your browser, Vybe services, and your deployed apps are encrypted using TLS/HTTPS:
  • Dashboard and editor — All interactions with the Vybe platform
  • Deployed apps — All traffic to *.vybe.build URLs
  • API calls — Communication between your app and Vybe services
  • Integration connections — OAuth flows and API calls to third-party services
  • Database connections — Encrypted by default; SSH tunneling available for additional security
Cookies use HttpOnly, Secure, and SameSite attributes. Cross-subdomain communication is protected with security headers.

Database encryption

Internal databases

Every organization receives an isolated Neon PostgreSQL project with:
  • Encryption at rest — Neon encrypts all stored data at the infrastructure level
  • Automatic backups — 7-day retention with point-in-time restore to millisecond precision
  • Project isolation — Complete data separation between organizations
The DATABASE_URL connection string for your app’s internal database is generated, encrypted, and injected automatically. You never need to configure it manually.

External databases

When you connect an external database (PostgreSQL, MySQL, Redshift), the connection credentials are encrypted with AES-256-GCM before storage:
  • Connection URLs — The full connection string including host, port, database, username, and password
  • SSH private keys — Keys used for tunneled connections to databases behind firewalls
At runtime, the decrypted connection string is used to execute queries and is never exposed in your app’s code. All external database queries are routed through Vybe’s security middleware, which enforces:
  • Parameterized queries — Prevents SQL injection attacks
  • Request validation — Sanitizes and validates all query parameters
  • Read-only enforcement — Optional mode that prevents accidental writes to production databases

Masked after creation

After you save a secret — whether it is a Custom API credential, a database URL, or an SSH key — it is masked in the UI and cannot be viewed again. You will see a placeholder like •••••••• instead of the actual value. If you need to change a secret, you replace it entirely with a new value. There is no way to retrieve the original.
Never hardcode secrets in your app’s source code. Hardcoded secrets in code are visible in the version history and to anyone with edit access to the app.

Integration credentials

OAuth tokens and API keys for connected services (like Slack, Salesforce, or HubSpot) are managed through Vybe’s integration platform with multiple layers of protection:
  • Encrypted storage — Tokens are encrypted with AES-256-GCM before being stored
  • No client-side exposure — Auth tokens are never sent to the browser or exposed in client-side code
  • Automatic token refresh — OAuth tokens are refreshed automatically before they expire, with no intervention required
  • Secure provider — Credentials are managed through a dedicated secure integration provider
  • No direct access — Your app accesses integration data through Vybe’s APIs, which handle authentication on your behalf

Custom API credentials

When you create a Custom API in the Integrations page, the credentials you provide are encrypted and stored securely:
1

Create the custom API

Navigate to Integrations > Custom APIs and click Create Custom API.
2

Enter credentials

Provide the API name, authentication type, and credentials (API key, token, etc.).
3

Save

Once saved, the credentials are encrypted immediately. They appear masked in the UI and cannot be retrieved.
4

Use in your apps

When the AI builds an app that uses this Custom API, the credentials are injected securely at runtime. You reference them through the integration system, not by copying the values into your code.

Best practices

When connecting external production databases, enable read-only mode to prevent accidental writes. This is especially important for databases shared across your organization.
If you suspect a credential has been compromised, replace it immediately from the Integrations page. The old value is discarded and the new value is encrypted and deployed on your next deploy.
Set Custom API credentials to “You only” visibility unless the entire team needs access. This limits the blast radius if a credential is misused.
For databases behind firewalls or containing particularly sensitive data, use SSH tunneling to add an extra layer of security beyond TLS encryption.

What’s next