Plain answers about how your account and your BlueSky credentials are protected. Everything on this page is exactly how it works — no security theater.
ONYX uses a BlueSky app password — not your real password. You create it in BlueSky settings, it can't change your password or email, and you can revoke it any time with one click. We encrypt it with AES-256-GCM and never log it.
Your BlueSky app password is encrypted with AES-256-GCM before it touches the database. The encryption key lives separately on the backend as an environment variable — it is never stored next to the data it protects.
Your ONYX account password is hashed with bcrypt, a deliberately slow, salted hash. We can't read it or recover it, and anyone who somehow got the database would hold only hashes that cost a full bcrypt computation per guess to attack, so only a weak password is at any real risk. Sessions use JWT tokens with a built-in expiry, so a leaked token dies on its own.
All payments run through Stripe. Your card number goes to Stripe directly — it never passes through or gets stored on ONYX servers. We never see it.
Every connection to ONYX — the site, the API, and our calls to BlueSky — runs over HTTPS/TLS. No plaintext traffic, ever.
Want a second lock on your account? Turn on two-factor authentication in Settings. It uses any standard authenticator app (Google Authenticator, Authy, 1Password) plus one-time backup codes for when your phone isn't handy. Off by default — yours to enable.
The site runs on Vercel, the API on Render, the database is Postgres on Supabase, and job queues run on Upstash Redis. All established providers with their own security programs — we name them so you can check.
Want out? Email support@onyxhq.us and your account and all associated data get deleted. Deletions are permanent. Revoking your app password in BlueSky settings cuts ONYX off instantly, any time.
ONYX is built solo and doesn't hold a SOC 2 certificate or run a formal audit program — small products that claim those things are usually lying. What you get instead is the short, true list above and a direct line to the person who wrote the code. Found a vulnerability? Email support@onyxhq.us and it gets fixed fast.