Connected account security
How PostRelay protects your tokens and API access
Some publishing platforms use OAuth, while others ask for an API key, token, or app password. PostRelay treats all of those as secrets and handles them on the server with encrypted storage.
Server-side verification
When a platform asks for a token, API key, or app password, the credential is sent straight to PostRelay's server routes, which verify it against the provider; it is not kept in browser storage.
Encrypted before database write
Stored access and refresh tokens are encrypted with application-layer AES-256-GCM before they are written to the database.
Key kept outside the database
The encryption key lives in the server environment, not in PostgreSQL, so a database dump alone is not enough to recover plaintext tokens. An attacker who compromises the application server itself would have both the key and the ciphertext, which is why access to that environment is kept tightly scoped.
Used only for publishing workflows
Stored tokens are used only for the publishing actions described below. For providers that support refresh, PostRelay refreshes tokens server-side only when needed so scheduled publishing can keep working.
What We Store
Only the credentials needed to publish on your behalf
API key providers such as Hashnode, DEV.to, and legacy Medium require a token you generate inside that platform.
Bluesky uses an app password only to create a session. PostRelay stores the returned session tokens instead of your main account password.
OAuth providers such as LinkedIn, Reddit, Threads, and Mastodon return tokens after you approve access on the provider side.
How We Use It
Only for connected-account actions you expect
Verify that the credential belongs to the right account
Load publish targets such as blogs or publications when the provider supports them
Publish or schedule content that you explicitly send through PostRelay
Refresh expiring tokens for providers that support refresh flows
PostRelay does not need your main account password for providers that offer app passwords or OAuth, and stored credentials are never displayed again in the dashboard after you connect them.
Your Control
You can rotate, revoke, or disconnect at any time
Disconnect the account in workspace settings to stop future use from PostRelay.
Revoke or rotate the token from the platform itself whenever you want a fresh credential.
Prefer dedicated app passwords or integration-specific tokens where a provider offers them.
For broader details on data handling, read the Privacy Policy.