Security
Credential Encryption
Your App Store Connect and Google Play credentials are encrypted before storage. ReviewTower cannot read them in plaintext.
How encryption works
When you save credentials in ReviewTower, they are encrypted using AES-256-GCM before being written to the database. The encryption key is stored separately from the encrypted data — it is never co-located with the credentials in the database.
Decryption happens only at runtime, inside the API route handler, at the moment a sync job needs to authenticate with Apple or Google. The decrypted credential is held in memory just long enough to complete the API call and is never written to a log or secondary storage.
What we store
| Field | Stored as |
|---|---|
| App Store Connect private key (.p8) | AES-256-GCM ciphertext |
| App Store Connect Key ID | Plaintext (non-secret identifier) |
| App Store Connect Issuer ID | Plaintext (non-secret identifier) |
| Google Play service account JSON | AES-256-GCM ciphertext |
Key management
The encryption key is loaded from an environment variable (CREDENTIAL_ENCRYPTION_KEY) at server startup. It is never persisted to the database or included in source code. In production, it is injected as a secret by the hosting environment.
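The scheme described under "How encryption works" and "Key management", sketched in Node.js as an added example; this is not ReviewTower's code. The base64 key encoding, the nonce/tag/ciphertext envelope layout, the use of the field name as associated data, and all function and field names are assumptions made for illustration.

```javascript
// Added example, not ReviewTower's code. Envelope layout and helper names are assumptions.
const crypto = require("node:crypto");

const IV_LEN = 12;  // 96-bit nonce, the recommended size for GCM
const TAG_LEN = 16; // 128-bit authentication tag

// Load the key once at startup; fail closed unless it decodes to exactly 32 bytes.
function loadKey(env = process.env) {
  const raw = env.CREDENTIAL_ENCRYPTION_KEY;
  if (!raw) throw new Error("CREDENTIAL_ENCRYPTION_KEY is not set");
  const key = Buffer.from(raw, "base64"); // assumption: key is base64-encoded
  if (key.length !== 32) throw new Error("AES-256 requires a 32-byte key");
  return key;
}

// Encrypt one credential. `field` (e.g. "asc_p8") is bound as AAD so ciphertext
// copied into a different column fails authentication.
function encryptCredential(key, field, plaintext) {
  const iv = crypto.randomBytes(IV_LEN); // fresh nonce per encryption, never reused
  const cipher = crypto.createCipheriv("aes-256-gcm", key, iv, { authTagLength: TAG_LEN });
  cipher.setAAD(Buffer.from(field, "utf8"));
  const ct = Buffer.concat([cipher.update(plaintext, "utf8"), cipher.final()]);
  return Buffer.concat([iv, cipher.getAuthTag(), ct]).toString("base64");
}

// Decrypt at the point of use. Throws if key, field, nonce, tag or ciphertext is wrong.
function decryptCredential(key, field, envelope) {
  const buf = Buffer.from(envelope, "base64");
  if (buf.length < IV_LEN + TAG_LEN) throw new Error("envelope too short");
  const iv = buf.subarray(0, IV_LEN);
  const tag = buf.subarray(IV_LEN, IV_LEN + TAG_LEN);
  const ct = buf.subarray(IV_LEN + TAG_LEN);
  const decipher = crypto.createDecipheriv("aes-256-gcm", key, iv, { authTagLength: TAG_LEN });
  decipher.setAAD(Buffer.from(field, "utf8"));
  decipher.setAuthTag(tag);
  return Buffer.concat([decipher.update(ct), decipher.final()]).toString("utf8");
}

// Constructed demo: throwaway key and a fake .p8 body.
function demo() {
  const key = loadKey({ CREDENTIAL_ENCRYPTION_KEY: crypto.randomBytes(32).toString("base64") });
  const secret = "-----BEGIN PRIVATE KEY-----\nCONSTRUCTED-SAMPLE\n-----END PRIVATE KEY-----";
  const stored = encryptCredential(key, "asc_p8", secret);
  const tampered = Buffer.from(stored, "base64");
  tampered[tampered.length - 1] ^= 0x01; // flip one ciphertext bit
  let rejected = false;
  try { decryptCredential(key, "asc_p8", tampered.toString("base64")); } catch { rejected = true; }
  return { roundTrip: decryptCredential(key, "asc_p8", stored) === secret, rejected };
}
```

Because GCM is authenticated, a modified row or a ciphertext moved to another field fails decryption outright instead of yielding corrupted plaintext.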
Recommendations
- Create a dedicated App Store Connect API key for ReviewTower with the minimum required role (Customer Support). Do not reuse keys across services.
- Use a dedicated Google Play service account with only the permissions ReviewTower requires. Revoke it immediately if you stop using ReviewTower.