Skip to content

Security

Email hosting means holding things that matter: your messages, your passwords, and API keys for your domain registrar. Here’s concretely how Faivelo protects them — no hand-waving.

Encryption at rest

Registrar API keys (the Cloudflare, GoDaddy, Namecheap, or Route 53 credentials you provide for automatic DNS setup) are encrypted with AES-256-GCM before they’re stored. They’re decrypted only at the moment Faivelo talks to your registrar, and they’re never shown back to you in the dashboard.

Mailbox passwords are also AES-256-GCM encrypted at rest. They have to be encrypted rather than hashed because the mail server needs the real password to authenticate your email apps — which is why Faivelo shows a mailbox password exactly once, at creation. After that, nobody can read it out of the dashboard, including you. If it’s lost, you reset it; you don’t recover it.

Your account email address is encrypted at rest as well, with a separate keyed hash used for login lookups — so even the address you sign in with isn’t sitting in the database as plain text.

Your account password

Your Faivelo login password is hashed with bcrypt (12 rounds), never encrypted and never stored in a recoverable form. Faivelo cannot read it, and a database leak would not reveal it. Password resets always issue a new one — there is no “email me my password.”

Sessions

Signing in issues a signed session token stored in an httpOnly cookie. “httpOnly” means the browser withholds it from any JavaScript running on the page, so a script injected into your browser can’t steal your session. The cookie is scoped to Faivelo and expires on its own.

API keys

Developer API keys are shown once at creation, then only an HMAC-SHA256 hash is stored — Faivelo can verify a key but can never display it again. Keys support:

  • Scopes — a key gets only the permissions you grant it.
  • Mailbox restriction — a key can be limited to specific mailboxes instead of your whole account, which is the right setup for AI agents and third-party tools.
  • Expiry and revocation — set an expiry date, see when each key was last used, and revoke any key instantly from Settings → API keys. A revoked key stops working immediately.

If a tool or agent you connected no longer needs access, revoke its key. That’s the whole off-switch.

Connected apps

Apps you connect with OAuth — like Claude via the MCP connector — never see a long-lived key at all. They get short-lived access tokens (about an hour) that rotate automatically, scoped to exactly the mailboxes you picked on the consent screen. Every connection is listed under Settings → Connected apps, and disconnecting one instantly revokes all of its tokens.

Audit log

Faivelo keeps a per-account audit log of significant actions — what was done, to what, from which IP address, and when. If something looks off in your account, there’s a trail to check rather than guesswork.

What you should do on your end

Security is shared. The short list:

  1. Use a strong, unique password for your Faivelo account — it’s the key to everything else.
  2. Save mailbox passwords in a password manager when they’re shown at creation; they won’t be shown again.
  3. Give API keys the narrowest scope that works, and revoke keys you no longer use.
  4. Use registrar API tokens with limited permissions where your registrar supports it (for example, a Cloudflare token scoped to DNS on one zone), rather than a global account key.

Next steps