Security

Rotate your API keys regularly, especially if you suspect a key has been compromised:

1. Generate a new key in Settings → API Keys
2. Update your environment variables with the new key
3. Deploy your application with the new key
4. Verify the new key works correctly
5. Revoke the old key from the dashboard

We recommend rotating keys every 90 days as a security best practice.

Always verify webhook signatures to ensure requests originate from Mailpipe:

import crypto from 'crypto';

function verifyWebhookSignature(
  payload: string,
  signature: string,
  secret: string
): boolean {
  const expected = crypto
    .createHmac('sha256', secret)
    .update(payload)
    .digest('hex');

  return crypto.timingSafeEqual(
    Buffer.from(signature),
    Buffer.from(expected)
  );
}

// In your webhook handler:
app.post('/webhooks/mailpipe', (req, res) => {
  const signature = req.headers['x-mailpipe-signature'];
  const isValid = verifyWebhookSignature(
    JSON.stringify(req.body),
    signature,
    process.env.MAILPIPE_WEBHOOK_SECRET
  );

  if (!isValid) {
    return res.status(401).json({ error: 'Invalid signature' });
  }

  // Process the webhook...
});

• check_circleTLS 1.2+ — All API connections require TLS. HTTP requests are rejected.
• check_circleAt-rest encryption — API keys are hashed with SHA-256 before storage. Email content is encrypted at rest in Supabase.
• check_circleProvider credentials — Email provider API keys (Resend, Postmark, etc.) are encrypted with AES-256 before storage.
• check_circleDKIM signing — All outbound email is DKIM-signed for authentication and integrity.

• check_circleEmail data is stored in your organization's isolated Supabase schema
• check_circleRow-level security ensures users only access their organization's data
• check_circleWe never read or analyze your email content
• check_circleYou can delete all data at any time from Settings