Your accounts. Your keys. Your call.

How credentials are protected

Connecting a source means trusting tokenkarma with a credential: an API key, or a token tied to a subscription. That trust is the whole product, so the handling is strict and the same for every secret, on every plan.

• Credentials are encrypted at rest with AES-256-GCM, with a unique IV per secret. No secret is ever stored in clear text.
• Decryption is transient: a secret is decrypted only for the duration of a collection run, then discarded from memory. Decrypted values are never written to logs, error reports or analytics.
• API keys are used for exactly one thing: reading usage and cost data from your providers. tokenkarma never writes to your provider accounts and never sends requests on your behalf.
• In the interface, secrets are always shown masked: the last 4 characters, nothing more. There is no "reveal" button, by design.

Where your data lives

tokenkarma runs on Cloudflare infrastructure in the EU region, and payment processing is handled by Stripe in the EU. The privacy policy lists every subprocessor and exactly what each one sees. There are no resellers and no data brokers in the chain.

Revoking access, step by step

Removing tokenkarma's access to a provider takes one click and is designed to leave nothing behind:

• Open your dashboard, go to the source you want to disconnect, and revoke the credential.
• The revocation is a hard delete, effective immediately. Collection for that source stops at once; there is no grace period and no soft-delete limbo.
• Device tokens are read-only and revocable one by one, so you can cut off a single machine without touching the rest of your setup.
• For defense in depth, you can also rotate or revoke the key on the provider's side; tokenkarma will simply stop collecting and tell you the source is unreachable.

Sessions and sign-in

Sign in with Google, GitHub or a 6-digit email code. tokenkarma stores zero passwords: there is no password database to breach, and nothing to reuse. Your active sessions are listed in your account with their device and age, and you can terminate any of them yourself, instantly, without contacting support.

Your data, your rights

• Export everything we hold about you, self-service (GDPR art. 15). One click, a complete machine-readable archive.
• Erase everything we hold about you, self-service (GDPR art. 17). No email thread, no retention tricks, no "we will process your request within 30 days".
• Delete your account entirely, yourself. Erasure and deletion are buttons, not support tickets.

Details on what is collected, why, and where it lives: privacy policy.

Reporting a vulnerability

If you believe you have found a security issue in tokenkarma, write to [email protected]. Reports are read by the founder and answered. Please include enough detail to reproduce the issue.