Security
Your panel API keys are encrypted before they touch our database, masked after you save them, and never visible to us in plaintext through any user interface or log.
Last updated 2026-05-11
What we store / What we don't
We store
Ciphertext of your API key. Panel URL and name. Current balance. Order history. Encrypted WooCommerce credentials. Optional Telegram bot token (encrypted).
We don't store
Plaintext API keys. Your panel password. Your WooCommerce admin password. Payment information (we don't take payment). Browsing data.
How encryption works
We use AES-256-GCM with a random 16-byte initialization vector per record. The master encryption key lives in our hosting provider's environment variables, kept separate from the database. When you paste a key, we encrypt it in the request handler and store only the ciphertext plus the last 4 characters for display.
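The scheme described above, sketched in Node.js as an added example; it is not PanelPilot's code. The environment variable name `PANEL_MASTER_KEY`, the record field names, and binding each ciphertext to a record id through GCM's additional authenticated data are assumptions.

```javascript
// Added example, not PanelPilot's code. Names and record layout are assumptions.
const crypto = require("node:crypto");

const IV_BYTES = 16; // the page states a random 16-byte IV per record

// Hypothetical variable name; the page only says the key lives in environment variables.
function loadMasterKey(env = process.env) {
  const key = Buffer.from(env.PANEL_MASTER_KEY || "", "base64");
  if (key.length !== 32) throw new Error("master key must be 32 bytes for AES-256");
  return key;
}

// Runs in the request handler; only the returned fields are persisted.
function encryptApiKey(masterKey, apiKey, recordId) {
  const iv = crypto.randomBytes(IV_BYTES); // fresh IV for every record
  const cipher = crypto.createCipheriv("aes-256-gcm", masterKey, iv);
  cipher.setAAD(Buffer.from(String(recordId))); // assumption: tie ciphertext to its row
  const ciphertext = Buffer.concat([cipher.update(apiKey, "utf8"), cipher.final()]);
  return {
    iv: iv.toString("base64"),
    ciphertext: ciphertext.toString("base64"),
    tag: cipher.getAuthTag().toString("base64"), // GCM integrity tag, stored with the row
    last4: apiKey.slice(-4), // the only plaintext kept, for masked display
  };
}

// Runs in the background job; throws if IV, ciphertext, tag or record id was altered.
function decryptApiKey(masterKey, record, recordId) {
  const decipher = crypto.createDecipheriv(
    "aes-256-gcm", masterKey, Buffer.from(record.iv, "base64"));
  decipher.setAAD(Buffer.from(String(recordId)));
  decipher.setAuthTag(Buffer.from(record.tag, "base64"));
  return Buffer.concat([
    decipher.update(Buffer.from(record.ciphertext, "base64")),
    decipher.final(),
  ]).toString("utf8");
}

// What the UI is allowed to show: a mask plus the stored last 4 characters.
function maskForDisplay(record) {
  return "****" + record.last4;
}
```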
The honest caveat
Could a determined operator with full server access decrypt your keys? Technically yes: background jobs need to decrypt every few minutes to submit your orders. We chose this trade-off so PanelPilot works while you sleep. Here's how we mitigate it: keys are never returned to the UI, never logged, masked everywhere, and the encryption key is stored separately from the database credentials.
What you can do
1. Create a sub-user on your SMM panel with 'place orders' permission only. Use that key with PanelPilot, not your admin login.
2. Store the key in a password manager like Bitwarden so you can rotate it from one place.
3. Rotate every 90 days using the Rotate button on the Panels page.
4. If you suspect compromise, use the Revoke button: your key is removed immediately and the panel is disabled.
Responsible disclosure
If you find a security issue, email security@panelpilot.app. We read every report and respond within 48 hours.