Security
API key management, encryption, webhook signatures, and audit logging.
Pipelime implements multiple layers of security to protect your data and communications.
API Key Management
Hashing
API keys are hashed with SHA-256 before storage. The full key is only shown once at creation time.
Scoping
Keys support two scopes:
| Scope | Access |
|---|---|
| full-access | Read and write on all resources |
| read-only | GET endpoints only |
Revocation
Revoke compromised keys immediately:
```bash
Pipelime api-key revoke <key-id>
```

Revoked keys are rejected on the next request.
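
The three behaviours above (hash-only storage, scope enforcement, revocation) as an added example, not Pipelime's own code: a hypothetical in-memory key store in Node.js. The `pl_` key prefix, the function names and the 401/403 status codes are assumptions made for illustration.

```javascript
// Added example: hypothetical in-memory key store, not Pipelime's implementation.
const crypto = require("node:crypto");

// Only the SHA-256 digest of a key is kept: digest (hex) -> { id, scope, revoked }
const keyStore = new Map();

const sha256Hex = (s) => crypto.createHash("sha256").update(s, "utf8").digest("hex");

// Create a key: the plaintext is returned once and never persisted.
function createApiKey(scope) {
  if (scope !== "full-access" && scope !== "read-only") {
    throw new Error(`unknown scope: ${scope}`);
  }
  const id = crypto.randomUUID();
  // 32 random bytes give a high-entropy secret, so a fast unsalted hash is adequate.
  // The "pl_" prefix is a constructed placeholder.
  const plaintext = "pl_" + crypto.randomBytes(32).toString("base64url");
  keyStore.set(sha256Hex(plaintext), { id, scope, revoked: false });
  return { id, plaintext };
}

// Mark a key as revoked by its id; returns false if the id is unknown.
function revokeApiKey(id) {
  for (const rec of keyStore.values()) {
    if (rec.id === id) {
      rec.revoked = true;
      return true;
    }
  }
  return false;
}

// Authorize one request: hash the presented key, look it up, then apply
// revocation and scope checks. Status codes are assumed, not from the page.
function authorize(presentedKey, method) {
  const rec = keyStore.get(sha256Hex(String(presentedKey ?? "")));
  if (!rec) return { status: 401, reason: "unknown key" };
  if (rec.revoked) return { status: 401, reason: "revoked key" };
  if (rec.scope === "read-only" && method.toUpperCase() !== "GET") {
    return { status: 403, reason: "read-only key" };
  }
  return { status: 200, reason: "ok" };
}
```

Because the store holds only digests, a leaked copy of it does not yield usable keys, and revocation takes effect on the next call to `authorize`.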
OAuth Token Encryption
Gmail OAuth refresh tokens are encrypted at rest using AES-256-GCM. The encryption key is derived from a server-side secret and is never exposed.
Webhook HMAC Signatures
All webhook deliveries are signed with HMAC-SHA256. Verify signatures to ensure payloads are authentic:
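```javascript
import crypto from "crypto";
// rawBody: the unparsed request body; signature: the signature value sent with the delivery
const expected = crypto
  .createHmac("sha256", webhookSecret)
  .update(rawBody)
  .digest("hex");
// Compare in constant time; timingSafeEqual throws on unequal lengths, so check length first
const received = Buffer.from(signature ?? "");
const wanted = Buffer.from(`sha256=${expected}`);
const isValid = received.length === wanted.length && crypto.timingSafeEqual(received, wanted);
```

See the Webhooks Guide for full implementation details.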
Rate Limiting
| Authentication | Limit |
|---|---|
| API Key | 100 requests/minute |
| Session | 200 requests/minute |
Rate limit headers are included in every response. See Authentication for details.
Audit Logging
Pipelime logs all significant actions:
- API key creation and revocation
- Campaign lifecycle changes (create, start, pause)
- Contact data modifications
- Email account connections and disconnections
- Webhook configuration changes
- Organization settings updates
Audit logs are accessible in Settings → Audit Log and via the API.
