Trust practices

Security and data handling for embedded social publishing.

mypostshare is designed for SaaS teams that need hosted OAuth, social account connection, and publishing workflows. This page documents the practices currently used without claiming certifications that are not yet in place.

OAuth token handling

Social access tokens are stored server-side and used only for connected-account publishing and token-refresh workflows.

API key authentication

Customer API calls use bearer keys. Stored key records use prefixes and hashes so full secrets are not exposed after creation.
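One way a prefix-and-hash key record can work, as an added example that is not mypostshare's own code. The `sk_` key format, the 12-character prefix, SHA-256, the in-memory `KEY_STORE`, and all function names are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

PREFIX_LEN = 12   # assumed length of the non-secret lookup prefix
KEY_STORE = {}    # constructed stand-in for the key table: prefix -> record


def digest(full_key):
    # A plain SHA-256 is acceptable only because the key is 256 bits of
    # CSPRNG output; a human-chosen password would need a slow KDF instead.
    return hashlib.sha256(full_key.encode("utf-8")).hexdigest()


def create_key(org_id, app_id):
    """Mint a key, persist only prefix + hash, return the full secret once."""
    while True:
        full_key = "sk_" + secrets.token_urlsafe(32)
        prefix = full_key[:PREFIX_LEN]
        if prefix not in KEY_STORE:  # regenerate on the rare prefix collision
            break
    KEY_STORE[prefix] = {"org_id": org_id, "app_id": app_id,
                         "sha256": digest(full_key), "revoked": False}
    return full_key  # the only moment the full secret exists server-side


def revoke(prefix):
    """Revocation needs only the prefix, which is safe to show in a dashboard."""
    KEY_STORE[prefix]["revoked"] = True


def authenticate(authorization_header):
    """Return (org_id, app_id) for a valid bearer key, otherwise None."""
    parts = (authorization_header or "").split(None, 1)
    if len(parts) != 2 or parts[0].lower() != "bearer":
        return None
    presented = parts[1].strip()
    record = KEY_STORE.get(presented[:PREFIX_LEN])
    if record is None or record["revoked"]:
        return None
    # Constant-time comparison of the stored hash and the presented key's hash.
    if not hmac.compare_digest(digest(presented), record["sha256"]):
        return None
    return record["org_id"], record["app_id"]
```

A database dump of such records yields prefixes and hashes but no usable bearer key, and the tenant returned by `authenticate` is what later queries would be scoped to.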

Tenant boundaries

Organizations, apps, end users, connections, post requests, and audit logs are scoped to the authenticated organization and app.

Billing separation

Posting usage, credit ledger entries, checkout sessions, and subscription state are kept in dedicated billing records.

Operational visibility

Connect sessions, post requests, delivery outcomes, and audit events are available for support and debugging.

Hosted infrastructure

The API, worker, web app, database, and queue are deployable as separate services for clearer production operations.

Compliance status

No inflated trust claims.

This public trust page is intentionally practical: it lists current security and operational practices. It does not claim SOC 2, ISO 27001, HIPAA, or other third-party certifications until those audits are actually complete.

Current practices

Allowlisted redirect URLs for hosted OAuth return flows.

State-backed connect sessions for provider authorization callbacks.

Per-platform delivery records for published and failed post attempts.

Audit logging for customer-impacting management and publishing actions.

No public claim of SOC 2 certification on this page.