YOUR KEY.
YOUR DATA.
Moosermail is designed so that nobody -- not even us -- can read your Resend API key or access your emails without your credentials.
ENCRYPTION AT REST
AES-256-GCM
Your Resend API key is encrypted with AES-256-GCM before it touches the database. Each key gets a unique initialization vector (IV) and authentication tag. The encryption key exists only in the container's runtime environment -- never on disk, never in the database, never in logs.
Even with full database access, the raw key is unrecoverable without the ENCRYPTION_KEY environment variable.
AUTHENTICATION
BCRYPT + JWT
Passwords are hashed with bcrypt at 12 rounds. Session tokens are JWTs signed with HS256 and expire in 24 hours. Cookies are httpOnly, secure, sameSite=lax.
PERSISTENT API KEYS
API keys (mk_...) are SHA-256 hashed before storage. The raw key is shown exactly once at creation and never stored. Keys support configurable expiry: never, 7 days, 30 days, 90 days, 6 months, or 1 year.
INFRASTRUCTURE
- Self-hosted Postgres on a dedicated VPS (DigitalOcean)
- All containers run as non-root users
- Read-only filesystems with tmpfs for writable directories
- No-new-privileges security option on every container
- Memory and CPU limits on every container
- Postgres on an internal-only Docker network -- no external access
- No port exposure for the database -- containers only
- Nginx with TLS 1.2+, HSTS preload, strict CSP headers
- Rate limiting: 10 req/min on API routes, 60 req/min on web
WEBHOOK VERIFICATION
PER-USER WEBHOOK URLS
Every user gets a unique webhook endpoint, so an incoming event is attributed to its owner by URL rather than by guesswork. Optional Resend signing secret verification via svix -- if set, every payload is cryptographically verified.
DATA ISOLATION
- Every database query is parameterized (no SQL injection vectors)
- Every API route verifies resource ownership before returning data
- User A cannot access User B's emails, templates, triggers, or contacts
- Team access is role-based: owner, admin, member with granular permissions
- No user enumeration on signup (duplicate emails return 201 silently)
- Generic error messages on 500s -- internal details logged server-side only
WHAT WE DON'T DO
- We don't store your Resend API key in plain text. Ever.
- We don't read your emails. The MCP server decrypts your key per-request and never caches it.
- We don't sell data. There's no analytics, no tracking pixels, no third-party scripts on the app.
- We don't have a "god mode." There's no admin panel that lets us log in as you.
The CLI is open source on GitHub. The web app is proprietary.