Credentials & Security
How Rankturn protects the API keys, tokens, and passwords you store for each integration, and what it never logs.
When you connect a publishing platform or analytics provider, Rankturn has to store something secret on your behalf — a WordPress application password, a Webflow API token, a Ghost Admin API key, a GitHub token, and so on. Those secrets are never kept as readable text. Each one is stored encrypted, and is only unlocked on our server at the moment a publish or sync actually runs. Here's what is protected and how it's handled.
How your secrets are stored
Every secret you enter is encrypted securely before it is saved. Even if someone could read the stored data directly, your keys and passwords would be unreadable.
Two things make this strong:
- Each secret is locked separately. Two connections that happen to use the same password don't look the same in storage, so you can't tell from the stored data that they match.
- The unlock key never leaves our server. The single key that can decrypt your secrets lives only in the server environment. It is never saved next to your data and is never sent to your browser.
Settings you can see vs. secrets you can't
Not everything you enter on a connection is a secret. Each connection stores ordinary settings and protected secrets side by side. For example, a Ghost connection keeps its site URL and chosen publish format as plain, readable text, right next to the encrypted Admin API key.
| Stored as plain text | Stored encrypted |
|---|---|
| Site / base URLs (e.g. Ghost URL, Webflow site, WordPress URL) | API keys |
| Format and behavior choices (e.g. publish format, sync settings) | Tokens |
| Display details shown back to you in the edit screen | Passwords / API secrets |
This is why a non-secret setting like a site URL shows up in the edit screen, while the API key field does not — the URL was never secret, so there's nothing to hide.
Reconnecting: reuse your saved key or enter a new one
When you open Settings → Integrations and edit a connection you already set up, you do not have to paste your API key or token again. Leave the secret field blank, and Rankturn keeps the secret you saved previously.
The rule is simple:
- Leave a secret field blank → your previously saved secret is kept exactly as it was.
- Type a new value into a secret field → the old secret is replaced with the new one.
A blank field never erases a saved secret — it means "keep what's there." Ordinary settings (URLs, format choices) are always taken fresh from the form when you save, so updating just your site URL is as easy as typing it and leaving the key field empty.
If a connection offers a "test" step, it can still verify your saved secret even when you left the key blank, because Rankturn unlocks the stored value on the server to run the test.
What is never logged
Encryption only matters if secrets don't leak through logs and error messages. Rankturn keeps them out of those paths:
- Secrets are only unlocked on the server, at the moment a publish or sync runs. They are held in memory just long enough to make the request to your platform, and are never written back anywhere.
- The unlock key is never logged or exposed. It is used in memory only, never saved to the database, and never sent to the browser.
- Secrets are never sent to your browser. The edit screen shows your ordinary settings (like your site URL), but secret fields are never pre-filled with the saved value — which is also why reconnecting works by leaving them blank.
- Connection errors don't echo your secret. When a platform rejects your credentials, the message tells you that sign-in failed, not the key itself.
One practical note: the unlock key is the single thing that protects everything, so it is deliberately kept out of the database and out of every log.
For where these secrets get used, see Integrations and the individual platform pages such as WordPress, Webflow, GitHub, Notion, and Ghost.