Security

All traffic between your browser and outlay is encrypted over HTTPS/TLS.

Passwords are hashed (never stored in plain text). You can also sign in with Google.

New accounts verify ownership of their email with a one-time code, and password resets require a code sent to your email.

Sessions use signed tokens (JWT).

Data is stored on Convex's managed backend. Every request is authorized on the server so that you can only ever read or change your own subscriptions.

If you believe you've found a security issue, please report it privately via vorlos.eu so it can be addressed before public disclosure.