Security & Trust

Practical security, built into the workflow.

Security is part of how the Optomus workflow operates: protecting your accounts, your content, and every platform you connect.

OAuth 2.0: Scoped social connections

TLS 1.2+: Encrypted in transit

Platform rules: Official API workflows only

Zero-password: No social passwords stored

How it works

Security at every step

From sign-in to publishing, here's exactly how we protect your data and connected platforms.

01. You sign in

JWT tokens are issued on login — short-lived access tokens plus rotating refresh tokens. Your password is hashed and never stored in plain text.

02. Connect your platforms

OAuth 2.0 flows take you directly to each platform's own login page. We receive a scoped token — never your credentials. You can revoke it any time.

03. Create & publish

Every API call is authenticated and rate-limited. Publishing actions are logged with timestamps. Platform tokens are encrypted at rest.

04. Your data stays yours

We collect only what's needed to run the service. No data sold, no ad tracking inside the app. Export or delete your account at any time.

Authentication & Access

Every login, session, and permission is treated as a potential attack surface.

JWT-Based Authentication

Short-lived access tokens (15 min) plus secure refresh token rotation (30 days). Stolen tokens expire fast and are invalidated on logout.

Email Verification

Every account requires email verification before accessing the platform — preventing unauthorized signups and protecting your workspace from the start.

Role-Based Access Control

Granular team permissions let brand owners control exactly who can create, edit, approve, and publish content — nothing more.

Session Management

Active sessions are tracked and can be revoked from any device. Logging out invalidates all tokens — no ghost sessions.
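The token lifecycle described under JWT-Based Authentication and Session Management (15-minute access tokens, 30-day rotating refresh tokens, logout invalidating everything) can be made concrete with a small server-side model. The code below is an added illustration written for this page, not Optomus's own implementation; the signing key, the claim names (`sid`, `jti`, `typ`) and the in-memory session store are assumptions, and the JWT encoding is a minimal HS256 implementation on the standard library so the example runs without third-party packages.

```python
import base64
import hashlib
import hmac
import json
import secrets
from typing import Dict, Optional, Set, Tuple

# Constructed for this example; a real deployment keeps the key in a secret store.
SIGNING_KEY = b"example-only-hs256-signing-key"
ACCESS_TTL = 15 * 60              # 15 minutes, as stated on the page
REFRESH_TTL = 30 * 24 * 60 * 60   # 30 days, as stated on the page


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign(claims: dict) -> str:
    """Encode claims as a compact HS256 JWT: header.payload.signature."""
    header = _b64url(b'{"alg":"HS256","typ":"JWT"}')
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    mac = hmac.new(SIGNING_KEY, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(mac)}"


def verify(token: str, now: float) -> Optional[dict]:
    """Return the claims if the MAC is valid and `exp` is still in the future, else None."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header, payload, sig = parts
    expected = hmac.new(SIGNING_KEY, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    try:
        if not hmac.compare_digest(expected, _unb64url(sig)):
            return None
        claims = json.loads(_unb64url(payload))
    except ValueError:            # bad base64 or bad JSON
        return None
    if claims.get("exp", 0) <= now:
        return None
    return claims


class SessionStore:
    """Server-side state that makes rotation and logout enforceable (assumed design).

    A login opens a session. Each refresh rotates the refresh token and retires the
    previous one; presenting a retired refresh token means it was copied, so the whole
    session is revoked. Logout revokes the session, which also rejects any not-yet-expired
    access token that belongs to it."""

    def __init__(self) -> None:
        self.live_refresh: Dict[str, str] = {}   # session id -> the only valid refresh jti
        self.revoked: Set[str] = set()           # session ids that must be rejected

    def login(self, user_id: str, now: float) -> Tuple[str, str]:
        return self._issue(user_id, secrets.token_urlsafe(16), now)

    def _issue(self, user_id: str, sid: str, now: float) -> Tuple[str, str]:
        jti = secrets.token_urlsafe(16)
        self.live_refresh[sid] = jti
        access = sign({"sub": user_id, "sid": sid, "typ": "access", "exp": now + ACCESS_TTL})
        refresh = sign({"sub": user_id, "sid": sid, "typ": "refresh", "jti": jti,
                        "exp": now + REFRESH_TTL})
        return access, refresh

    def check_access(self, token: str, now: float) -> Optional[str]:
        """Return the user id behind a valid, unrevoked access token, else None."""
        claims = verify(token, now)
        if not claims or claims.get("typ") != "access" or claims["sid"] in self.revoked:
            return None
        return claims["sub"]

    def rotate(self, refresh: str, now: float) -> Optional[Tuple[str, str]]:
        """Exchange a refresh token for a fresh pair; the presented token is retired."""
        claims = verify(refresh, now)
        if not claims or claims.get("typ") != "refresh" or claims["sid"] in self.revoked:
            return None
        sid = claims["sid"]
        if self.live_refresh.get(sid) != claims["jti"]:
            self.revoked.add(sid)                 # replay of a retired refresh token
            self.live_refresh.pop(sid, None)
            return None
        return self._issue(claims["sub"], sid, now)

    def logout(self, token: str, now: float) -> bool:
        """Revoke the session behind an access or refresh token; no ghost sessions remain."""
        claims = verify(token, now)
        if not claims:
            return False
        self.revoked.add(claims["sid"])
        self.live_refresh.pop(claims["sid"], None)
        return True
```

The revocation set is what turns "logging out invalidates all tokens" from a promise into a check: a stateless JWT alone cannot be recalled before its `exp`, so the access-token path consults the session's revoked state on every request, and the 15-minute lifetime bounds how long a copied token is useful even if that check were missed.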

Data Protection

Your content, credentials, and platform tokens are protected end-to-end.

Encrypted at Rest & in Transit

All data is encrypted in transit with TLS 1.2+. Sensitive credentials and OAuth tokens are encrypted at rest — never stored in plain text.

OAuth 2.0 Platform Connections

We never store your social media passwords. LinkedIn, Meta, X, and TikTok connect via official OAuth 2.0 flows with scoped, minimum-required permissions.

Minimal Data Collection

We collect only what we need to deliver the service. No selling data, no third-party ad tracking inside the app, no surprise integrations.

Token Revocation

Disconnect any connected platform instantly from your settings. This immediately revokes our access — no support ticket, no delay.

Operations & Reliability

Monitoring, limits, and logging keep the platform safe and accountable.

Rate Limiting & Abuse Prevention

All API endpoints are rate-limited to prevent brute-force and abuse. Failed auth attempts trigger progressive delays.
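Two mechanisms are named above: a per-endpoint rate limit and progressive delays after failed sign-ins. The following is an added example for this page, not Optomus's code; the thresholds (two free failures, a 1-second delay doubling to a 5-minute cap, a 15-minute memory window, bucket sizes) are assumptions chosen to illustrate the behaviour, and a token bucket is used for the general limit because it is the usual choice for API throttling.

```python
from collections import defaultdict
from typing import Dict, List, Tuple

# Policy values are assumptions for this example; the page states only that endpoints
# are rate-limited and that failed sign-in attempts are delayed progressively.
FREE_FAILURES = 2        # failures tolerated before any delay applies
BASE_DELAY = 1.0         # seconds after the first counted failure, doubling thereafter
MAX_DELAY = 300.0        # cap so a legitimate user is never locked out indefinitely
FAILURE_WINDOW = 900.0   # failures older than 15 minutes are forgotten


class TokenBucket:
    """Per-key token bucket: `capacity` requests in a burst, refilled at `rate` per second."""

    def __init__(self, capacity: int, rate: float) -> None:
        self.capacity = capacity
        self.rate = rate
        self._state: Dict[str, Tuple[float, float]] = {}  # key -> (tokens, last_seen)

    def allow(self, key: str, now: float) -> bool:
        tokens, last = self._state.get(key, (float(self.capacity), now))
        tokens = min(float(self.capacity), tokens + (now - last) * self.rate)
        if tokens < 1.0:
            self._state[key] = (tokens, now)
            return False                   # caller answers 429 with a Retry-After header
        self._state[key] = (tokens - 1.0, now)
        return True


class AuthThrottle:
    """Progressive delay for failed sign-ins, keyed by account (or account plus client IP)."""

    def __init__(self) -> None:
        self._failures: Dict[str, List[float]] = defaultdict(list)

    def _recent(self, key: str, now: float) -> List[float]:
        kept = [t for t in self._failures[key] if now - t < FAILURE_WINDOW]
        self._failures[key] = kept
        return kept

    def required_wait(self, key: str, now: float) -> float:
        """Seconds the caller must still wait before another attempt is evaluated."""
        recent = self._recent(key, now)
        over = len(recent) - FREE_FAILURES
        if over <= 0:
            return 0.0
        delay = min(BASE_DELAY * 2 ** (over - 1), MAX_DELAY)   # 1s, 2s, 4s, ... up to the cap
        return max(0.0, recent[-1] + delay - now)

    def attempt(self, key: str, credentials_ok: bool, now: float) -> Tuple[bool, float]:
        """Returns (signed_in, retry_after_seconds).

        While a delay is pending the attempt is refused without evaluating the
        credentials, so a correct guess inside the window gains nothing."""
        wait = self.required_wait(key, now)
        if wait > 0:
            return False, wait
        if credentials_ok:
            self._failures.pop(key, None)      # success clears the failure history
            return True, 0.0
        self._failures[key].append(now)
        return False, self.required_wait(key, now)
```

Refusing the attempt before checking the password is the detail worth copying: if the throttle only slowed down wrong guesses, an attacker who hit the right password during the delay would still get in. Returning the remaining wait lets the API surface it as `Retry-After` so legitimate clients back off instead of retrying blindly.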

Infrastructure Security

Production systems run in isolated environments. Dependencies are regularly audited and updated. No direct database access from the public internet.

Audit Logging

All publishing, permission changes, and connection events are logged with timestamps and request IDs — giving you a full audit trail.

Compliance

Platform compliance

Optomus integrates with social platforms through their official APIs and adheres to each platform's terms of service and rate limits.

We request only the minimum required permissions for each platform connection. You can revoke access at any time from your connections settings — no support ticket needed.

For details on how we handle your data, review our Privacy Policy and Terms of Service.

Security questions

Common questions about how we protect your account and data.

Do you store my social media passwords?

Never. All platform connections use OAuth 2.0 — you log in directly on each platform's own page and we receive a scoped access token. Your credentials never touch our servers.

Can I revoke Optomus's access to a platform?

Yes, at any time. Disconnect any platform from your connections settings and we immediately stop using that token. You can also revoke access from within each platform's own security settings.

What permissions do you request?

Only the minimum required to publish and read analytics. We request read/write for content, read-only for insights, and nothing more. The exact scopes are listed during the connection flow.
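The OAuth 2.0 Platform Connections section and the two answers above describe a scoped authorization-code flow: the user authorizes on the platform's own page, the app asks only for what publishing and analytics need, and the scopes are visible in the flow. The code below is an added example for this page, not Optomus's connection code and not any real platform's API: the authorization endpoint, client id, redirect URI and scope names are placeholders, and the PKCE challenge is an addition beyond what the page states. It shows the server side of the flow: building the request from the minimal scope set, binding the callback to the user with a single-use `state`, and refusing a token whose granted scopes exceed what was requested.

```python
import base64
import hashlib
import secrets
from typing import Dict, List, Tuple
from urllib.parse import parse_qs, urlencode, urlparse

# Placeholders constructed for this example; not a real platform's configuration.
AUTHORIZE_URL = "https://provider.example/oauth/authorize"
CLIENT_ID = "example-client-id"
REDIRECT_URI = "https://app.example/connections/callback"

# Smallest scope set that serves each feature the user enabled (assumed scope names).
SCOPES_BY_PURPOSE = {
    "publish": ["content:read", "content:write"],
    "analytics": ["insights:read"],
}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def authorize_params(url: str) -> Dict[str, str]:
    """Flatten the query string of an authorization URL (used to inspect what is sent)."""
    return {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}


class PendingConnections:
    """Server-side bookkeeping for authorization requests awaiting their callback."""

    def __init__(self) -> None:
        # state -> (user id, requested scopes, PKCE verifier)
        self._pending: Dict[str, Tuple[str, List[str], str]] = {}

    def start(self, user_id: str, purposes: List[str]) -> str:
        """Build the authorization URL for exactly the scopes `purposes` require."""
        scopes = sorted({s for p in purposes for s in SCOPES_BY_PURPOSE[p]})
        state = secrets.token_urlsafe(32)          # binds the callback to this user and request
        verifier = secrets.token_urlsafe(48)       # PKCE verifier (assumed, beyond the page)
        challenge = _b64url(hashlib.sha256(verifier.encode()).digest())
        self._pending[state] = (user_id, scopes, verifier)
        params = {
            "response_type": "code",
            "client_id": CLIENT_ID,
            "redirect_uri": REDIRECT_URI,
            "scope": " ".join(scopes),             # the scopes the platform lists to the user
            "state": state,
            "code_challenge": challenge,
            "code_challenge_method": "S256",
        }
        return f"{AUTHORIZE_URL}?{urlencode(params)}"

    def finish(self, user_id: str, callback_url: str) -> dict:
        """Validate the provider callback and return what the token exchange needs."""
        query = parse_qs(urlparse(callback_url).query)
        state = query.get("state", [""])[0]
        entry = self._pending.pop(state, None)     # state is single-use
        if entry is None or entry[0] != user_id:
            raise ValueError("unknown or mismatched state; callback rejected")
        if "error" in query:
            raise ValueError(f"provider returned error: {query['error'][0]}")
        if "code" not in query:
            raise ValueError("callback carried no authorization code")
        return {"code": query["code"][0], "code_verifier": entry[2],
                "requested_scopes": entry[1]}


def granted_within_requested(requested: List[str], granted: str) -> Tuple[bool, List[str]]:
    """Compare the `scope` value of the token response with what was requested.

    Returns (ok, extras). A token carrying scopes that were never requested is refused,
    so the stored token never holds more authority than the connection flow displayed."""
    extras = sorted(set(granted.split()) - set(requested))
    return (not extras, extras)
```

Binding `state` to the signed-in user (not just checking that it exists) is what stops a callback captured from one account from being completed in another, and popping it on first use closes replays. The scope comparison runs after the code-for-token exchange, because some providers grant a default bundle regardless of what was asked for.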

How are my access tokens protected?

OAuth tokens for connected platforms are encrypted at rest using industry-standard encryption. In transit, all communication uses TLS 1.2 or higher.

What happens to my data if I delete my account?

Your content, connected accounts, and profile data are deleted from our systems. You'll receive a confirmation once the deletion is complete.

Trust starts with transparency.

Have security questions? We're happy to share our security approach with your team.