How we protect your credentials
What happens to the API keys and network credentials you save on RoyLead - encryption, masking and usage.
Updated on July 11, 2026
When you connect a network (Worldfilia, DR.CASH, Flamyfox, etc.) or an external tool, you entrust us with credentials. This page explains exactly how we handle them.
Encrypted before they touch the database
Every credential is encrypted with AES-256-GCM — the same standard used by banks and cloud providers — before being saved. No plaintext copy ever exists in the database: even in the event of unauthorized database access, your credentials would be unreadable without the encryption key, which is stored separately on the server and never lives in the database.
Never shown in plaintext
Once saved, network credentials are never displayed to anyone again — not even to you. On the Settings → Credentials ↗ page you only see a masked placeholder: the interface knows that a credential is configured, but cannot read it. They are effectively write-only: you can overwrite them at any time, but not read them back.
Used only for what they're for
Credentials are decrypted by the system exclusively at the moment they are needed: forwarding your leads to the network, reading a lead's status, or performing the action you connected the tool for. They are never used for anything else and never shared with third parties.
All communication — from your browser to RoyLead and from RoyLead to the networks — always travels over HTTPS (encrypted connection).
This applies to all credentials
The same database encryption covers everything you save on RoyLead:
- network credentials (API keys, tokens);
- the webhook token for postbacks;
- keys for connected tools (Cloudflare, ElevenLabs, Twilio, fal, etc.);
- advertising tokens (e.g. Meta).
One difference: the webhook token stays visible on the page, because you need to paste it into the networks' panels to set up postbacks. It is still stored encrypted in the database, and you can regenerate or revoke it at any time.
Tips on your side
- Where the network allows it, use an API key dedicated to RoyLead instead of reusing one you use elsewhere: if you ever want to revoke access, just regenerate it from the network's panel.
- To replace a credential, simply reopen the network in Settings → Credentials ↗ and save the new value: the old one is overwritten.
If you have any doubts or questions about your account's security, open a support discussion: we answer directly.
Ready to put this into practice?
Create your RoyLead account and start in minutes.