Security

StorePush is designed with security as a priority, handling sensitive Apple credentials and app data responsibly.

User Authentication

StorePush uses session-based authentication (not JWT) with:

  • Email OTP — Passwordless login via one-time codes sent to your email
  • Session management — Sessions are stored in the database with automatic expiry
  • No passwords — Eliminates password-related vulnerabilities

Apple Credential Storage

Your App Store Connect API credentials are protected as follows:

  • Private keys are stored encrypted in the database
  • App Store Connect API JWTs are generated on demand and are short-lived (10-minute expiry)
  • Tokens are never stored — they are generated fresh for each operation

API Security

All API endpoints enforce:

  • Authentication — Every protected endpoint verifies your session
  • Authorization — App-scoped endpoints verify that you own the app before granting access
  • Input validation — All inputs are validated using Zod schemas
  • CORS — Cross-origin requests are restricted to trusted domains

Data Isolation

  • Each user can only access their own apps and data
  • App-scoped operations always verify ownership before executing
  • Background jobs are queued per-app, ensuring no cross-contamination

Infrastructure

  • HTTPS only — All traffic is encrypted in transit with HSTS enabled
  • Security headers — X-Frame-Options, X-Content-Type-Options, strict Referrer-Policy
  • S3 storage — Screenshots are stored in isolated S3 buckets