Security
Last updated: March 28, 2026
Limited Data Use
SheetZapi is designed with a minimal data footprint. When your API receives a request, we proxy the response from Google Sheets in real time and return it directly to the caller. We do not persist your spreadsheet contents to our database or any long-term storage. Your data passes through our infrastructure only transiently: the one copy we retain is the response cache entry for that request, and it is discarded once the cache TTL you configured expires.
What We Do Store
To operate the service, we store only the minimum necessary data:
- Sheet names, sheet IDs, and your API configuration settings
- Google OAuth access and refresh tokens (encrypted at rest in Supabase)
- API keys, stored only as SHA-256 hashes; the plaintext key is shown once at creation and is never stored
- IP addresses of incoming API requests, used for rate limiting and IP allowlisting
- Request logs (method, path, status code, timestamp) for paid plan users, retained for 90 days
Authentication
User authentication is handled by Supabase Auth with Google OAuth. We never store your Google account password. OAuth tokens are used exclusively to read the Google Sheets you explicitly connect to SheetZapi, and can be revoked at any time via your Google Account settings.
API access is authenticated via API keys sent in the X-API-Key header. Each key is scoped to your account and can be independently revoked from the dashboard.
API Key Security
- API keys are shown only once at the moment of creation. Copy and store them securely
- Keys are stored in our database as SHA-256 hashes; even SheetZapi staff cannot retrieve your plaintext key
- You can create multiple keys per account and revoke any key instantly from the dashboard
- Rate limiting is enforced per key according to your plan limits
Encryption
- All traffic between clients and SheetZapi is encrypted over HTTPS/TLS
- All traffic between SheetZapi and Google Sheets is encrypted in transit
- Data at rest (account data, OAuth tokens, API key hashes) is encrypted by Supabase using AES-256
Third-Party Suppliers
SheetZapi relies on the following trusted infrastructure providers:
- Supabase: authentication, PostgreSQL database, and row-level security. Data is encrypted at rest and in transit.
- Stripe: payment processing. SheetZapi never handles or stores raw card data. All payment data is collected and stored by Stripe under their PCI DSS Level 1 compliance.
- Vercel: application hosting and global CDN. All requests are served over HTTPS with automatic TLS certificate management.
Responsible Disclosure
If you discover a security vulnerability in SheetZapi, please report it responsibly by emailing [email protected]. Please do not publicly disclose the issue until we have had a reasonable opportunity to investigate and address it. We appreciate responsible disclosure and will acknowledge your report promptly.