Trust
Security at push8
Push8 connects to your n8n. That means your API key lives in our database. Here's exactly how we handle it — no jargon.
Your n8n API key
- • Encrypted with AES-GCM using a server-only secret before it's written to the database. The database never sees the plaintext.
- • Decrypted only in a server function, only when you push or fetch from n8n. Decryption never happens in your browser.
- • We store the last 4 characters of the key so you can recognise which key is connected — nothing else is exposed.
- • You can disconnect at any time from Studio → Connections; the row is hard-deleted.
Access control
- • Every table that holds your data has row-level security scoping rows to
auth.uid(). Other users — including other push8 customers — cannot read your connection, chats, or workflows. - • Admin tooling is gated by a separate
user_rolestable; admins can see waitlist/usage metadata, not your secrets. - • Sign-in uses Lovable Cloud auth (email + Google). Sessions are stored in your browser's local storage and refreshed via short-lived tokens.
When we proxy to n8n
- • Push, test, and execution-status calls all go through our server. The browser never holds your n8n key.
- • We forward only the minimum payload n8n needs (name, nodes, connections, settings) — never your other workflows.
- • Errors from n8n are translated into plain-English hints; raw payloads are not echoed verbatim to the UI.
What we don't do
- • We don't log your API key, your workflow execution data, or the bodies of HTTP requests your workflows make.
- • We don't share your data with third parties for marketing.
- • We don't train AI models on your workflows. The AI gateway we use to generate workflows is contractually no-retention.
What we do store
- • Your account: email, display name, sign-in provider.
- • Your chats and the workflow JSON they produced.
- • Encrypted n8n connection (URL + ciphertext + last-4 hint).
- • Usage counters (model + token counts) so we can enforce monthly limits — no prompt content beyond a 200-char preview for debugging.
Report a vulnerability
Found something? Email security@push8.dev with steps to reproduce. We aim to acknowledge within 48 hours and won't pursue researchers acting in good faith.
Last updated 10 July 2026.