Learn more
Mekusheret

Secret vault

How your Morning credentials are stored — encrypted server-side, with nothing exposed in the browser.

How credentials are stored

When you connect your Morning account, the API key and secret are sent to the Mekusheret server and stored there encrypted (SecureStorage). They are not kept in your browser — not in local storage and not in cookies.

  • Server-side encryption — credentials are stored encrypted at rest
  • No secret is returned to the browser after saving
  • Issuing documents runs through the server, which uses the credentials without exposing them

What's never exposed in the browser

After you enter and save your credentials, they are never shown in full again. The settings screen shows only an indicator that the connection is active — never the secret itself.

To rotate a key, just generate a new key in Morning and enter it again. The old key is replaced.

Deleting your credentials

You can disconnect your Morning account at any time from the settings screen. Disconnecting deletes the encrypted credentials from the server, and Mekusheret can no longer issue documents until you reconnect.

If you stop using Mekusheret, we recommend revoking the key on the Morning side too, to make sure no forgotten access remains active.

Need help?

Didn't find what you were looking for? Our support team is here for you.

Contact