Secret vault
How your Morning credentials are stored — encrypted server-side, with nothing exposed in the browser.
How credentials are stored
When you connect your Morning account, the API key and secret are sent to the Mekusheret server and stored there encrypted (SecureStorage). They are not kept in your browser — not in local storage and not in cookies.
- Server-side encryption — credentials are stored encrypted at rest
- No secret is returned to the browser after saving
- Issuing documents runs through the server, which uses the credentials without exposing them
What's never exposed in the browser
After you enter and save your credentials, they are never shown in full again. The settings screen shows only an indicator that the connection is active — never the secret itself.
Deleting your credentials
You can disconnect your Morning account at any time from the settings screen. Disconnecting deletes the encrypted credentials from the server, and Mekusheret can no longer issue documents until you reconnect.