Security
How Mekusheret protects your Morning credentials and your data.
Last updated: July 9, 2026
1. Credential storage
Your Morning API credentials (Key ID and secret) are stored server-side only, encrypted in monday's SecureStorage, which is Vault-backed, namespaced per account as gi_creds:<accountId>. The secret never reaches the browser — the app's screens only ever receive a boolean ("are credentials configured?") and a masked Key ID showing the last 4 digits. The Morning bearer token is held in server memory until it expires and is never persisted or sent to the browser. Only the server process reads credentials at runtime, scoped to each account.
2. Transport security
All communication is over HTTPS/TLS.
3. Session security
Sessions use monday's session token (a JWT) sent in the Authorization: Bearer header — the app uses no cookies at all. The OAuth flow is protected against CSRF by a signed, short-lived state token (JWT).
4. Data minimization
The app reads only the data needed to issue a document, according to your column mapping. Customer personal details are passed to Morning to create the document but are not stored on the app's servers. The invoice ledger lives in your own monday.com account (monday.storage), not on ours.
5. Log hygiene
Logs go only to the monday Code console (there is no external log service). They contain operational identifiers — account IDs, item IDs, invoice IDs and numbers, amounts, currencies, and payment status — plus error messages. They never contain customer names, emails, phone numbers, secrets, or raw tokens.
6. An honest gap: deletion on uninstall
In the interest of transparency: the app does not yet automatically delete your stored Morning credentials when you uninstall it — there is currently no uninstall webhook handler. Until that is in place, email support@mekusheret.app to have your credentials deleted. We are actively working on automated deletion.
7. Responsible disclosure
If you believe you have found a security issue in Mekusheret, please email support@mekusheret.app so we can investigate and fix it promptly. We appreciate responsible disclosure and will work in good faith to resolve legitimate reports.