Security
Security notes for customers and provider reviewers
PostMantis is production-facing social publishing infrastructure. This page explains how credentials, access, and delivery workflows are handled today without making fake enterprise claims.
Credential handling
Social platform access and refresh tokens are encrypted at rest using AES-256-GCM before storage. They are decrypted only in memory when publish or token-refresh work needs to run and are not intentionally exposed through the public API surface.
Temporary connection-session credentials used during multi-step provider onboarding are also stored server-side and cleared when the connection flow reaches a terminal state or expires.
Webhook signing secrets are stored encrypted at rest and are not returned through the user-facing webhook listing APIs.
Transport security
Production dashboard and API traffic is served over HTTPS. PostMantis is designed so credential exchange, API requests, and webhook delivery configuration do not rely on plaintext transport in normal operation.
Authentication and access
External API access is authenticated through user-scoped bearer API keys. Dashboard access uses product authentication before exposing that user’s connected data.
API keys, connected profiles, and post workflows are scoped to the current user to reduce accidental cross-user access.
API key creation, revocation, and webhook destination management are dashboard-managed actions rather than public API write operations.
Operational design
- Idempotency keys are used when creating post workflows.
- Publish work is executed through an embedded background worker runtime, not inline request paths.
- Post creation and draft publish endpoints are acceptance commands, not synchronous publish calls.
- Delivery states and audit events are stored durably in Postgres.
- Queue drift is reconciled through an embedded recovery loop in the monolith.
- Signed webhook delivery is supported for dashboard-configured destinations and runs through the same durable monolith runtime as publishing workflows.
Product and provider review context
PostMantis is infrastructure for SaaS products, internal tools, agencies, and automation systems that need to publish social content on behalf of authenticated users.
Users connect social accounts they own or are authorized to manage in the dashboard. PostMantis stores those publishable destinations, accepts content through the dashboard or public API, and dispatches publish work to the connected provider accounts.
For connected providers, PostMantis is designed to access only the data needed for account identity, destination management, authorization maintenance, publishing, and delivery status for posts published through the Service. This includes fields such as provider account IDs, display names, usernames or handles, profile image URLs, provider-side post IDs, publish timestamps, delivery states, and error details.
PostMantis is not designed to access private messages, direct messages, or unrelated account data outside those workflows.
Account connection, API key creation, and webhook configuration are dashboard-managed control-plane actions. Runtime publishing happens through the public API and follows the documented async workflow, status model, and webhook contracts.
Reporting and contact
For security, privacy, support, or platform-review questions, contact [email protected].
Responsible disclosure is welcome. PostMantis aims to acknowledge security reports within 2 business days.
You can also review the privacy policy and the post lifecycle guide for more detail on data handling and workflow behavior.
Security notices are handled by postmantis, operating from Country pending configuration.