Security Overview

Your health data is sensitive. Here's how Wellpipe keeps it safe.

Core Principles

1. Minimal Data Storage

We store only what's necessary:

  • ✅ Encrypted OAuth tokens (to access your health provider)
  • ✅ Usage logs (for rate limiting and analytics)
  • ❌ No health data stored
  • ❌ No sleep, recovery, or workout data retained

Your actual health data is fetched on-demand from your health provider and returned to your AI assistant without being stored.

2. Encryption at Rest

OAuth tokens are encrypted using AES-256-GCM:

  • Industry-standard encryption algorithm
  • 256-bit encryption keys
  • Authenticated encryption (prevents tampering)
  • Keys stored separately from encrypted data

3. Encryption in Transit

All connections use HTTPS/TLS 1.3:

  • Data encrypted between your browser and Wellpipe
  • Data encrypted between Wellpipe and health providers
  • Modern cipher suites only

4. Read-Only Access

Wellpipe only requests read permissions:

  • Cannot modify your health data
  • Cannot change your WHOOP settings
  • Cannot delete any of your data

Token Security

Access Tokens

  • Short-lived (1 hour)
  • Used for API requests
  • Automatically refreshed

Refresh Tokens

  • Used to get new access tokens
  • Encrypted before storage
  • Can be revoked anytime

Token Handling

  1. Received from health provider during OAuth
  2. Encrypted immediately using AES-256-GCM
  3. Stored in encrypted form in database
  4. Decrypted only when making API requests
  5. Never logged or exposed in responses

API Key Security

Your Wellpipe API key:

  • Unique to your account
  • Hashed before storage (we can't read it)
  • Can be regenerated anytime
  • Required for all AI assistant access

Keep your API key private. Anyone with your key can access your health data.

Authentication

User Authentication

  • OAuth with Google, Apple, or Facebook
  • No passwords stored
  • Sessions managed by NextAuth

Provider Authentication

  • OAuth 2.0 with PKCE (where supported)
  • State parameter for CSRF protection
  • Secure token exchange

Audit Logging

We log security events:

  • Provider connections/disconnections
  • API key generation/revocation
  • Authentication attempts

Logs don't contain health data.

Rate Limiting

Protection against abuse:

  • 1,000 requests/month (free tier)
  • Rate limit headers in responses
  • Prevents credential stuffing attacks

What We Don't Do

  • ❌ Share data with third parties
  • ❌ Use data for AI training
  • ❌ Sell or monetize your data
  • ❌ Access data without your request
  • ❌ Store health data

Open Source

Core packages are open source:

Review the code yourself or self-host for maximum control.

Reporting Security Issues

Found a vulnerability? Please email security@wellpipe.io.

We take security reports seriously and will respond within 48 hours.