
Zero-Knowledge Security: AES-GCM in the Browser

We never see your API keys. Learn how we use the Web Crypto API to encrypt your credentials in session storage.

Pageel Team
May 28, 2025
10 min read

Security is the #1 concern when using a third-party client for GitHub.

The Threat Model

The most exposed place for a secret is localStorage in plain text: it survives across sessions, and any XSS vulnerability or malicious browser extension running in the page can read it and steal your GitHub token.

Web Crypto API

Pageel uses the browser’s native Web Crypto API for AES-GCM encryption:

// Pageel's snippet: generate a fresh AES-256-GCM key for this session.
// Runs inside an async function or an ES module, since it uses await.
const key = await crypto.subtle.generateKey(
  { name: "AES-GCM", length: 256 },
  true,   // extractable; passing false would also prevent exportKey() from ever exposing the raw key bytes
  ["encrypt", "decrypt"]
);

How It Works

  1. Key Generation: A unique encryption key is generated per session
  2. Token Encryption: Your GitHub token is encrypted before storage
  3. Memory-Only Key: The decryption key exists only in memory
  4. Session Bound: Closing the tab destroys the key

The encryption key is never persisted to disk. Even if someone reads your sessionStorage, they find only ciphertext, which is useless without the key held in the running page's memory.

What This Means for You

  • Your token is protected even from XSS attacks
  • We (Pageel/REDD) cannot see your credentials
  • Full zero-knowledge architecture