Security & Encryption

RapidAPI for Mac uses high security encryption standards: AES-256 CBC, PBKDF2 key derivation and HMAC SHA-256 signatures. Our goal is to build the safest testing HTTP client.

Keychain Integration

RapidAPI for Mac seamlessly integrates with your Mac's Keychain and lets you pick passwords and SSL Client Certificates from it. The data taken from the Keychain is never persisted by RapidAPI for Mac.

End-to-end encryption

We wanted to make something that works by default for every user, regardless of their level of interest in securing their credentials and knowledge about encryption. In RapidAPI for Mac, password fields are by default secured, and users can manually make any input encrypted.

When syncing projects with RapidAPI for Teams, your credentials stay safe and are encrypted before being synced in the cloud. The encryption key is randomly generated by RapidAPI for Mac locally and is never shared with us, keep it safe as if you loose it we won't be able to help you recover them.

  • Encryption done right.

    RapidAPI for Mac follows the already proven RNCryptor v3 spec, which derivates 256 bits keys from your master passphrase with PBKDF2, encrypts with AES, using unique Initialization Vectors for CBC and applies a HMAC SHA-256 signature to the final cipher text.
  • Secure Interface.

    Requests are only sent to the servers you specify in the URL field and SSL certificates are validated. By default, any sensitive piece of information is obfuscated on screen and is not copied to the clipboard.
  • Your master keys are safe.

    RapidAPI for Mac randomizes master passphrases for you, and stores them in your Mac's Keychain, which is protected like any other secure data on Mac. You may have multiple encryption keys to be used for distinct documents.
  • Everywhere safe.

    While your passwords and private keys are kept secure, we also encrypt your history of HTTP exchanges (request/response pairs) as well as the cookies stored by RapidAPI for Mac.

All the details about encryption

We know how easy it is to make a fatal mistake when designing an encryption process, and obscurity is not an option when it comes down to keeping your data safe. So, we have detailed precisely how our mechanism works:

  • The master passphrase is stored in the macOS Keychain, such as no other application can access it without an explicit grant from the user
  • Encryption uses AES-256 (technically AES with a 256 bits key) and CBC
  • Keys are derivated using PBKDF2 with 100k iterations (we raised RNCryptor's standard from 10k to 100k)
  • New salts and initialization vectors (IV) are generated for each secure entry
  • Cryptographically secure pseudo-random numbers are taken from /dev/random
  • When typing, on each update (key stroke) a new IV is randomized while the key derivation salts are reused
  • To keep the performance high, the derivated keys are cached in-memory
  • To prevent attackers from sniffing the RapidAPI for Mac's memory, we deter attachment of debuggers
  • macOS encrypts memory when swapping to disk, which eliminates the risk of leaving plain text data on disk (see macOS Secure Virtual Memory)

Or, in pseudo-code:

def Encrypt(Passphrase, Plaintext):
  EncryptSalt = Random(8 length)
  EncryptKey = PBKDF2(EncryptSalt, 32 length, 100k iterations, SHA-1, Passphrase)

  HMACSalt = Random(8 length)
  HMACKey = PBKDF2(HMACSalt, 32 length, 100k iterations, SHA-1, Passphrase)

  IV = Random(16 length)

  Header = 0x03 || 0x01 || EncryptSalt || HMACSalt || IV
  Ciphertext = AES256(Plaintext, ModeCBC, IV, EncryptKey)
  HMAC = HMAC(Header || Ciphertext, HMACKey, SHA-256)
  Message = Header || Ciphertext || HMAC
  return Message