Security

Your connection stays protected

RelayDesk was built by traders who know exactly what it feels like to connect a broker account. Here's how we keep your access secure and why your funds never leave your broker.

Controls

Defense in depth

Multiple layers of encryption, isolation, and monitoring protect every connection and trade.

Secure OAuth Connection

RelayDesk connects to your broker via OAuth — we never see or store your login credentials. You authorize access directly with your broker.

  • No passwords or API keys stored on our servers
  • You control permissions granted during OAuth flow
  • Revoke access anytime from your broker's settings

No Access to Funds

RelayDesk only submits orders via broker APIs. Your capital never moves through our infrastructure.

  • Trading permissions only, no withdrawals
  • Orders settle directly at your broker
  • Your broker's security and regulatory protections apply

Secure Session Management

HttpOnly cookies, SameSite settings, and managed session expiry keep your account locked down.

  • 7-day session expiration
  • PostgreSQL-backed session storage
  • Automated invalidation on logout or password reset

Firebase Authentication

Authentication runs on Google Firebase with enforced password requirements and email verification.

  • Google OAuth + email/password
  • Token-based auth with automatic expiration
  • Email verification required for access

Per-User Data Isolation

Strict data-layer guards keep every strategy, bot, and fill scoped to a single account.

  • User scoping at the DB level
  • Foreign keys enforce referential integrity
  • No cross-account queries

TLS 1.3 Everywhere

Traffic between your browser, RelayDesk, and our APIs is encrypted end-to-end.

  • HTTPS enforced across the stack
  • Automatic certificate rotation
  • Secure cookie transmission only
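How the session controls listed under Secure Session Management (HttpOnly, SameSite, 7-day expiry, invalidation on logout or password reset) and the Secure-cookie rule above fit together, as an added illustration that is not RelayDesk's own code. It assumes an in-memory dict standing in for the PostgreSQL session table and a per-user password-version counter as the reset mechanism; all names are hypothetical.

```python
from datetime import datetime, timedelta, timezone
import secrets

SESSION_TTL = timedelta(days=7)  # the 7-day session expiration stated above

def build_session_cookie(session_id: str, ttl: timedelta = SESSION_TTL) -> str:
    """HttpOnly: no script access; Secure: HTTPS only; SameSite=Lax: withheld from
    cross-site POSTs; Max-Age: the browser drops it when the server-side TTL ends."""
    return (f"sid={session_id}; Path=/; Max-Age={int(ttl.total_seconds())}; "
            "HttpOnly; Secure; SameSite=Lax")

class SessionStore:
    def __init__(self) -> None:
        self.sessions: dict = {}  # sid -> (user_id, expires_at, password_version at issue)
        self.password_versions: dict = {}  # user_id -> current version

    def create(self, user_id: str, now: datetime) -> str:
        sid = secrets.token_urlsafe(32)  # 256-bit random id, never derived from user data
        self.sessions[sid] = (user_id, now + SESSION_TTL, self.password_versions.get(user_id, 0))
        return sid

    def resolve(self, sid: str, now: datetime):
        """User id for a live session; None (and the row dropped) if expired or pre-reset."""
        row = self.sessions.get(sid)
        if row is None:
            return None
        user_id, expires_at, version = row
        if now >= expires_at or version != self.password_versions.get(user_id, 0):
            del self.sessions[sid]
            return None
        return user_id

    def logout(self, sid: str) -> None:
        self.sessions.pop(sid, None)

    def password_reset(self, user_id: str) -> None:
        # Bumping the version makes every session issued before the reset stop resolving.
        self.password_versions[user_id] = self.password_versions.get(user_id, 0) + 1

def demo() -> dict:
    # Exercise the three invalidation paths: logout, password reset, TTL expiry.
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)  # constructed clock value
    store = SessionStore()
    a, b = store.create("alice", t0), store.create("alice", t0)
    store.logout(a)
    store.password_reset("alice")  # b was issued before the reset
    c = store.create("alice", t0)  # fresh session after the reset
    return {"logout": store.resolve(a, t0), "reset": store.resolve(b, t0),
            "fresh": store.resolve(c, t0 + timedelta(days=6)),
            "expired": store.resolve(c, t0 + SESSION_TTL)}
```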

Extra safeguards

Security practices we live by

Security is a habit, not a one-off project. These are the policies that guide our daily operations.

  • OAuth tokens are encrypted at rest and never logged
  • Webhook endpoints validate signatures to block spoofed traffic
  • Real-time monitoring uses read-only permissions
  • Encrypted backups with automated rotation
  • Frequent dependency updates and security scans

Broker relationship

Your funds stay with your broker

RelayDesk is automation software, not a broker-dealer. We never hold or move your capital. Your broker maintains custody of all positions with their regulatory oversight.

What RelayDesk can do

Submit and manage trades using the permissions you grant via OAuth.

What RelayDesk cannot do

Withdraw cash, transfer positions, or access your broker login credentials. All custody and regulatory coverage remains with your broker.

Need details?

Ask anything about our security posture

We are transparent about how RelayDesk works. Reach out if you need a walkthrough before connecting your broker account.