Privacy Policy

Last updated: 2026

1. Who We Are

This service is operated by nik2208 and provides the @nik2208/node-auth library — a database-agnostic JWT authentication toolkit for Node.js. The library can be configured programmatically or via the companion MCP server using AI assistants (VS Code Copilot, Cursor, Claude Desktop, etc.).

2. Data We Collect

When you authenticate via OAuth (Google or GitHub), we receive and store the following data provided by the OAuth provider:

  • Email address
  • Display name (first and last name)
  • Profile picture URL
  • OAuth provider identifier (user ID from Google / GitHub)

We also store:

  • JWT refresh tokens (hashed) for session management
  • API keys you create (stored as a bcrypt hash; the raw key is shown only once)
  • Usage statistics (request counts per API key, per billing period)
  • Timestamps: account creation, last login, last API key usage

We do not collect passwords, payment information, or any data beyond what is necessary to operate the service.

3. How We Use Your Data

Your data is used exclusively to:

  • Authenticate you and maintain your session (JWT cookies)
  • Identify you when you make API calls with an API key
  • Enforce plan limits (free / pro / enterprise)
  • Display your profile in the account dashboard

We do not sell, rent, or share your personal data with third parties for marketing purposes.

4. Cookies

We use the following cookies, all of which are strictly necessary for the service to function:

  • accessToken — HttpOnly JWT cookie containing your short-lived session (15 minutes by default).
  • refreshToken — HttpOnly JWT cookie used to obtain a new access token without re-authenticating (7 days by default).
  • csrf-token — Non-HttpOnly CSRF double-submit cookie (only set when CSRF protection is enabled).

These cookies are set only after you explicitly log in and are required for the service to work. No tracking or analytics cookies are used.

5. Data Retention

Your data is retained as long as your account is active. You can delete your account at any time via the Account page or by contacting us. Upon deletion, all personal data is permanently removed from our database.

6. Your Rights (GDPR)

If you are located in the European Economic Area, you have the following rights:

  • Access — request a copy of the data we hold about you.
  • Rectification — ask us to correct inaccurate data.
  • Erasure — ask us to delete your data ("right to be forgotten").
  • Portability — receive your data in a machine-readable format.
  • Objection — object to processing based on legitimate interests.

To exercise any of these rights, open an issue on GitHub or contact us directly.

7. Security

All data in transit is encrypted with TLS. Raw API keys are never stored — only a bcrypt hash is persisted. JWT secrets are environment-variable-managed and never committed to source control.

8. Changes to This Policy

We may update this policy occasionally. The "Last updated" date at the top of this page reflects the most recent revision. Continued use of the service after changes constitutes acceptance of the updated policy.

9. Contact

For privacy-related questions, please open an issue on GitHub.