powerhour
Security

Security built into the data layer, not bolted on.

Security controls are designed into the data flow, agent access, and API surface — not added as an afterthought.

Controls

Five security layers

01

AES-256-GCM token encryption

Plaid access tokens are encrypted at rest using AES-256-GCM. Keys never leave the server environment.

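import { randomBytes, createCipheriv } from "node:crypto";

const ALGORITHM = "aes-256-gcm";
const IV_LENGTH  = 12;  // GCM recommended
const TAG_LENGTH = 16;  // integrity tag

// key: 32-byte Buffer; token: the plaintext access token (name assumed here)
const iv     = randomBytes(IV_LENGTH);
const cipher = createCipheriv(ALGORITHM, key, iv, { authTagLength: TAG_LENGTH });
const ciphertext = Buffer.concat([cipher.update(token, "utf8"), cipher.final()]);
const authTag = cipher.getAuthTag();  // only valid after final()

// stored as iv:ciphertext:authTag
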
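
The read side of the `iv:ciphertext:authTag` record described above, as an added example that is not Powerhour's own code. Hex encoding of the three fields and the names `encryptToken`, `decryptToken` and `rejectsTampering` are assumptions; the key and token are constructed sample values.

```javascript
const { randomBytes, createCipheriv, createDecipheriv } = require("node:crypto");

const ALGORITHM = "aes-256-gcm";
const IV_LENGTH = 12;
const TAG_LENGTH = 16;

// Encrypt a token and serialise it as iv:ciphertext:authTag.
// Hex encoding of each field is an assumption; the page only gives the field order.
function encryptToken(plaintext, key) {
  const iv = randomBytes(IV_LENGTH); // fresh IV per call: reuse under one key breaks GCM
  const cipher = createCipheriv(ALGORITHM, key, iv, { authTagLength: TAG_LENGTH });
  const ciphertext = Buffer.concat([cipher.update(plaintext, "utf8"), cipher.final()]);
  const authTag = cipher.getAuthTag(); // only available after final()
  return [iv, ciphertext, authTag].map((b) => b.toString("hex")).join(":");
}

// Parse and decrypt a stored record. Throws on malformed or tampered input.
function decryptToken(stored, key) {
  const parts = stored.split(":");
  if (parts.length !== 3 || parts.some((p) => !/^([0-9a-f]{2})+$/.test(p))) {
    throw new Error("malformed record");
  }
  const [iv, ciphertext, authTag] = parts.map((p) => Buffer.from(p, "hex"));
  // Enforce exact lengths so a truncated tag is never accepted.
  if (iv.length !== IV_LENGTH || authTag.length !== TAG_LENGTH) {
    throw new Error("bad iv or tag length");
  }
  const decipher = createDecipheriv(ALGORITHM, key, iv, { authTagLength: TAG_LENGTH });
  decipher.setAuthTag(authTag);
  // final() throws if the tag does not match; nothing is returned before it succeeds.
  return Buffer.concat([decipher.update(ciphertext), decipher.final()]).toString("utf8");
}

// Constructed sample values, not real credentials.
const demoKey = randomBytes(32);
const demoRecord = encryptToken("access-sandbox-constructed-example", demoKey);

// Flip one bit in the ciphertext field and report whether decryption rejects it.
function rejectsTampering(record, key) {
  const [iv, ct, tag] = record.split(":");
  const bytes = Buffer.from(ct, "hex");
  bytes[0] ^= 0x01;
  try {
    decryptToken([iv, bytes.toString("hex"), tag].join(":"), key);
    return false;
  } catch {
    return true;
  }
}
```
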
02

Database-layer agent boundaries

Agent tool access is constrained through database views that exclude sensitive columns from AI context.

CREATE VIEW agent_accounts_view AS
SELECT
  id, name, type, subtype,
  current_balance, available_balance,
  credit_limit, is_active
FROM accounts
WHERE is_active = true;

-- plaid_access_token: EXCLUDED
-- sync_cursor:        EXCLUDED

03

Layered rate limiting

Independent rate limits on login, chat, reports, and global API traffic prevent abuse at each surface.

login:    5 req  / 15 min
sync:     3 req  / 15 min
chat:    20 msg  /  1 min
planner:  3 runs /  1 hr
reports:  5 req  /  1 min

04

Webhook signature verification

Plaid webhooks are verified with JWT signature and body-hash checks before any processing occurs.

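import crypto from "node:crypto";

const signedJwt = headers["plaid-verification"];

// 1. verify JWT signature (SHA256 + ECDSA); reject on failure
// JWS ES256 signatures are raw r||s, so publicKey must carry dsaEncoding: "ieee-p1363"
if (!crypto.verify("SHA256", data, publicKey, sig)) return false;

// 2. verify body integrity
const hash = crypto.createHash("sha256")
  .update(body).digest("base64url");
return payload.request_body_sha256 === hash;

05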

Audit log for security events

Critical account and security events (login, token exchange, deletions) are recorded with IP and timestamp.

type AuditAction =
  | "login"
  | "password_change"
  | "institution_link"
  | "institution_delete"
  | "report_download";

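// failures never block the primary action
try {
  await db.insert(auditLog)
    .values({ action, ip, metadata });
} catch (err) {
  console.error("audit log write failed", err);  // surface the gap, keep the request going
}

Your responsibility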

Deployer checklist

Powerhour handles application-level security. These infrastructure concerns are on you.

  • Serve the application over HTTPS with a valid TLS certificate.
  • Rotate SESSION_SECRET and Plaid credentials periodically.
  • Keep Node.js and npm dependencies up to date with security patches.
  • Restrict database network access to the application host only.

Your data never leaves your infrastructure.

Every security control is open source. Read the implementation, audit the code, verify the claims.