Advanced API Security
Overview
Advanced API Security explains how UnoLock protects application traffic between the client and the UnoLock service.
This page matters because there is often confusion between:
- TLS transport encryption
- client-side encrypted stored data
- end-to-end encrypted application payloads
UnoLock does not rely on TLS alone as the full explanation of API confidentiality. API traffic also uses application-layer protection so that protected payloads are not treated as ordinary plaintext requests moving over HTTPS.
How It Works
- TLS 1.3 transport security: the network channel is protected against passive interception and standard transport-layer attacks.
- Protected application payloads: sensitive API data is protected at the application layer rather than relying only on HTTPS transport.
- Client-side encryption before storage: when the API is carrying Safe data for storage, that data has already been encrypted client-side before upload.
- Endpoint-oriented design: the API exists to move protected data between the UnoLock client and service boundary without turning the server into a plaintext trust anchor for normal storage flows.
- Authentication separate from encryption: WebAuthn access keys authenticate users, while encryption protects data payloads.
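As an added illustration (not UnoLock's own code, and not its actual wire format), the Go model below separates the two application-side layers listed above: a Safe record is first encrypted with a Safe key that never leaves the client, and the resulting storage blob is then wrapped in an API envelope under a session key assumed to be established between client and service; TLS is applied afterwards by the transport and is not modelled. Both layers use AES-256-GCM, each with its own additional-data label, so the service can unwrap the envelope yet still holds only ciphertext.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// AAD labels: a blob sealed for one layer cannot be presented as the other.
const AADStorage, AADEnvelope = "safe-record-v1", "api-envelope-v1"

func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // a 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal returns nonce||ciphertext||tag under AES-256-GCM with a fresh nonce.
func Seal(key, plaintext []byte, aad string) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, []byte(aad)), nil
}

// Open reverses Seal; a wrong key, wrong layer label or any tampering fails.
func Open(key, sealed []byte, aad string) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil || len(sealed) < gcm.NonceSize() {
		return nil, fmt.Errorf("cannot open blob (err=%v)", err)
	}
	n := gcm.NonceSize()
	return gcm.Open(nil, sealed[:n], sealed[n:], []byte(aad))
}

// ClientUpload: record -> storage blob under the Safe key (client-only) -> API envelope under the session key.
func ClientUpload(safeKey, sessionKey, record []byte) ([]byte, error) {
	stored, err := Seal(safeKey, record, AADStorage)
	if err != nil {
		return nil, err
	}
	return Seal(sessionKey, stored, AADEnvelope)
}

// ServiceView: after TLS termination the backend unwraps the envelope but holds only the storage ciphertext.
func ServiceView(sessionKey, envelope []byte) ([]byte, error) { return Open(sessionKey, envelope, AADEnvelope) }
```

The keys are constructed demo values; in a real deployment the Safe key is derived and held client-side and the session key comes from the authenticated exchange, neither of which is shown here.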
Security Implications
- Transport plus payload protection: attackers do not get ordinary plaintext API data simply because they can observe the network path.
- Lower server trust requirements: protected payload handling reduces unnecessary plaintext exposure in backend systems.
- Cleaner threat separation: transport encryption, application payload encryption, authentication, and client-side stored-data encryption each do a different job.
Use Cases
- Normal Safe sync and access: records and files move through the API without requiring plaintext trust in the transport path alone.
- Untrusted network access: the combination of TLS and protected application payloads hardens communication over hostile or shared networks.
- Regulated environments: security teams can distinguish between storage encryption, transport encryption, and endpoint-to-endpoint payload protection.
Why It Matters
If people hear "the data is client-side encrypted" they may still ask what protects API traffic. If they hear "the API uses HTTPS" they may still ask whether payloads are protected beyond transport. This page closes that gap: UnoLock protects API traffic as part of a layered model, not with a single control.
FAQs
Is UnoLock API security just HTTPS?
No. TLS is one layer, but UnoLock also protects sensitive API payloads at the application level and uses client-side encryption for stored Safe data.
Is API encryption the same thing as client-side encryption?
No. Client-side encryption protects data before upload and while it is stored. API encryption protects the communication path and the exchange of protected payloads over it.
Does UnoLock use passwords as the main secret for API security?
No. UnoLock uses WebAuthn-based authentication for normal Safe access. Password-style secrets are not the normal root of trust for Safe data or API protection.
Compliance & Privacy Regulations
- GDPR & HIPAA Compliance: layered transport and payload protection help reduce unnecessary exposure of personal and sensitive data during transmission.
Integration with Other Features
- Client-Side Encryption Using AES-256 GCM: protects stored Safe data before it is sent through the API.
- End-to-End Encryption: explains the broader endpoint-to-endpoint protection model used across messaging and protected API flows.
- Commitment to Anonymity and Data Privacy: reduces linkable exposure while protected data moves through the service.