Velyra

Security

Practical safeguards for a personal system.

Velyra keeps authentication, sessions, ownership, and integration tokens server-side and scoped to the current user.

Authentication and sessions

Private app pages require a server-side session before rendering.

  • Better Auth manages email/password and optional Google Login.
  • Sessions are stored in PostgreSQL.
  • Private routes derive ownership from the authenticated request scope.

Google Calendar

Google Calendar access is isolated from public pages and protected server-side.

  • Calendar tokens are encrypted before storage.
  • Velyra uses minimum permissions for calendar list and event sync.
  • Disconnect clears stored token fields and disables sync.

Operational limits

The beta avoids irreversible or payment-risk actions.

  • No public payment activation.
  • No production billing without legal/fiscal approval.
  • No secrets are written to public docs, exports, logs, or browser variables.