Security
LarpTube stores passwords as hashes, keeps sessions as server-side records, and encrypts YouTube OAuth tokens with the server security secret before writing them to the local JSON database.
OAuth tokens are used only for the connected YouTube account actions shown in the user interface. The app does not expose tokens to the browser, does not sell tokens, and does not use tokens for unrelated background actions.
Creators can disconnect YouTube from Settings → Connected accounts, which removes the stored YouTube connection and encrypted OAuth token data from LarpTube.
This test build uses local persistent storage. Production deployments should keep SECURITY_SECRET stable, use HTTPS, restrict environment variable access, and use a persistent disk/database appropriate for production data.
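As an added illustration (not LarpTube's own code), the sketch below shows one way to encrypt an OAuth token with a server secret before it is written to a JSON record, and why SECURITY_SECRET has to stay stable: a record sealed under one secret cannot be opened under another. AES-256-GCM, HKDF, the record layout and the names deriveKey, sealToken and openToken are assumptions; the page does not say which cipher or format LarpTube uses.

```javascript
// Added example, not LarpTube code. Cipher, KDF and record layout are assumptions.
const { createCipheriv, createDecipheriv, hkdfSync, randomBytes } = require('node:crypto');

// Derive a 256-bit key from the deployment secret (the page's SECURITY_SECRET).
// Assumes the secret is a long random value, not a human-chosen password.
function deriveKey(secret) {
  return Buffer.from(hkdfSync('sha256', secret, 'larptube-example-salt', 'oauth-token-v1', 32));
}

// Encrypt a token into a JSON-safe record. userId is bound as associated data,
// so a record copied onto another user's row fails authentication.
function sealToken(secret, userId, token) {
  const iv = randomBytes(12); // fresh nonce per record, never reused under one key
  const cipher = createCipheriv('aes-256-gcm', deriveKey(secret), iv);
  cipher.setAAD(Buffer.from(userId));
  const ct = Buffer.concat([cipher.update(token, 'utf8'), cipher.final()]);
  return {
    v: 1,
    iv: iv.toString('base64'),
    ct: ct.toString('base64'),
    tag: cipher.getAuthTag().toString('base64'),
  };
}

// Returns the token, or null when the secret, user binding or ciphertext is wrong.
function openToken(secret, userId, rec) {
  try {
    const d = createDecipheriv('aes-256-gcm', deriveKey(secret), Buffer.from(rec.iv, 'base64'));
    d.setAAD(Buffer.from(userId));
    d.setAuthTag(Buffer.from(rec.tag, 'base64'));
    return Buffer.concat([d.update(Buffer.from(rec.ct, 'base64')), d.final()]).toString('utf8');
  } catch {
    return null; // caller should ask the user to reconnect, never fall back to stored bytes
  }
}

// Constructed sample values, not real credentials.
const rec = sealToken('secret-A', 'user-1', 'constructed-refresh-token');
console.log(JSON.stringify(rec));                 // what would land in the JSON database
console.log(openToken('secret-A', 'user-1', rec)); // same secret: token recovered
console.log(openToken('secret-B', 'user-1', rec)); // changed secret: null
```

If the secret ever has to change, every stored record must be re-encrypted under the new key while the old one is still available, or each affected user has to reconnect the account.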