Security

Digital Face is designed with security first. Here is how we protect your ad accounts and data at every layer.

OAuth 2.1 + PKCE

We use the latest OAuth 2.1 standard with Proof Key for Code Exchange (PKCE) to authenticate with Google and Meta. This is the most secure OAuth flow available.

How the flow works

  1. Authorization request: When you click "Connect Google Ads," we redirect you to Google's OAuth consent screen. A unique PKCE code challenge is generated for each session.
  2. User consent: You grant specific permissions (read campaigns, manage budgets, etc.) directly on Google's domain. We never see your Google password.
  3. Token exchange: Google returns an authorization code. We exchange it for access and refresh tokens by presenting the PKCE code verifier, which proves the token request comes from the same client that started the flow.
  4. Token storage: Tokens are encrypted with AES-256-GCM before being stored. The encryption key is stored separately from the database.

Why PKCE matters: PKCE prevents authorization code interception attacks. Even if an attacker captures the authorization code during the redirect, they cannot exchange it for tokens without the code verifier.

Token Encryption

All OAuth tokens (access tokens and refresh tokens) are encrypted at rest using AES-256-GCM, the same encryption standard used by banks and government agencies.

AES-256-GCM

256-bit AES in Galois/Counter Mode. It provides both confidentiality and integrity: any tampering with the stored ciphertext is detected when it is decrypted.

Key Management

Encryption keys are stored in environment variables, separate from the database. Keys are rotated periodically.

Unique IVs

Each token is encrypted with a unique initialization vector (IV), ensuring identical tokens produce different ciphertext.

Decryption on Demand

Tokens are only decrypted in memory when an API call to Google or Meta is needed, and never logged.

Safety Model

Digital Face is designed to prevent accidental damage to your ad accounts. Multiple layers of protection are built into every write operation.

Campaigns Created PAUSED

Every campaign created through Digital Face starts in a PAUSED state. No money is spent until you explicitly enable the campaign. This gives you time to review targeting, bids, and creatives before going live.

Budget Guardrails

Budget adjustments are capped at 50% change per call. If a campaign currently has a $100/day budget, the maximum new budget in a single adjustment is $150/day. This prevents runaway spending from a misunderstood command.

User Confirmation

Write operations go through MCP's tool-use protocol, which means your AI client displays what the tool will do before executing it. You always have the chance to cancel.

Data Flow

We follow a principle of minimal data storage. Here is exactly what we store and what we do not.

What We Store

  • Encrypted OAuth tokens (access + refresh)
  • Account connection metadata (platform, account ID)
  • Tool call logs (tool name, timestamp, success/fail)
  • Your email address and plan information

What We Do NOT Store

  • Your Google or Meta passwords
  • Ad campaign data (stays with Google/Meta)
  • AI conversation history
  • Your ad creative content or landing pages

Data in transit: All API calls are made over HTTPS/TLS 1.3. Data fetched from Google or Meta is returned directly to your AI client through the MCP response and is not cached on our servers.

Revoking Access

You can revoke Digital Face's access to your ad accounts at any time through two methods.

From Digital Face

  1. Go to Dashboard > Ad Accounts
  2. Click Disconnect next to the account
  3. Confirm the disconnection
  4. Your OAuth tokens are immediately deleted from our database

From Google / Meta

You can also revoke access directly from the platform:

  • Google: Go to myaccount.google.com > Security > Third-party apps with account access and remove Digital Face
  • Meta: Go to facebook.com/settings > Apps and Websites and remove Digital Face

API Key Security

API keys provide programmatic access to the MCP endpoint. Follow these best practices to keep them safe.

Store securely

Keep API keys in environment variables or a secret manager. Never commit them to source control.

Use descriptive names

Name keys after their purpose (e.g., "production-mcp", "staging-test") to make rotation easier.

Rotate regularly

Create a new key and delete the old one periodically. You can have multiple active keys during rotation.

Delete unused keys

If a key is no longer needed, delete it immediately from Dashboard > API Keys.

Monitor usage

Check the Usage page to spot unexpected tool call patterns that could indicate a compromised key.