Security

Your account.
Always yours.

XPilot needs access to your X account to do its job. Here's exactly how that works, what we can see, what we store, and how you stay in control.

TL;DR

  • Your X password is never seen or stored by XPilot.
  • We use X's official OAuth 2.0, no custom login workarounds.
  • We only request the 3 minimum scopes we actually need.
  • Your access token is encrypted at rest.
  • You can disconnect in one click, anytime.
  • We do not access your DMs.

OAuth 2.0, no password ever

XPilot connects to your X account using X's official OAuth 2.0 flow, the same standard used by major apps. You authorize access on X's own page. Your X password is never entered into XPilot, never seen by XPilot, and never stored anywhere in our system.

Minimum permissions

XPilot requests only the scopes it actually needs: tweet.read (to pull your analytics and timeline), tweet.write (to post and delete scheduled tweets), and users.read (to access your profile). That's it. XPilot does not request access to your DMs.

Encrypted token storage

Your X access token is stored encrypted at rest. Tokens are never logged, never exposed in API responses, and never sent to third parties. They are used only to make API calls on your behalf.

Encrypted connections

All traffic between your browser and XPilot, and between XPilot and the X API, uses TLS. No data is transmitted over unencrypted connections. We enforce HTTPS site-wide.

Revoke access anytime

You can disconnect XPilot from your X account at any moment, either from your XPilot account settings or directly from X's Connected Apps page (x.com > Settings > Security > Connected Apps). The moment you revoke, XPilot loses all ability to post or read your account.

How the OAuth connection works

01. You click "Connect X"

Inside XPilot, you click the connect button. XPilot generates a secure OAuth 2.0 authorization URL and redirects you to X.

02. X asks you to authorize

You see X's standard authorization screen listing the exact scopes XPilot is requesting. You are on X's domain, not XPilot's.

03. You approve

You click Authorize. X generates an access token and returns you to XPilot via a secure callback URL.

04. Token is stored encrypted

XPilot receives the token, encrypts it immediately, and stores only the encrypted version.

05. XPilot acts on your behalf

When XPilot needs to post a tweet or read analytics, it uses the token to make the X API call on your behalf.
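The two client-side halves of steps 01 and 03 above, as an added example (not XPilot's code): building the authorization URL with exactly the three scopes named on this page plus a state value and PKCE challenge, then checking the state on the callback before accepting the returned code. The client id, redirect URI and callback URL are placeholders, and the X authorize endpoint is written from memory of X's developer docs and should be treated as an assumption.

```python
import base64
import hashlib
import hmac
import secrets
from urllib.parse import urlencode, urlparse, parse_qs

# X's OAuth 2.0 authorization endpoint (assumption: as published in X's developer docs).
AUTHORIZE_URL = "https://twitter.com/i/oauth2/authorize"
# Exactly the scopes this page names; no dm.* scopes are ever requested.
SCOPES = ("tweet.read", "tweet.write", "users.read")


def _b64url(raw: bytes) -> str:
    """Base64url without '=' padding, as PKCE (RFC 7636) requires."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def new_secret() -> str:
    """Fresh random value usable as a state or a PKCE code_verifier (86 url-safe chars)."""
    return secrets.token_urlsafe(64)


def pkce_challenge(verifier: str) -> str:
    """S256 code_challenge = BASE64URL(SHA-256(code_verifier)); always 43 characters."""
    return _b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def build_authorize_url(client_id: str, redirect_uri: str, state: str, verifier: str) -> str:
    """Step 01: the URL the user is redirected to. They authenticate on X's domain, so the
    app never sees the password; state and verifier must be kept server-side per session."""
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": " ".join(SCOPES),
        "state": state,
        "code_challenge": pkce_challenge(verifier),
        "code_challenge_method": "S256",
    }
    return f"{AUTHORIZE_URL}?{urlencode(params)}"


def parse_callback(callback_url: str, expected_state: str) -> str:
    """Step 03: accept the authorization code only if the state matches what we issued.
    A mismatch means the callback was not started by our redirect and is rejected.
    The code is then exchanged for the access token at X's token endpoint (server-side)."""
    qs = parse_qs(urlparse(callback_url).query)
    if "error" in qs:
        raise PermissionError(f"authorization not granted: {qs['error'][0]}")
    got_state = qs.get("state", [""])[0]
    if not hmac.compare_digest(got_state, expected_state):
        raise ValueError("state mismatch: callback rejected")
    return qs["code"][0]
```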

What data XPilot stores

Data                      Stored?
------------------------  ----------------
X password                Never
X access token            Yes, encrypted
Your tweet analytics      Yes
Generated posts           Yes
Onboarding preferences    Yes
DMs                       No
Payment info              No

Have a security question?

If you have a concern, found a vulnerability, or just want to know more about how something works, reach out directly.

DM @alexcloudstar on X
