Security is the product, not a feature.
Paamship handles real orders for real businesses. We treat every credential and every customer record with the care that demands.
OAuth 2.0 with PKCE
Shops are connected through Etsy’s official OAuth flow using PKCE. We never see or store your Etsy password, and you can revoke access at any time from your Etsy account.
AES-256-GCM encryption at rest
Every access and refresh token is encrypted with authenticated AES-256-GCM before it touches the database. Decryption happens only inside secured server processes.
Secrets stay server-side
API keys, tokens, and signing secrets are never exposed to the browser or returned in any client response. They live only in the server runtime.
HMAC-verified webhooks
Every inbound event is verified with an HMAC signature and a strict timestamp window to prevent replay attacks. Unverified payloads are rejected outright.
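The webhook check described above, shown as an added example that is not Paamship's code. It assumes an HMAC-SHA256 signature over `<timestamp>.<body>` and a 300-second window; the names `sign` and `verify_webhook` and all sample values are hypothetical.

```python
import hashlib
import hmac
import time

TOLERANCE_SECONDS = 300  # assumed replay window; the page does not state one


def sign(secret: bytes, timestamp: str, body: bytes) -> str:
    """HMAC-SHA256 over "<timestamp>.<body>" (assumed signing scheme)."""
    message = timestamp.encode("ascii") + b"." + body
    return hmac.new(secret, message, hashlib.sha256).hexdigest()


def verify_webhook(secret, timestamp, signature, body, now=None,
                   tolerance=TOLERANCE_SECONDS) -> bool:
    """Return True only for a fresh, correctly signed payload."""
    # Missing, non-numeric or non-ASCII timestamp headers are rejected.
    if not (isinstance(timestamp, str) and timestamp.isascii()
            and timestamp.isdigit()):
        return False
    now = time.time() if now is None else now
    # Reject stale and far-future timestamps alike.
    if abs(now - int(timestamp)) > tolerance:
        return False
    # The timestamp is part of the signed message, so a captured request
    # cannot be given a fresh timestamp without invalidating the signature.
    expected = sign(secret, timestamp, body)
    try:
        # Constant-time comparison avoids leaking a partial match via timing.
        return hmac.compare_digest(expected, signature)
    except TypeError:
        return False  # signature header missing or not ASCII text


# Constructed sample values, not real credentials or events.
SECRET = b"example-signing-secret"
BODY = b'{"event":"order.paid","order_id":"1001"}'
SENT_AT = "1700000000"
SIGNATURE = sign(SECRET, SENT_AT, BODY)
```

The signature must be computed over the raw request bytes as received; re-serializing parsed JSON before verification can change the bytes and fail valid payloads.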
Least-privilege scopes
We request only the permissions shipping requires. No listing access, no billing access, and no buyer email addresses — by design, not by promise.
Tenant isolation
Each connected shop’s credentials and data are strictly isolated. One shop’s token is never used to access another shop’s data.
Responsible disclosure
Found a vulnerability or have a security question? We want to hear from you. Email support@paamship.com and we’ll respond promptly.