Your data is safe with us
Security is a core part of how Moni Budget is built, not an afterthought. Here's what we do to protect your data.
Passwords are hashed with bcrypt before storage. We never store plain-text credentials.
Protect your account with TOTP-based 2FA using any authenticator app (Google Authenticator, Authy, etc.).
All traffic is served over HTTPS with TLS. Data in transit is always encrypted.
Your financial data is never sold to third parties.
Our security practices
Session management. Sessions are signed with a secret key and expire after a configurable inactivity period. Session tokens are stored in HttpOnly cookies so that client-side JavaScript cannot read them.
Authentication flow. Moni Budget uses NextAuth v5 with a credentials provider. The two-phase login (password → TOTP) ensures that stolen passwords alone are not enough to access an account with 2FA enabled.
Data isolation. Every query is scoped to the authenticated user's ID. It is not possible to read or modify another user's data through the API.
Open source. The application code is open source. You can audit it, self-host it, or contribute improvements.