Sessions & security
Per-account session isolation
Each account has its own persistent, isolated browser session (persist:{service}-{id} partition). Cookies, LocalStorage, IndexedDB, and cache are separated per account, so multiple accounts of the same service stay unmixed.
Login credentials (cookies, etc.) are stored only on your device. mokumokuren never sends them anywhere.
- Hiding a column preserves its session (it comes back signed in).
- Deleting an account permanently deletes its session data (irreversible).
MCP server safety
When MCP integration is enabled, the server listens under these conditions (see MCP integration):
- Bound to 127.0.0.1 (localhost only) — never exposed to the network.
- Requires a local token on every request.
- Origin validation (DNS-rebinding protection).
- Active only while the app is running.
Delivery and sending
Delivery only fills the compose form. You review and send the final post yourself on each SNS's web page. mokumokuren never sends a post automatically.
Billing (Pro)
- Card details are never handled by the app — payment happens in the external browser (Stripe).
- Authentication and entitlement are managed securely through Firebase.
Disclaimer
Because a desktop app runs locally, perfect copy protection isn't possible. Important protections are enforced by server-side verification.