Encrypted data transport

ExpanDrive utilizes Transport Layer Security (TLS) wherever possible to ensure secure encrypted data transport. In fact, most cloud storage APIs require this. The only exception is plain unencrypted FTP, which transports data and credentials in plain text. It is strongly recommended you use FTPS or SFTP (SSH transport).


Security is a critical component of ExpanDrive. ExpanDrive is client-only software, which means it lives only on your computer and it communicates directly with your server or to your cloud storage service of choice. We maintain no intermediate server and never have access to any of your credentials or login tokens. It’s a direct connection between you and your data, nothing else. Passwords and API tokens are securely stored on your machine in the macOS keychain or the Windows Credential Vault.

Understanding OAuth 2

Many cloud storage services utilize the OAuth 2 protocol to authenticate users and provide applications like ExpanDrive an API key for usage. ExpanDrive opens an embedded web browser connecting you to directly to Microsoft, Google, and others so that you can authenticate directly with them without the ExpanDrive app ever needing to capture and save your credentials. It also allows existing multifactor authentication flows and SSO setups like ADFS, Okta, Duo and others to work seamlessly without any special setup. At the end of the embedded web-based authentication step the OAuth server issues and API key which ExpanDrive securely stores on your machine.

Authentication walk-through

In this example we are showing Google Drive but the process is the same for Google Drive, OneDrive, Dropbox, Box, Hubic, OneDrive for Business.

A user first authenticates themselves by connecting directly to Google via an embedded web browser view. The ExpanDrive app never captures the user’s credentials.

The user now grant’s API access to the ExpanDrive app – this allows the ExpanDrive app to read and write from the user’s Google Drive account on behalf of the user. This is how ExpanDrive is able to transform for Google Drive account into a virtual drive.


Now that a user has authenticated, we store the API key securely. The default location is to store the API in the system Keychain on the Mac or encrypted in the Microsoft Windows Credential Manager. There are other options available for customized builds to store the API key in a centrally managed location, please contact support if you’re interested. ExpanDrive, Inc. never has access to a user’s API key or credentials, nor does it have the ability to access them.


The storage service API enforces all of the permissions and settings for a given user. ExpanDrive can only see what files and folders a user has access to, and nothing else. We present the data provided via the API.

Questions? Ask away

Security is an important and often complicated topic, if you have any questions don’t hesitate to email

Last updated