# Security

ExpanDrive versions 2025 and earlier do not store your credentials (passwords, keys, and authentication tokens) in the Cloud. They are always stored on your machine in the [macOS keychain](https://support.apple.com/guide/keychain-access/what-is-keychain-access-kyca1083/mac) or the [Windows Credential Vault](https://support.microsoft.com/en-us/help/4026814/windows-accessing-credential-manager). We never have access to your credentials.

We are working on a Web-based client for ExpanDrive that we intend to release in 2026. When we do, we will begin to store your credentials in the Cloud. We will provide clear notice when this transition occurs.

## Encryption

ExpanDrive uses Transport Layer Security (TLS) wherever possible to encrypt data in transit.

The only exception is plain unencrypted FTP, which transports data and credentials in plain text. Use FTPS or SFTP (SSH transport) instead of unencrypted FTP.

## Understanding OAuth2

Many cloud storage services use the OAuth2 protocol to authenticate users and issue applications like ExpanDrive an API key.

ExpanDrive opens an embedded web browser that connects you directly to Microsoft, Google, Box, Dropbox, and others so that you authenticate with them. The ExpanDrive app never sees your credentials.

After the embedded web-based authentication, the OAuth2 server issues a key that is stored on your machine. On Mac, this is the system keychain; on Windows, it is the Microsoft Windows Credential Manager. ExpanDrive never has access to the credentials you supply during the OAuth authentication process.

OAuth authentication supports multi-factor authentication (MFA) flows and SSO like ADFS, Okta, Duo, and others with no additional setup.

### OAuth2 Walk-Through

This example shows Google Drive, but the process is the same for OneDrive, OneDrive for Business, SharePoint, Dropbox, and Box.

![Authentication is performed using an embedded browser.](/files/-M1WRucvd13C0bM3ZIkj)

ExpanDrive starts the authentication by connecting directly to Google via an embedded web browser view. The ExpanDrive app never captures the user's credentials.

![After authentication a user authorizes ExpanDrive to have API access](/files/-M1WRxvqD1I4ySXdGEEg)

The web-based authentication grants the ExpanDrive app access to read from and write to the user's Google Drive account on behalf of the user.

New credentials (tokens or API keys) are created by Google to represent this grant.

This is how ExpanDrive transforms a Google Drive account into a virtual drive.
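The walk-through above follows the shape of a standard OAuth2 authorization-code flow. The sketch below is an added example, not ExpanDrive's code: it shows the only values the application side handles (an authorization URL, a returned code, and a token request), none of which is the user's password. It goes beyond the page by including `state` and PKCE (RFC 7636); `CLIENT_ID`, `REDIRECT_URI`, and the function names are hypothetical placeholders.

```python
import base64, hashlib, hmac, secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Google's documented authorization endpoint and Drive scope; the rest are placeholders.
AUTH_ENDPOINT = "https://accounts.google.com/o/oauth2/v2/auth"
SCOPE = "https://www.googleapis.com/auth/drive"
CLIENT_ID = "example-client-id"                    # hypothetical
REDIRECT_URI = "http://127.0.0.1:53682/callback"   # hypothetical loopback redirect

def start_authorization():
    """Return (url, state, verifier); the URL is what the embedded browser loads."""
    state = secrets.token_urlsafe(16)      # binds the response to this request
    verifier = secrets.token_urlsafe(48)   # PKCE code_verifier, stays in the app
    challenge = base64.urlsafe_b64encode(
        hashlib.sha256(verifier.encode()).digest()).rstrip(b"=").decode()
    query = urlencode({
        "response_type": "code", "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI, "scope": SCOPE, "state": state,
        "code_challenge": challenge, "code_challenge_method": "S256",
    })
    return f"{AUTH_ENDPOINT}?{query}", state, verifier

def handle_redirect(redirect_url, expected_state):
    """Extract the authorization code from the provider's redirect.
    A missing or mismatched state means the response is not for our request."""
    params = parse_qs(urlparse(redirect_url).query)
    if "error" in params:
        raise ValueError(f"authorization denied: {params['error'][0]}")
    state = params.get("state", [""])[0]
    if not hmac.compare_digest(state.encode(), expected_state.encode()):
        raise ValueError("state mismatch")
    code = params.get("code", [""])[0]
    if not code:
        raise ValueError("no authorization code in redirect")
    return code

def token_request_body(code, verifier):
    """Form fields POSTed to the token endpoint; the reply carries the tokens."""
    return {"grant_type": "authorization_code", "code": code,
            "redirect_uri": REDIRECT_URI, "client_id": CLIENT_ID,
            "code_verifier": verifier}
```

The tokens returned by the token endpoint are what would then be written to the OS credential store, as the page describes.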


