Is Yoto Guardian Safe? Security and Privacy for Parents

Yoto Guardian is built by parents, for parents. Security and privacy are treated as core requirements, not afterthoughts. This page documents the specific measures in place to protect your Yoto account credentials, your Guardian account, and your family's data.

How Yoto Account Access Works

Yoto Guardian connects to your Yoto account using OAuth with PKCE (Proof Key for Code Exchange) — the same authentication method used by the official Yoto app. During the linking process, you log in to Yoto directly on Yoto's own website. Yoto Guardian never sees your Yoto password.

After authorization, Yoto issues OAuth access tokens to Yoto Guardian. These tokens are what Guardian uses to communicate with the Yoto API on your behalf. You can re-link your Yoto account from Settings, and support can assist with account disconnection requests.

AES-256-GCM Encryption for Stored Tokens

Yoto OAuth tokens are encrypted using AES-256-GCM before being stored in the database. AES-256-GCM is an authenticated encryption standard — it both encrypts the data (making it unreadable without the key) and verifies its integrity (detecting any tampering).

If you use the optional AI metadata features in the Library Manager, your Anthropic or OpenAI API keys are also encrypted with AES-256-GCM before storage. You can delete stored API keys at any time from Settings.

JWT Authentication with Short Expiry

Yoto Guardian uses JWT (JSON Web Token) access tokens for session management:

• Access tokens expire after 15 minutes, limiting the window of exposure if a token were compromised
• Refresh tokens last 7 days and are rotated on each use — the old refresh token is invalidated when a new one is issued
• Refresh token reuse detection: if a refresh token is used more than once (which would indicate a stolen token), the entire token family is revoked, forcing re-authentication

Session tokens are stored in httpOnly, secure cookies — they are not accessible to JavaScript on the page, protecting against cross-site scripting (XSS) attacks.

CSRF Protection

All state-changing requests (POST, PUT, DELETE, PATCH) require a CSRF (Cross-Site Request Forgery) token in addition to the session cookie. The CSRF token is HMAC-SHA256 signed and validated on the server. This prevents malicious websites from making unauthorized requests using your session. GET and HEAD requests are exempt since they do not modify data.

HTTPS and Data in Transit

All communication between your browser and Yoto Guardian servers uses HTTPS with TLS encryption. All communication between Yoto Guardian's servers and Yoto's cloud API also uses HTTPS. No data is transmitted over unencrypted connections.

Password Security

Yoto Guardian account passwords are hashed using industry-standard one-way hashing algorithms before storage. Plain-text passwords are never stored or logged.

Children's Privacy

Yoto Guardian is designed for parents and caregivers, not children. The service does not collect personal information directly from children. Account creation and management is performed by the parent or caregiver.

The only child-related data stored is:

• Device names and identifiers (from the parent's Yoto account)
• Playback events (what card was playing, track changes, play/pause events)
• Daily listening time totals
• Device configuration (quiet time schedules, daily limits, playback rules)

This data is necessary to enforce parental controls and display the listening dashboard. We do not knowingly collect personal information from children under 13.

Cookies

Yoto Guardian itself uses essential first-party cookies only: an authentication session token (httpOnly, secure, not accessible to JavaScript) and a CSRF token (readable by JavaScript on the same origin, required for request validation). We do not use first-party tracking or advertising cookies. Marketing pages also embed a Ko-fi donation widget, and that third-party service may set cookies under its own domain and privacy policy.

Data Sharing

Yoto Guardian does not sell, rent, or trade your personal information. Data is shared only in these limited circumstances:

• With Yoto's API: To operate the service, commands are sent to and data is received from Yoto's cloud infrastructure using your OAuth tokens.
• With AI providers (optional): If you use AI-powered library features, audiobook metadata may be sent to Anthropic or OpenAI using your configured key, or via Yoto Guardian-provided access when available.
• Legal requirements: When required by law or legal process.

Your Data Controls

• Delete account: Request account and data deletion by contacting [email protected].
• Yoto account connection: You can re-link your Yoto account from Settings. For account disconnection requests, contact [email protected].
• Delete AI API keys: Remove stored AI keys at any time from Settings.
• Data export: Contact [email protected] to request a copy of your data.

Independent Product

Yoto Guardian is an independent product built by Coe Code LLC. It is not made by, endorsed by, or affiliated with Yoto Ltd. It connects to Yoto's official cloud API using the same OAuth mechanism as the official Yoto app. Coe Code LLC is based in Missoula, Montana, USA. Questions or concerns about security can be sent to [email protected].

Frequently Asked Questions