Honest answers to the questions a security-conscious user should ask before installing a browser extension that touches sportsbook accounts. If something here is unclear, open an issue on the GitHub repo.
What the extension CAN see
The HTML of the bet-history page on the 10 supported books, but only when you click the Sync button (no background scraping).
The NuroPicks API token you paste into the popup. It is kept in chrome.storage.local, which web pages and other extensions cannot read. Caveat: Chrome does not encrypt that store on disk, so anything that can read your Chrome profile directory (malware, another OS user with access to your files) can read the token too; that is what the per-device revocation described below is for.
The URL of your active tab when you click Sync (used to verify you're on a supported book before scraping).
What the extension CANNOT see
Your sportsbook password, 2FA code, saved cards, or banking info. The extension never runs on a login or payment page and never reads form fields; the scraper only reads the bet-history table, and only after you click Sync. To be precise about the Chrome side: host permissions on a domain would technically let a content script read any page on that domain, so this guarantee comes from what the open-source code does, not from an API restriction. That is why the source is public and why you should read the content script before trusting any extension with host permissions on a sportsbook.
Other tabs you have open. The manifest requests only `activeTab` plus host permissions for the 10 supported books, not the `tabs` permission, so the extension cannot see URLs of tabs outside those hosts, and the code only ever touches the tab you clicked Sync on.
Browsing history, bookmarks, downloads, or cookies for any other site.
Your IP address, beyond what nuropicks.com already sees when you visit the site: the sync POST goes from your browser to nuropicks.com like any other page request, no third-party host is contacted, and the extension sends nothing that identifies you differently from normal browsing.
What goes over the wire
Per bet, the extension POSTs to nuropicks.com/api/account/booksync/import with a JSON body containing:
book_source (e.g. "draftkings")
book_external_id (the book's own bet/entry/ticket id, used for dedup)
stake (in cents)
odds_american
market, pick_text, sport, game
result (win/loss/push/pending), settled_at
potential_win (in cents)
placed_at
That's it. No browser metadata, no device fingerprint, no cookies, no IP-based tracking, no session token from the book. The request is authenticated with your NuroPicks token sent in the Authorization header. Note that this is a bearer credential, not a signature: the body is not signed, TLS is what protects it in transit, and anyone holding the token can make the same request, which is why the hashing and revocation described below matter.
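To make the "that's it" concrete, here is an added example (not the extension's own code) of how a popup can build the import request so that only the fields listed above can ever leave the browser: an allow-list is applied after the scraped bet is normalised, money is converted to integer cents without float drift, and the fetch is made without cookies. The field names and URL are the ones the page documents; the function names, the `Bearer` scheme, and the shape of the scraped-bet object are assumptions for illustration.

```javascript
// Added example, not the extension's own code. Assumptions: the popup receives a
// loosely-typed object from the scraper, and the API expects "Bearer <token>".
const IMPORT_URL = 'https://nuropicks.com/api/account/booksync/import';

// Exactly the fields the page lists. Anything else the scraper picked up is dropped.
const ALLOWED_FIELDS = [
  'book_source', 'book_external_id', 'stake', 'odds_american',
  'market', 'pick_text', 'sport', 'game',
  'result', 'settled_at', 'potential_win', 'placed_at',
];
const RESULTS = new Set(['win', 'loss', 'push', 'pending']);

// "$12.50", "12.5" or "12" -> integer cents, parsed as text so 0.1+0.2 style drift never appears.
function toCents(amount) {
  const m = String(amount).trim().replace(/[$,]/g, '').match(/^(\d+)(?:\.(\d{1,2}))?$/);
  if (!m) throw new Error(`bad amount: ${amount}`);
  return Number(m[1]) * 100 + Number((m[2] || '0').padEnd(2, '0'));
}

// Normalise one scraped bet into the documented wire shape, validating as we go.
function buildImportPayload(scraped) {
  const bet = {
    book_source: String(scraped.book_source),
    book_external_id: String(scraped.book_external_id), // the book's own id, used for dedup
    stake: toCents(scraped.stake),
    odds_american: Number(scraped.odds_american),
    market: scraped.market, pick_text: scraped.pick_text,
    sport: scraped.sport, game: scraped.game,
    result: scraped.result,
    settled_at: scraped.settled_at ?? null, // pending bets have no settlement time
    potential_win: toCents(scraped.potential_win),
    placed_at: scraped.placed_at,
  };
  if (!RESULTS.has(bet.result)) throw new Error(`bad result: ${bet.result}`);
  if (!Number.isInteger(bet.odds_american) || bet.odds_american === 0) {
    throw new Error(`bad odds: ${scraped.odds_american}`);
  }
  // Allow-list pass: even a future copy/paste mistake above cannot add a field to the wire.
  const out = {};
  for (const k of ALLOWED_FIELDS) if (k in bet) out[k] = bet[k];
  return out;
}

// The request as it leaves the browser: JSON body, token in Authorization, no cookies.
// (In the real extension the token would come from chrome.storage.local.)
function buildImportRequest(token, payload) {
  return {
    url: IMPORT_URL,
    init: {
      method: 'POST',
      credentials: 'omit', // never attach nuropicks.com cookies to the sync call
      headers: { 'Content-Type': 'application/json', Authorization: `Bearer ${token}` },
      body: JSON.stringify(payload),
    },
  };
}

// Constructed sample: what a scraper might hand back, including a field that must never be sent.
const SAMPLE_SCRAPED = {
  book_source: 'draftkings', book_external_id: 'DK-12345',
  stake: '$25.00', odds_american: '-110',
  market: 'spread', pick_text: 'Chiefs -3.5', sport: 'NFL', game: 'Chiefs @ Raiders',
  result: 'win', settled_at: '2024-01-07T23:10:00Z',
  potential_win: '22.73', placed_at: '2024-01-07T17:00:00Z',
  session_cookie: 'should-never-leave-the-browser',
};

// Stand-alone run: print the exact bytes that would go over the wire.
console.log(buildImportRequest('<token>', buildImportPayload(SAMPLE_SCRAPED)).init.body);
```

The allow-list pass is the part worth copying: if the scraper ever starts returning extra DOM data, it still cannot reach the API, and a reviewer can diff `ALLOWED_FIELDS` against this page in seconds.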
Token: what it is, what it can do
Issued at /account/booksync, shown exactly once; only its SHA-256 hash is persisted server-side. A plain, unsalted hash is adequate here only because the token is a long random string rather than a password: there is nothing to brute-force from the hash. It also means nobody, including support, can recover a token for you; if you lose it, you mint a new one.
Scope: append bets to YOUR ledger only. Cannot read other users' data, cannot mint other tokens, cannot place real-money bets.
Per-device labels (e.g. "home laptop", "work"). Revoke any one without affecting the others.
Lost a device? Revoke the token. The thief now holds an inert string.
What happens during a NuroPicks breach
Worst-case scenario, an attacker gains read access to our Postgres:
They DO see: the hashed (SHA-256) form of your tokens, your imported bet rows, your discord_id linkage.
They DO NOT see: your sportsbook credentials (we never had them), your actual token (only the hash, which cannot be reversed into the token and is not itself accepted by the API), your funding sources, or the token of any other user.
Recovery posture: bulk token rotation via a one-line UPDATE on np_booksync_keys.revoked_at. Users mint fresh tokens, paste them into the extension popup, sync continues.