apiwhere

Security & credentials

Encryption, auth, audit logs, key rotation, and production hardening.

Overview

API keys are encrypted at rest with AES-256-GCM. Decryption happens only in memory during billing sync. Every decrypt event is audit-logged without storing the secret.

Credential flow

  1. 1

    Server-side connect

    Keys travel from the form to a Next.js Server Action — never stored in the browser or localStorage.

  2. 2

    Immediate encryption

    The connectors service encrypts with AES-256-GCM using an environment master key (AWS KMS in production).

  3. 3

    Isolated sync

    Only the sync worker decrypts in memory, calls provider billing APIs, and discards the plaintext.

  4. 4

    No re-exposure

    The API never returns the full key — only a masked fingerprint.

Platform controls

  • AES-256-GCM at rest — Active
  • JWT gateway auth — Active
  • Workspace isolation — Active
  • Credential audit log — Active
  • Gateway rate limiting — Active
  • Key rotation (primary + previous ring) — Ready
  • AWS KMS (ENCRYPTION_KEY_PROVIDER=kms) — Ready
  • TLS via nginx (BEHIND_TLS=true) — Ready

What we never do

  • Store keys in plain text
  • Include secrets in logs or error messages
  • Proxy your production API traffic
  • Request write permissions when read-only billing suffices
  • Share credentials across workspaces

Audit log

Decrypt, store, remove, and re-encrypt events are recorded with workspace, connector, provider, actor, and timestamp. View the live log in the app under Security → Trust center.

Encryption key rotation

Production deployments support primary and previous encryption keys for zero-downtime rotation. Credentials are re-encrypted through an admin operation — contact security@apiwhere.com for enterprise rotation runbooks.

Production posture

  • AES-256-GCM encryption at rest with optional KMS-backed master keys
  • TLS for all client and service-to-service traffic
  • Workspace-isolated JWT auth on every API call
  • Credential decrypt audit log with actor and timestamp
  • Quarterly key rotation recommended for regulated environments