Security & credentials
Encryption, auth, audit logs, key rotation, and production hardening.
Overview
API keys are encrypted at rest with AES-256-GCM. Decryption happens only in memory during billing sync. Every decrypt event is audit-logged without storing the secret.
Credential flow
- 1
Server-side connect
Keys travel from the form to a Next.js Server Action — never stored in the browser or localStorage.
- 2
Immediate encryption
The connectors service encrypts with AES-256-GCM using an environment master key (AWS KMS in production).
- 3
Isolated sync
Only the sync worker decrypts in memory, calls provider billing APIs, and discards the plaintext.
- 4
No re-exposure
The API never returns the full key — only a masked fingerprint.
Platform controls
- AES-256-GCM at rest — Active
- JWT gateway auth — Active
- Workspace isolation — Active
- Credential audit log — Active
- Gateway rate limiting — Active
- Key rotation (primary + previous ring) — Ready
- AWS KMS (ENCRYPTION_KEY_PROVIDER=kms) — Ready
- TLS via nginx (BEHIND_TLS=true) — Ready
What we never do
- Store keys in plain text
- Include secrets in logs or error messages
- Proxy your production API traffic
- Request write permissions when read-only billing suffices
- Share credentials across workspaces
Audit log
Decrypt, store, remove, and re-encrypt events are recorded with workspace, connector, provider, actor, and timestamp. View the live log in the app under Security → Trust center.
Encryption key rotation
Production deployments support primary and previous encryption keys for zero-downtime rotation. Credentials are re-encrypted through an admin operation — contact security@apiwhere.com for enterprise rotation runbooks.
Production posture
- AES-256-GCM encryption at rest with optional KMS-backed master keys
- TLS for all client and service-to-service traffic
- Workspace-isolated JWT auth on every API call
- Credential decrypt audit log with actor and timestamp
- Quarterly key rotation recommended for regulated environments