apiwhere

Security

Read-only
by design.

APIWhere reads billing and usage from your providers on a schedule. Your application traffic never routes through us — credentials exist to sync invoices and meters, not to call your APIs in production.

Controls

What we implement today

At rest
AES-256-GCM in Postgres. Plaintext keys are not written to disk.
In use
Decrypted in memory during a sync job, then discarded. Decrypt events are audit-logged.
In transit
TLS between browser, frontend, gateway, and connectors service.
Access
JWT per workspace. Gateway auth on every API call. No cross-tenant reads.

Credential flow

From connect
to sync.

Four steps. No hidden paths.

  1. 01

    Sign in

    Google or GitHub OAuth when your workspace access opens. Session is a signed JWT — API keys are not kept in the browser.

  2. 02

    Connect

    Keys are submitted via a server action to the gateway over TLS. The client never persists them.

  3. 03

    Encrypt

    Connectors service encrypts with AES-256-GCM before writing to Postgres. Production can use a KMS-backed master key.

  4. 04

    Sync

    On schedule, a job decrypts in RAM, calls the provider billing API, writes normalized spend/usage, and exits.

Scope

What we touch
and what we don't.

In scope

  • Provider billing and usage endpoints (invoices, CUR, metered usage)
  • Scheduled sync jobs initiated by APIWhere
  • Encrypted credential storage for connectors you attach
  • Audit log of credential decrypt and connector changes

Out of scope

  • Proxying or inspecting your app → provider requests
  • Storing production payloads, prompts, or customer data
  • Write access to cloud infrastructure beyond billing read APIs
  • Returning raw API keys to the browser after connect

Common questions

Do you store my API keys?

Yes — encrypted. They are required to pull billing on your behalf. We do not store plaintext and we do not echo keys back in the UI or API responses.

Can APIWhere see my production traffic?

No. We call billing and usage endpoints only. Traffic between your services and OpenAI, Stripe, AWS, etc. does not pass through APIWhere.

What permissions do connectors need?

Read-only billing or usage scopes where the provider allows it. Each integration documents the minimum scopes in Connectors and in the docs.

How do I revoke access?

Disconnect the provider in Connectors. The encrypted credential is deleted and scheduled sync stops on the next cycle.

Questions? security@apiwhere.com · hello@apiwhere.com · Documentation