Security Practices

All credentials stored in Token Vault are encrypted using AES-256-GCM, an authenticated encryption algorithm that provides both confidentiality and integrity. Each token is encrypted with a unique nonce, preventing pattern analysis across stored credentials.

All communication with Token Vault uses TLS 1.3. API endpoints enforce HTTPS. HSTS headers with preload are served on all responses to prevent protocol downgrade attacks.

In webhook-sovereign mode, your webhook server owns the encryption key. Token Vault only stores encrypted blobs and metadata. It is mathematically impossible for Token Vault to decrypt your credentials without your webhook's active cooperation. Take the webhook offline and all access stops instantly.

Agent API keys are scoped and time-limited. Each agent receives only the specific credentials it needs, with automatic expiry. ABAC (Attribute-Based Access Control) policies enable fine-grained rules including time windows, IP allowlists, rate limits, geo-restrictions, and manual approval flows.

Every credential access, agent grant, policy evaluation, and administrative action is recorded in an immutable audit log. Review who accessed what, when, and from where in the dashboard.

Token Vault runs on Google Cloud Platform. The backend API is deployed on Cloud Run with automatic scaling and isolation. Data is stored in Firestore with Google-managed encryption at rest. Authentication is handled by Firebase Auth. All infrastructure is in the europe-west4 region.

In webhook mode, taking your webhook server offline immediately disables all access to your credentials. No one, including Token Vault, can decrypt anything without your webhook's cooperation. Bring it back online and everything resumes instantly. This is by design.