Security Practices
Token Vault is built from the ground up to protect your credentials. Here is how we secure your data at every layer.
Encryption at Rest
In webhook-sovereign mode your webhook encrypts credentials with a key it alone holds, using AES-256-GCM with a unique nonce per credential. Token Vault never performs the encryption and never holds the key — it stores only opaque blobs and metadata it cannot read. The encryption key never leaves your server.
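A minimal sketch of the webhook-side encryption described above, added here as an illustration and not taken from Token Vault's own code. The function names, the `credentialId` associated-data binding, and the `nonce || tag || ciphertext` blob layout are assumptions made for this example.

```javascript
// Added example (not Token Vault code): sealing one credential on the
// webhook server with AES-256-GCM, using only Node's built-in crypto module.
const crypto = require('node:crypto');

const NONCE_LEN = 12; // 96-bit nonce, the size GCM is designed around
const TAG_LEN = 16;   // 128-bit authentication tag

// Encrypt one credential. credentialId (hypothetical field) is bound as
// associated data so a blob cannot be swapped onto another credential's record.
function sealCredential(key, credentialId, plaintext) {
  if (key.length !== 32) throw new Error('AES-256 requires a 32-byte key');
  const nonce = crypto.randomBytes(NONCE_LEN); // fresh for every credential
  const cipher = crypto.createCipheriv('aes-256-gcm', key, nonce);
  cipher.setAAD(Buffer.from(credentialId, 'utf8'));
  const ct = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
  // Opaque blob handed to the storage side (assumed layout): nonce || tag || ct
  return Buffer.concat([nonce, cipher.getAuthTag(), ct]).toString('base64');
}

// Decrypt a blob. Returns null when the key, the credential ID or any byte of
// the blob is wrong: GCM authentication fails closed, nothing is released.
function openCredential(key, credentialId, blobB64) {
  const blob = Buffer.from(blobB64, 'base64');
  if (blob.length < NONCE_LEN + TAG_LEN) return null; // truncated blob
  const nonce = blob.subarray(0, NONCE_LEN);
  const tag = blob.subarray(NONCE_LEN, NONCE_LEN + TAG_LEN);
  const ct = blob.subarray(NONCE_LEN + TAG_LEN);
  try {
    const decipher = crypto.createDecipheriv('aes-256-gcm', key, nonce,
      { authTagLength: TAG_LEN });
    decipher.setAAD(Buffer.from(credentialId, 'utf8'));
    decipher.setAuthTag(tag);
    return Buffer.concat([decipher.update(ct), decipher.final()]).toString('utf8');
  } catch (err) {
    return null; // wrong key, wrong ID, or tampered data
  }
}

// Constructed sample values, for demonstration only.
const demoKey = crypto.randomBytes(32); // in practice: the key held by the webhook
const demoBlob = sealCredential(demoKey, 'cred-demo-1', 'constructed-api-token');
console.log('stored blob:', demoBlob);
console.log('round trip :', openCredential(demoKey, 'cred-demo-1', demoBlob));
```

The storage side only ever sees the base64 blob; without the 32-byte key held by the webhook, `openCredential` cannot succeed.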
Encryption in Transit
All communication with Token Vault uses TLS 1.3. API endpoints enforce HTTPS. HSTS headers with preload are served on all responses to prevent protocol downgrade attacks.
Zero-Knowledge Architecture
In webhook-sovereign mode, your webhook server owns the encryption key. Token Vault only stores encrypted blobs and metadata. It is mathematically impossible for Token Vault to decrypt your credentials without your webhook's active cooperation. Take the webhook offline and all access stops instantly.
Access Controls and Scoped Grants
Agent API keys are scoped and time-limited. Each agent receives only the specific credentials it needs, with automatic expiry. Policies enable fine-grained rules including time windows, IP allowlists, rate limits, geo-restrictions, and manual approval flows.
Audit Logging
Every credential access, agent grant, policy evaluation, and administrative action is recorded in an immutable audit log. Review who accessed what, when, and from where in the dashboard.
Infrastructure Security
Token Vault runs on Google Cloud Platform. The backend API is deployed on Cloud Run with automatic scaling and isolation. Control-plane data (identities, grants, policies, and audit metadata) is stored in Firestore with Google-managed encryption at rest — credentials never touch Token Vault's database. Authentication is handled by Firebase Auth. All infrastructure is in the europe-west4 region.
Webhook Kill Switch
In webhook mode, taking your webhook server offline immediately disables all access to your credentials. No one, including Token Vault, can decrypt anything without your webhook's cooperation. Bring it back online and everything resumes instantly. This is by design.
Responsible Disclosure
If you discover a security vulnerability in Token Vault, please report it responsibly. Contact us at [email protected] with details of the vulnerability. We will acknowledge receipt within 48 hours and work with you to understand and address the issue.
Please do not publicly disclose the vulnerability until we have had a chance to investigate and release a fix.