Security

Tenant API keys encrypted at rest

Workspace API keys are now AES-256-GCM encrypted before they touch the database. Dashboard sessions also stop surviving a closed tab.

Two changes that close long-standing hardening items.

  • Workspace API keys are encrypted at rest in the format ivHex:authTagHex:cipherHex. The same wrapper is reused everywhere we store a secret, so there is one cryptographic path to audit.
  • Reads are backward-compatible with legacy plaintext rows. If decryption ever fails, the read returns null rather than leaking the stored ciphertext through an error path.
  • Dashboard session tokens moved from localStorage to sessionStorage so they are scoped to the browser tab and do not survive a tab close.
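
The storage format and read behaviour from the first two items above, sketched in Node.js as an added example (not the product's own code). The function names, the 12-byte IV and 16-byte tag sizes, and the rule that any value not matching the three-field hex pattern is treated as a legacy plaintext row are assumptions.

```javascript
const { createCipheriv, createDecipheriv, randomBytes } = require('node:crypto');

// Assumed field sizes: 12-byte IV (24 hex chars) and 16-byte GCM tag (32 hex chars).
const ENCRYPTED_ROW = /^([0-9a-f]{24}):([0-9a-f]{32}):((?:[0-9a-f]{2})*)$/;

// Returns "ivHex:authTagHex:cipherHex". `key` must be a 32-byte Buffer.
function encryptSecret(plaintext, key) {
  const iv = randomBytes(12); // fresh IV on every write; never reuse one with the same key
  const cipher = createCipheriv('aes-256-gcm', key, iv);
  const ct = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
  return [iv, cipher.getAuthTag(), ct].map((b) => b.toString('hex')).join(':');
}

// Returns the secret, or null when an encrypted row cannot be authenticated.
function readSecret(stored, key) {
  if (typeof stored !== 'string') return null;
  const m = ENCRYPTED_ROW.exec(stored);
  if (!m) return stored; // assumed rule: not in the encrypted format, so a legacy plaintext row
  try {
    const decipher = createDecipheriv('aes-256-gcm', key, Buffer.from(m[1], 'hex'), {
      authTagLength: 16,
    });
    decipher.setAuthTag(Buffer.from(m[2], 'hex'));
    const pt = Buffer.concat([decipher.update(Buffer.from(m[3], 'hex')), decipher.final()]);
    return pt.toString('utf8');
  } catch {
    // Wrong key or modified row: swallow the error so neither the stored
    // ciphertext nor crypto error detail reaches the caller or its logs.
    return null;
  }
}

// Constructed demo values, not real credentials.
const demoKey = Buffer.alloc(32, 1);
const demoRow = encryptSecret('ws_key_constructed_example', demoKey);
console.log(demoRow.split(':').map((part) => part.length)); // field lengths in hex chars
console.log(readSecret(demoRow, demoKey));
console.log(readSecret('legacy-plaintext-key', demoKey));
```

Because format detection is by pattern under this assumption, a legacy plaintext value that happened to look like three hex fields would read back as null rather than as the key.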