Credential Vault

The credential vault is Aigentic’s encrypted storage for all sensitive data. API keys, bot tokens, and other secrets are encrypted server-side before being stored. This page covers how the vault works and what it protects.

| Data Type | Examples |
| --- | --- |
| AI provider API keys | Anthropic, OpenAI, xAI, Z.AI, MiniMax keys |
| Channel bot tokens | Discord bot token, Telegram bot token |
| OAuth tokens | Slack OAuth tokens |
| Skill credentials | Third-party service API keys used by skills |
| Webhook secrets | Signing keys for outbound webhooks |

All vault data is encrypted server-side. Credentials are:

  • Encrypted before being written to storage
  • Decrypted only when needed for API calls
  • Never exposed in the browser or frontend
  • Never logged in plaintext

The encryption provides three properties:

  • Confidentiality — Encrypted data cannot be read without the decryption key.
  • Integrity — Any tampering with the stored data is detected.
  • Isolation — Each credential is independently encrypted.

When you add an API key or bot token:

  1. You enter the credential in the console.
  2. The credential is sent securely to the backend.
  3. It is encrypted and stored in the vault.
  4. The plaintext is never stored on the frontend.

When an agent needs a credential (e.g., to call an AI provider):

  1. The backend retrieves the encrypted credential from the vault.
  2. It is decrypted in memory.
  3. It is used for the API request (placed in the Authorization header).
  4. The decrypted value is not persisted.
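The page does not say which cipher Aigentic uses, so the following is an added example, not the product's own code: a minimal in-memory vault using AES-256-GCM (an assumption) that gives the three properties listed above. Each credential gets its own random nonce, its ID is bound as associated data so a record cannot be swapped between IDs, and any modification of the stored bytes is rejected on decryption.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// Vault keeps one independently encrypted record per credential ID. The master
// key stays in backend memory; assumption: a 32-byte AES-256-GCM key.
type Vault struct {
	aead    cipher.AEAD
	records map[string][]byte // id -> nonce || ciphertext || auth tag
}

func NewVault(masterKey []byte) (*Vault, error) {
	block, err := aes.NewCipher(masterKey)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &Vault{aead: aead, records: map[string][]byte{}}, nil
}

// Store encrypts under a fresh random nonce and binds the credential ID as
// associated data, so a record copied to another ID fails to open (isolation).
func (v *Vault) Store(id string, plaintext []byte) error {
	nonce := make([]byte, v.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return err
	}
	v.records[id] = v.aead.Seal(nonce, nonce, plaintext, []byte(id))
	return nil
}

// Fetch decrypts in memory only; any bit flipped in the stored record makes
// Open fail the tag check, so tampering is detected (integrity).
func (v *Vault) Fetch(id string) ([]byte, error) {
	rec, ok := v.records[id]
	n := v.aead.NonceSize()
	if !ok || len(rec) < n {
		return nil, errors.New("credential not found")
	}
	return v.aead.Open(nil, rec[:n], rec[n:], []byte(id))
}
```

The caller uses the returned bytes only to build the outgoing Authorization header and drops them afterwards; nothing in the vault ever holds the plaintext at rest.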

To rotate a credential:

  1. Generate a new key/token from the provider.
  2. Update the credential in the Aigentic console.
  3. The old credential is replaced with the new one in the vault.
  4. The new credential takes effect immediately.

Deleting a credential removes it from the vault entirely. Any agents or channels that depend on it will stop functioning until a new credential is provided.

The vault stores only sensitive secrets. The following are stored separately:

  • Conversation history
  • Agent configuration (name, model, system prompt)
  • Application settings
  • Audit logs

Recommended practices for managing credentials in the vault:

  1. Use unique API keys — Generate a separate API key for Aigentic rather than reusing keys from other services. This makes rotation easier and limits blast radius.

  2. Rotate keys periodically — Update your credentials every 90 days or whenever you suspect exposure.

  3. Monitor provider dashboards — Check your AI provider’s usage dashboard for unexpected activity that might indicate a compromised key.

  4. Revoke immediately if compromised — If you suspect a key has been exposed, revoke it at the provider and add a new one to Aigentic.

  5. Use provider-level restrictions — Some providers allow IP allowlisting or rate limiting on API keys. Enable these for additional protection.