Skip to main content
Swiftgum ensures that tokens (user OAuth tokens) and API credentials (e.g., client secrets) are stored in an encrypted format—minimizing risk even if the database is compromised.
Why Encryption Matters Storing tokens in plaintext is a major security risk. Swiftgum uses an encryption key to scramble all sensitive fields, preventing unauthorized use or exposure.
Implementation DetailsMaster Encryption Key
  • Configured via ENCRYPTION_KEY (or a secrets manager if self-hosted).
  • Used to encrypt/decrypt fields such as encrypted_tokenset and encrypted_credentials.
AES-256 (Recommended)
  • We default to strong ciphers (AES-256-GCM or AES-256-CBC) to ensure secure encryption.
  • A unique Initialization Vector (IV) is generated for each record.
Secure Storage
  • Depending on your deployment, encrypted fields may live in Postgres or a dedicated vault.
  • No plaintext secrets are written to logs or public console output.

Strong Cipher

AES-256-GCM / AES-256-CBC ensures robust encryption.

Unique IV

Each record gets its own initialization vector.
All Swiftgum endpoints must be accessed via HTTPS. This ensures that data in transit (including tokens) isn’t exposed to eavesdroppers or man-in-the-middle attacks.
  • Custom SSL: For self-hosted setups, add an SSL certificate to your server or load balancer.
  • Cloud: Swiftgum Cloud enforces TLS by default.
Key Generation
  • Use a strong, randomly generated string for your ENCRYPTION_KEY.
  • Avoid guessable passphrases or storing the key in source control.
Rotation
  • Periodically rotate your encryption key.
  • Swiftgum provides a tool/CLI to re-encrypt existing records with a new key.
  • Warning: Ensure you have backups and a tested rotation process to avoid data loss.
  • Admin-Only: Only administrators can configure or rotate encryption keys.
  • Zero-Knowledge: The raw key is never displayed in the admin UI or logs.
  • Encryption Logs: When specific fields are decrypted or re-encrypted, an event is recorded.
  • Compliance: Strong encryption supports compliance with GDPR, HIPAA, and SOC 2 data security requirements.
After ensuring your tokens and credentials are protected at rest (and in transit), review our RBAC & Permissions guide for more details on controlling data access.