Secure Credential Management in AxonOS

AxonOS is designed with strong, zero-trust principles to protect user credentials. This document outlines how credentials are encrypted, stored, and accessed — and why users can trust AxonOS with sensitive data.

Why Your Credentials Are Safe

End-to-End Encryption

  • Secrets (API keys, passwords) are encrypted client-side with the user's public key before being transmitted.
  • The backend never sees your credentials in plaintext at any point.

Public/Private Key Separation

  • Each user has a unique asymmetric key pair.
  • The public key is shared with the browser to encrypt data.
  • The private key remains securely stored and inaccessible outside the backend.

Secure Storage with Vault

  • Encrypted secrets are stored in a dedicated HashiCorp Vault instance.
  • Vault ensures:
    • Strict access control
    • Time-limited, revocable tokens
    • Storage encryption at rest
    • Audit logs and seal/unseal control

Zero Knowledge Architecture

  • The platform is architected to know nothing about your credentials.
  • Decryption occurs only at runtime, only for authorized workflows, and only inside a secure container.
  • Even platform admins cannot retrieve your secrets.

Scoped Access and Isolation

  • Credentials are scoped per user and per workflow.
  • Shared workflows do not transfer your secrets.
  • Only your own executions can access your credentials.

When Are Secrets Used?

Secrets are accessed only when:

  • A node requires them to interact with a third-party service.
  • The workflow is executed by the same user who owns the credentials.
  • The container is authenticated, isolated, and transient.

The decrypted value is available only during that session, then discarded immediately.
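
The flow described above (client-side encryption with a per-user public key, ciphertext-only storage, owner-only decryption at run time, then discard), as an added example that is not AxonOS code. It assumes RSA-OAEP with SHA-256, a Map in place of Vault, and hypothetical function names; it goes one step beyond the text by binding the user/workflow scope into the ciphertext as the OAEP label, and it runs both ends in Node.js (a browser would use the Web Crypto API for the encrypt step).

```javascript
// Added illustration, not AxonOS code. RSA-OAEP/SHA-256, the in-memory Map
// standing in for Vault, and all function names are assumptions.
const nodeCrypto = require("node:crypto");

const OAEP = { padding: nodeCrypto.constants.RSA_PKCS1_OAEP_PADDING, oaepHash: "sha256" };
// Scope string bound into the ciphertext as the OAEP label.
const scopeLabel = (userId, workflowId) => Buffer.from(`${userId}/${workflowId}`);

// Backend: one key pair per user; only the public half is handed to the client.
function createUserKeys() {
  return nodeCrypto.generateKeyPairSync("rsa", { modulusLength: 2048 });
}

// Client side: encrypt before anything is transmitted.
function clientEncrypt(publicKey, userId, workflowId, secret) {
  return nodeCrypto.publicEncrypt(
    { key: publicKey, ...OAEP, oaepLabel: scopeLabel(userId, workflowId) },
    Buffer.from(secret, "utf8"));
}

// Storage holds ciphertext only, keyed by owner and workflow.
function storeSecret(store, userId, workflowId, ciphertext) {
  store.set(`${userId}/${workflowId}`, ciphertext);
}

// Runtime: decrypt only for the owner's own execution, hand the plaintext to
// the node callback, then overwrite the buffer.
function withSecret(store, privateKey, executingUser, ownerId, workflowId, useFn) {
  if (executingUser !== ownerId) throw new Error("access denied: not the credential owner");
  const ciphertext = store.get(`${ownerId}/${workflowId}`);
  if (!ciphertext) throw new Error("no secret for this scope");
  const plain = nodeCrypto.privateDecrypt(
    { key: privateKey, ...OAEP, oaepLabel: scopeLabel(ownerId, workflowId) }, ciphertext);
  try {
    return useFn(plain);
  } finally {
    plain.fill(0); // discard the decrypted value after the session
  }
}

// Constructed sample run: returns the plaintext length seen by the callback.
function demo() {
  const store = new Map();
  const alice = createUserKeys();
  storeSecret(store, "alice", "wf-1", clientEncrypt(alice.publicKey, "alice", "wf-1", "sk-constructed-example"));
  return withSecret(store, alice.privateKey, "alice", "alice", "wf-1", (buf) => buf.length);
}
```

Because the scope is the OAEP label, a ciphertext copied under another workflow's storage key fails to decrypt even for its owner.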

Additional Protections

  • HTTPS (TLS 1.3) encryption for all traffic
  • No logging or caching of sensitive content
  • Rate-limiting and brute-force protection
  • Full audit trail on all access to Vault
  • Optional IP/domain restrictions and secret expiration

User Responsibilities

Security is a shared model. We recommend:

  • Never hardcode secrets in code or prompts
  • Use scoped or read-only API keys when possible
  • Revoke unused secrets frequently
  • Rotate credentials regularly

Questions or Concerns?

If you have any security-related questions, or if you need to rotate or revoke a key, contact our support at:

Email: contact@axonos.ai
Response Time: Within 24 hours


This system is designed for future extensibility, including passkeys, multi-device key sync, and integration with trusted identity providers.