How we store and protect your upstream API keys, and what you can do to minimise risk.
Every upstream API key you add is encrypted with AES-256-GCM before being written to disk. Each key gets a unique random 96-bit IV so that no two ciphertexts are identical even for identical values. The encryption key is a 256-bit secret stored only in the server environment - never in source code, never in the database.
The raw plaintext of your key never touches disk. Only the encrypted blob is persisted.
Your key value is write-only from your perspective. Once saved, it cannot be retrieved via any API - not even by you. The only operation performed with the decrypted value is injecting it as an HTTP header or query parameter when the proxy forwards your call to the upstream API.
All traffic between your browser, the OmniStream web app, and the gateway is served over HTTPS with TLS 1.2+, enforced by Traefik at the edge. Your key is transmitted to us exactly once - when you save it. After that, only the encrypted form leaves the gateway process boundary.
Even with strong encryption, the best protection is limiting the blast radius of a compromised key. Follow these practices:
Removing a key from your account immediately deletes the encrypted blob from our storage. There is no soft-delete or recovery - once removed, the key is gone and must be re-added if needed.
Deleting your OmniStream account removes all stored keys for all APIs immediately and permanently.
If you discover a security issue, please email support@skinvaults.online with subject Security: OmniStream. We will respond within 48 hours and coordinate a fix before any public disclosure.