Portal Community

Credential Types

Type IDType NameUsed ByFields
1PasswordRecordSMTPUsername, Password
2ApiKeyRecordAWS SES, Custom ProvidersApiKey (and possibly ApiSecret)
3OAuth2RecordGmailAccessToken, RefreshToken, ExpiresAt

Database Storage

Credentials stored in AIExt_Credentials table with two components:

Encryption Architecture

Algorithm: AES-256-GCM

Encryption Process

1. ICredentialEncryptionService.EncryptAsync(plaintext, keyVersion)
2. Generates random IV (96-bit)
3. Encrypts with AES-256-GCM
4. Returns: IV + AuthTag + CiphertextHash

Decryption Process

1. ICredentialEncryptionService.DecryptAsync(encryptedData)
2. Extracts IV + AuthTag + Ciphertext
3. Decrypts with AES-256-GCM
4. Validates authentication tag
5. Returns plaintext or exception if invalid

Multi-Tenant Isolation

Security Best Practices

Do's

Don'ts

Secret Rotation

If an API key is compromised:

  1. Generate new API key at provider
  2. Create new credential with same name in database
  3. Old credential automatically becomes inactive
  4. No code changes required

Audit Logging

All credential access is logged with:

Next Steps