Security
Read-only
by design.
APIWhere reads billing and usage from your providers on a schedule. Your application traffic never routes through us — credentials exist to sync invoices and meters, not to call your APIs in production.
Controls
What we implement today
- At rest
- AES-256-GCM in Postgres. Plaintext keys are not written to disk.
- In use
- Decrypted in memory during a sync job, then discarded. Decrypt events are audit-logged.
- In transit
- TLS between browser, frontend, gateway, and connectors service.
- Access
- JWT per workspace. Gateway auth on every API call. No cross-tenant reads.
Credential flow
From connect
to sync.
Four steps. No hidden paths.
- 01
Sign in
Google or GitHub OAuth when your workspace access opens. Session is a signed JWT — API keys are not kept in the browser.
- 02
Connect
Keys are submitted via a server action to the gateway over TLS. The client never persists them.
- 03
Encrypt
Connectors service encrypts with AES-256-GCM before writing to Postgres. Production can use a KMS-backed master key.
- 04
Sync
On schedule, a job decrypts in RAM, calls the provider billing API, writes normalized spend/usage, and exits.
Scope
What we touch
and what we don't.
In scope
- Provider billing and usage endpoints (invoices, CUR, metered usage)
- Scheduled sync jobs initiated by APIWhere
- Encrypted credential storage for connectors you attach
- Audit log of credential decrypt and connector changes
Out of scope
- Proxying or inspecting your app → provider requests
- Storing production payloads, prompts, or customer data
- Write access to cloud infrastructure beyond billing read APIs
- Returning raw API keys to the browser after connect
Common questions
Do you store my API keys?
Yes — encrypted. They are required to pull billing on your behalf. We do not store plaintext and we do not echo keys back in the UI or API responses.
Can APIWhere see my production traffic?
No. We call billing and usage endpoints only. Traffic between your services and OpenAI, Stripe, AWS, etc. does not pass through APIWhere.
What permissions do connectors need?
Read-only billing or usage scopes where the provider allows it. Each integration documents the minimum scopes in Connectors and in the docs.
How do I revoke access?
Disconnect the provider in Connectors. The encrypted credential is deleted and scheduled sync stops on the next cycle.
Questions? security@apiwhere.com · hello@apiwhere.com · Documentation