Encryption at rest & secret masking
Every credential you connect — OAuth tokens, API keys (including bring-your-own OpenAI and Anthropic keys), and environment variables destined for your deployed products — is encrypted at rest with AES-256-GCM authenticated encryption. Each value gets a fresh random nonce, and the authentication tag guarantees tampering is detected.
Once you save a secret, its full value is never displayed again. Interfaces show at most the first and last four characters (like sk-a••••6789), and build logs and error output pass through a redaction layer that strips anything shaped like a credential — API keys, GitHub and Render tokens, JWTs, connection strings, and private key blocks.