Encryption and credentials
Know how data, keys and secrets are encrypted, hashed and verified end to end.
Data encryption
- In transit: TLS for all connections, to the app and the API, and between our infrastructure providers.
- At rest: AES-256 across the database and storage.
- Integration credentials: encrypted again at the application layer with AES-256-GCM before they reach the database, on top of at-rest encryption. A database read alone cannot recover a connection secret.
API keys
API keys are generated with cryptographic randomness, shown once and stored only as a hash computed with a server-held secret. Kabaido cannot recover a lost key, and a database read alone cannot produce a usable one. Every key carries explicit scopes, can be revoked instantly and records when it was last used.
Webhook signing
Outbound webhooks are signed with HMAC-SHA256 over a timestamp and the exact raw body, keyed by a per-endpoint secret shown once at creation. Verification examples in TypeScript and Python are on the webhooks page. Signatures are compared in constant time and carry a timestamp so receivers can reject replays.
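A receiver-side check of the scheme above, written as an added example for this page rather than taken from the Kabaido webhooks page. It assumes a signed string of the form "<timestamp>.<raw body>" and a hex-encoded signature; the secret, body and header layout are constructed for illustration and are not Kabaido's documented format.

```python
import hmac
import hashlib
import time
from typing import Optional

# Assumed layout (not Kabaido's documented format): the signed string is
# "<unix timestamp>.<raw body bytes>" and the signature is hex HMAC-SHA256.
TOLERANCE_SECONDS = 300  # assumed replay window

def compute_signature(secret: bytes, timestamp: str, raw_body: bytes) -> str:
    """HMAC-SHA256 over the timestamp and the exact raw body, hex encoded."""
    signed = timestamp.encode("ascii") + b"." + raw_body
    return hmac.new(secret, signed, hashlib.sha256).hexdigest()

def verify_webhook(secret: bytes, timestamp: str, raw_body: bytes,
                   signature: str, now: Optional[float] = None) -> bool:
    """True only if the timestamp is fresh and the signature matches."""
    now = time.time() if now is None else now
    try:
        ts = int(timestamp)
    except ValueError:
        return False
    # Replay rejection: a stale or future-dated timestamp fails before any HMAC work.
    if abs(now - ts) > TOLERANCE_SECONDS:
        return False
    expected = compute_signature(secret, timestamp, raw_body)
    # compare_digest runs in constant time, so a mismatch leaks no prefix information.
    return hmac.compare_digest(expected, signature)

# Constructed sample values; a real per-endpoint secret is shown once at creation.
SECRET = b"whsec_constructed_example_secret"
RAW_BODY = b'{"event":"quote.accepted","id":"q_123"}'

def demo(now: float = 1_700_000_000.0) -> dict:
    """Show which inputs pass: only the exact raw body within the window."""
    ts = str(int(now))
    sig = compute_signature(SECRET, ts, RAW_BODY)
    return {
        "valid": verify_webhook(SECRET, ts, RAW_BODY, sig, now=now),
        "tampered_body": verify_webhook(SECRET, ts, RAW_BODY + b" ", sig, now=now),
        # Re-serialised JSON is semantically equal but byte-different, so it must fail.
        "reserialised": verify_webhook(
            SECRET, ts, b'{"event": "quote.accepted", "id": "q_123"}', sig, now=now),
        "replayed_late": verify_webhook(SECRET, ts, RAW_BODY, sig, now=now + 600),
    }

if __name__ == "__main__":
    print(demo())
```

The "reserialised" case is why verification must run over the raw request bytes, before any JSON parsing or pretty-printing.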
Inbound credentials
Inbound endpoints use long random tokens as capabilities, with optional signature verification for senders that can set headers. Pausing or deleting an endpoint revokes its URL immediately.
Portal links
Quote portal links carry an unguessable token scoped to one quote. The portal exposes only that quote, offers no actions once the quote is decided or expired and is rate-limited against scanning.
Sign in
Accounts sign in with email and a password of at least 8 characters, a magic link, or Google and Microsoft single sign-on where enabled. Passwords are hashed by our authentication provider and never stored in plain text.