API token protection

Hi - can you advise how the API token/security credentials for my APIs that I use in my flows are protected? The tokens are the highest level of access to my APIs, so I want to understand how the API tokens that are stored in the flow are secured.

Specifically on your servers but also access from your team - or can your business just view my tokens - if they choose to?

Love the service and I’m not suggesting any negativity towards your company and team - they have been nothing but helpful and professional. However, I work in a high security environment so want to make sure I have these answers ready as I roll my flows out to my business.

Also, specifically as there’s no SSO/2FA login protection available - though your team advise they are looking at it - the concern for unauthorised access to API tokens is a high concern for me.

Hey Caspar! Great question.

For a given flow, all of the steps you have on your canvas, how they are connected, and what settings they have in the sidebar of the result view (this includes API keys you type in) are all stored in a database table that is only accessible by our engineering leadership and highest level of support staff. All access is logged as well.

Furthermore, we’re able to apply extra security to tokens from integrations that use OAuth and isolate those to their own, even further locked-down table.
Our production server environment has access to these tables, but all access is protected by our VPC within AWS. Human access to these tables must pass through our VPN as well.

Hope that answers your question, but please let me know if you need any more detail!
