Terminology
A comprehensive guide to the technical terminology used by Token Vault.
Core Concepts
| Term | Description |
|---|---|
| Vault | The core encryption service that handles secret encryption, decryption, and key management |
| Secret | Encrypted data payload stored in the vault, accessible only through proper authentication |
| Project | A logical container for secrets with isolated encryption keys and access controls |
| Organization | A tenant boundary that contains multiple projects and manages user access |
| Project Identifier | Unique identifier used for key isolation and secret lookup |
Encryption & Key Management
| Term | Description |
|---|---|
| Root Key (KEK) | Key Encryption Key: the master encryption key, loaded from environment variables and used to encrypt all DEKs |
| DEK | Data Encryption Key - project-specific 256-bit key used to encrypt secret payloads |
| AES-256-GCM | Authenticated encryption algorithm used for all encryption operations |
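| AAD | Additional Authenticated Data - context metadata that is authenticated but not encrypted; decryption fails if the AAD supplied does not match the AAD used at encryption |
| Nonce | 96-bit random value used once per encryption operation; a nonce must never be reused with the same key |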
| Keyring | Service managing DEK lifecycle including creation, storage, and retrieval |
API & Authentication
| Term | Description |
|---|---|
| API Key | Authentication token scoped to specific projects for programmatic access |
| Proxy API | Endpoint that forwards requests to target APIs while injecting secrets |
| Secret Reference | Unique identifier used to reference encrypted secrets in requests |
| Project Identifier | Project-specific identifier used for key lookup and secret isolation |
Request Processing
| Term | Description |
|---|---|
| Secret Injection | Process of decrypting secrets and inserting them into proxied requests |
| Header Injection | Method of injecting secrets into HTTP request headers |
| Query Injection | Method of injecting secrets into URL query parameters |
| Body Injection | Method of injecting secrets into request body using JSON path notation |
| Request Logging | Audit trail recording all proxy requests and secret usage |
Security & Isolation
| Term | Description |
|---|---|
| Project Isolation | Cryptographic boundary ensuring secrets are inaccessible across projects |
| Organization Boundary | Access control boundary preventing cross-organization data access |
| Forward Secrecy | Cryptographic property ensuring compromised keys don't affect historical data |
| Authenticated Encryption | Encryption method that provides both confidentiality and integrity |
Storage & Infrastructure
| Term | Description |
|---|---|
| S3 Storage | Object storage service used for encrypted DEK and secret data persistence |
| PostgreSQL | Relational database storing metadata, audit logs, and system state |
| Transaction | Atomic database operation ensuring consistency during project creation |
| Audit Log | Immutable record of all system operations with user and IP context |
Technical Implementation
| Term | Description |
|---|---|
| VaultService | Core encryption service class handling encrypt/decrypt operations |
| Keyring | Service managing DEK lifecycle and S3 storage operations |
| dot-prop | Library used for JSON path-based secret injection into request bodies |
| CUID2 | Collision-resistant unique identifier generator for system entities |