Self-Hosting & Operations
Secrets & Encryption
Sensitive values — integration sign-in tokens, provider keys, passwords — are kept in a
secrets vault, separate from your ordinary data, so a data reset never wipes your
credentials. You choose where the vault lives:
- App database (default) — stored in a dedicated credentials file.
- Environment variables — read-only, for locked-down deployments.
- OS keyring — your operating system's secure store (Windows Credential Manager,
macOS Keychain, Linux Secret Service).
- Cloud secret managers — Google Secret Manager or AWS Secrets Manager.
Separately, encryption methods for protecting stored fields are pluggable too. Both
the vault choice and the encryption method are selected in settings, and — like other
capabilities — new options are added as self-contained drop-in files (see Adding a Plugin).
Related: Storage Backends, Connected Accounts (Integrations).