Security Model

A sanitized token (kve_hb_...) is not a credential — it is a pointer. It references an encrypted key envelope stored in KeyVault Edge infrastructure. The token itself contains no key material.

When a request arrives at an edge proxy endpoint, the token is resolved to an encrypted envelope. The envelope is decrypted in isolated Worker memory, the real key is injected into the upstream request header, and the decrypted key is immediately zeroed. It is never logged, cached, or persisted.

Real API keys are encrypted with AES-256-GCMusing a per-key Data Encryption Key (DEK). The DEK is wrapped with your account's Key Encryption Key (KEK), held in a cloud HSM and marked non-exportable.

Storage layout: ciphertext + wrapped_dek + iv. The plaintext key is never stored anywhere in the system.

Each token carries a list of authorised origins (exact hostnames or wildcard patterns). Before decryption begins, the edge proxy checks the incoming request's Origin and Referer headers against this list.

If the origin does not match, decryption is refused and a breach event is recorded. The real key is never accessed. The token is cryptographically useless from any domain not on the allowlist — even if the token value is known to an attacker.

Every failed origin check creates a breach event: attacker IP, attempted host, geolocation, and timestamp. Email and Slack alerts fire within seconds.

Even if an attacker tries a token from an authorized origin (e.g. they have also compromised your domain), anomaly detection watches for unusual request rates, model usage, and geographic origin shifts. Alerts fire at configurable thresholds.