
Security & Encryption

  • API keys are hashed with SHA-256 before storage. Raw keys are never persisted.
  • Keys are shown once at creation and cannot be retrieved.
  • Each key is scoped to a single project.
  • Keys can be revoked instantly by an owner or admin.

Env vars are encrypted at rest using AES-256-GCM via the Web Crypto API.

When you create a snapshot with envVars:

  1. A unique initialization vector (IV) is generated
  2. An encryption key is derived from the ENCRYPTION_KEY secret using PBKDF2
  3. The env vars are encrypted with AES-256-GCM
  4. Ciphertext and IV are stored separately in D1

Decryption only happens when fetching a single snapshot (GET /machine/snapshots/:id). List endpoints never decrypt env vars.

The ENCRYPTION_KEY is stored as a Cloudflare Workers secret and never exposed via the API.
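
The encrypt and decrypt flow from steps 1 to 4, as an added example that is not this service's own code. It assumes a fixed PBKDF2 salt, 100,000 iterations with SHA-256, a 12-byte IV and JSON serialization, none of which the page specifies; the function names and sample values are constructed.

```javascript
// Added example, not the service's code. KDF parameters, IV length and
// JSON serialization are assumptions; function names are hypothetical.
const wc = globalThis.crypto ?? require('node:crypto').webcrypto;
const enc = new TextEncoder();
const dec = new TextDecoder();
const KDF = { salt: enc.encode('constructed-salt'), iterations: 100000, hash: 'SHA-256' };

// Step 2: derive a non-extractable AES-256 key from the ENCRYPTION_KEY secret.
async function deriveKey(secret) {
  const material = await wc.subtle.importKey(
    'raw', enc.encode(secret), 'PBKDF2', false, ['deriveKey']);
  return wc.subtle.deriveKey({ name: 'PBKDF2', ...KDF }, material,
    { name: 'AES-GCM', length: 256 }, false, ['encrypt', 'decrypt']);
}

// Steps 1, 3, 4: fresh random IV per snapshot, AES-256-GCM encryption,
// ciphertext and IV returned as separate values for separate storage.
async function encryptEnvVars(secret, envVars) {
  const iv = wc.getRandomValues(new Uint8Array(12));
  const key = await deriveKey(secret);
  const plaintext = enc.encode(JSON.stringify(envVars));
  const ct = await wc.subtle.encrypt({ name: 'AES-GCM', iv }, key, plaintext);
  return { ciphertext: new Uint8Array(ct), iv };
}

// Single-snapshot fetch path: throws if the GCM tag check fails.
async function decryptEnvVars(secret, { ciphertext, iv }) {
  const key = await deriveKey(secret);
  const pt = await wc.subtle.decrypt({ name: 'AES-GCM', iv }, key, ciphertext);
  return JSON.parse(dec.decode(pt));
}

// Constructed inputs: round trip, IV uniqueness, tampering, wrong secret.
async function demo() {
  const secret = 'constructed-secret-not-a-real-key';
  const envVars = { DATABASE_URL: 'postgres://example.invalid/db', API_TOKEN: 'constructed-value' };
  const a = await encryptEnvVars(secret, envVars);
  const b = await encryptEnvVars(secret, envVars);
  const roundTrip = await decryptEnvVars(secret, a);
  const tampered = { iv: a.iv, ciphertext: a.ciphertext.slice() };
  tampered.ciphertext[0] ^= 1; // flip one bit of the stored ciphertext
  const rejected = (p) => p.then(() => false, () => true);
  return {
    roundTrip,
    ivsDiffer: a.iv.join() !== b.iv.join(),
    tamperRejected: await rejected(decryptEnvVars(secret, tampered)),
    wrongSecretRejected: await rejected(decryptEnvVars('other-secret', a)),
  };
}
```

Because GCM authenticates the ciphertext, a modified stored value or a different secret makes decryption throw instead of returning altered env vars.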

  • Each API key is scoped to one project — no cross-project access
  • Operations are restricted by role within a project
  • Project deletion cascades to all associated data

Files are stored in Cloudflare R2 with project-scoped keys. SHA-256 checksums are computed on upload for integrity verification.

All traffic is served over HTTPS via Cloudflare’s edge network.