Encryption at rest
Provider credentials are encrypted before they hit the database. We use envelope encryption: each tenant has a unique data key that is itself wrapped by a master KMS key managed by our cloud provider. Database backups inherit the same encryption. Plaintext credentials never persist to disk.
Encryption in transit
All traffic to the API and dashboard is TLS 1.2+. Upstream calls to OpenAI, Anthropic, Grok, and Gemini are made over HTTPS using the seller's credential decrypted just-in-time inside the request handler.
Credential isolation
The proxy decrypts a seller credential only inside the in-memory scope of a single request. The plaintext is never written to logs, never exposed to the buyer, and never leaves the process boundary.
Buyer-facing keys (tk_live_…) authenticate against the proxy only — they cannot be used to call upstream providers directly.
Auth & access
We use Clerk for authentication and enforce role separation (buyer / seller / admin) at the API layer. Server-to-database connections use short-lived credentials. All admin actions are audit-logged.
Reporting a vulnerability
If you believe you've found a security issue, please email security@tokenlypro.com with a description and steps to reproduce. We acknowledge reports within 72 hours and prefer coordinated disclosure.