// SECURITY

Security

Your API keys, encrypted at rest

// ENCRYPTION & HASHING

Encryption and hashing

User passwords

scrypt (Better Auth, RFC 7914)

Your password is hashed with scrypt before storage. We never store plaintext passwords.

Provider API keys

AES-256-GCM + Argon2id

Your provider API keys are encrypted server-side using AES-256-GCM. The encryption key is derived from a server pepper using Argon2id. Each encryption uses a unique IV. Plaintext keys are never stored.

Costwave API keys

bcrypt

Ingest API keys are hashed with bcrypt before storage.

// ARCHITECTURE

Architecture

Provider API key encryption flow.

User enters API key

Server-side encryption

AES-256-GCM + unique IV + tag

Encrypted storage in DB

Runtime decryption (in-memory only)

Provider API call

Decrypted key discarded

Plaintext key NEVER stored

ENCRYPTION_PEPPER server-only, never in code

// AUDITABLE CODE

Auditable code

Costwave is open source. You can audit the cryptographic implementation.

You don't have to trust us. You can verify the code.

Files to audit: /app/src/lib/crypto/

VIEW ON GITHUB

// SELF-HOSTING

Self-hosting

Deploy Costwave on your own infrastructure. Full control over your data. No vendor lock-in.

VIEW DEPLOYMENT GUIDE

// COMPLIANCE ROADMAP

Compliance V2

GDPR compliance and SOC 2 Type II certification are planned for V2. Costwave is currently in beta.