Encryption
Workjet encrypts data at every stage — in transit between components, at rest in storage, and in the OS keychain on user devices.
Encryption in Transit
| Connection | Protocol | Details |
|---|---|---|
| Desktop App to Gateway | TLS 1.3 | HTTPS only, no fallback to HTTP |
| Gateway to AI Providers | TLS 1.3 | Provider-enforced HTTPS |
| Browser to Portal | TLS 1.3 | HSTS enabled, certificate transparency |
| MCP Connectors to Services | TLS 1.2+ | Depends on the external service (most require TLS) |
Cloudflare provides automatic TLS termination and certificate management for all Workjet endpoints. Certificates are renewed automatically.
Encryption at Rest
| Storage | Encryption | What's Stored |
|---|---|---|
| Cloudflare R2 | AES-256 | Audit logs, exported data, skill artifacts |
| Cloudflare D1 | AES-256 | Authentication data, tenant configuration, DLP policies |
| Cloudflare KV | AES-256 | Session data, rate limit counters, configuration cache |
| OS Keychain | Platform-native | API keys, MCP connector credentials, OAuth tokens |
API Key Hashing
API keys receive special treatment to ensure they remain secure even in the event of a database breach:
- When a key is created, the raw key (`wj_live_...`) is shown to the user once
- The key is immediately hashed with SHA-256
- Only the hash is stored in the database
- On each API request, the provided key is hashed and compared against stored hashes
- The raw key is never logged, stored, or transmitted after creation
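The key lifecycle described above, as an added Python illustration that is not Workjet's own code: the raw key is returned once at creation, only its SHA-256 digest is persisted, and verification hashes the presented key and compares it with the stored digests in constant time. The key material after the `wj_live_` prefix, the in-memory store and all function names are assumptions for this example.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional

# Prefix as shown on the page; the random part after it is an assumption.
KEY_PREFIX = "wj_live_"


def hash_api_key(raw_key: str) -> str:
    """SHA-256 hex digest of a raw key. Only this value is ever stored."""
    return hashlib.sha256(raw_key.encode("utf-8")).hexdigest()


def create_api_key(store: Dict[str, str], key_id: str) -> str:
    """Generate a new key, persist its hash under key_id, return the raw key.

    The caller shows the return value to the user once and must not keep it.
    """
    raw_key = KEY_PREFIX + secrets.token_urlsafe(32)  # 256 bits of entropy
    store[key_id] = hash_api_key(raw_key)
    return raw_key


def verify_api_key(store: Dict[str, str], presented: str) -> Optional[str]:
    """Hash the presented key and compare against every stored hash.

    hmac.compare_digest keeps the comparison constant-time so a caller cannot
    learn how many leading digest characters matched. Returns the key_id on
    success, None otherwise.
    """
    candidate = hash_api_key(presented)
    for key_id, stored_hash in store.items():
        if hmac.compare_digest(candidate, stored_hash):
            return key_id
    return None


def revoke_api_key(store: Dict[str, str], key_id: str) -> bool:
    """Drop the stored hash; the raw key immediately stops authenticating."""
    return store.pop(key_id, None) is not None
```

Unsalted SHA-256 is adequate here because the key is a random 256-bit value rather than a user-chosen password, so a leaked hash cannot be brute-forced the way a password hash can; the same scheme would be wrong for passwords.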
Next Steps
- Learn about credential management
- Review the DLP pipeline
- Understand the full security architecture