Secrets & encryption
Target Audience: Developers and security reviewers configuring Toucan AI or evaluating how secrets are protected.
TL;DR
Database connection credentials (passwords, keys) are encrypted before being stored on the Toucan AI platform.
Embed tokens are encrypted and short-lived.
Query result rows are not stored in a separate encrypted cache — they are processed per request (see Data storage & retention).
Encryption at rest for the platform database depends on your deployment.
When to use this
Use this page to understand how Toucan AI protects secrets and what encryption does not cover.
Database connection credentials
When you connect a database to Toucan AI, connection secrets are encrypted at rest in the platform database.
Only authorized server-side operations can decrypt them to run queries on your behalf.
When you view or edit a connection in the product, sensitive fields are masked in the UI and API responses.
Keys can be rotated; older ciphertext may be re-encrypted when credentials are accessed.
Your responsibility: protect who can create or edit database connections in your Toucan organization.
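As an added illustration (not Toucan AI's own code), the following Go program shows the pattern this section describes: a connection secret sealed with AES-256-GCM and tagged with the ID of the key that sealed it, and re-encryption under the current key when a record sealed with an older key is decrypted. The KeyRing and Sealed types and the key IDs are hypothetical.

```go
package main
import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// KeyRing (hypothetical): key ID -> 32-byte AES-256 key; Current is used for new ciphertext.
type KeyRing struct {
	Current string
	Keys    map[string][]byte // every key still allowed to decrypt stored records
}
// Sealed is a stored credential; its key ID is bound as AAD so it cannot be re-labelled.
type Sealed struct {
	KeyID string
	Nonce []byte
	CT    []byte
}
// mustGCM panics on a malformed key: keys are validated when loaded, not per call.
func mustGCM(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	g, _ := cipher.NewGCM(block) // cannot fail for an AES block
	return g
}

// Encrypt seals a connection secret under the current key with a fresh random nonce.
func (r *KeyRing) Encrypt(secret []byte) Sealed {
	g := mustGCM(r.Keys[r.Current])
	nonce := make([]byte, g.NonceSize())
	rand.Read(nonce) // crypto/rand.Read is guaranteed not to fail (Go 1.24+)
	return Sealed{r.Current, nonce, g.Seal(nil, nonce, secret, []byte(r.Current))}
}

// Decrypt opens a record with the key it names and returns the record to keep: the
// same one if that key is current, otherwise one re-sealed under the current key.
func (r *KeyRing) Decrypt(s Sealed) ([]byte, Sealed, error) {
	key, ok := r.Keys[s.KeyID]
	if !ok {
		return nil, s, errors.New("unknown key ID " + s.KeyID)
	}
	secret, err := mustGCM(key).Open(nil, s.Nonce, s.CT, []byte(s.KeyID))
	if err != nil || s.KeyID == r.Current {
		return secret, s, err
	}
	return secret, r.Encrypt(secret), nil // re-encrypt on access; retire the old key later
}
```

The caller persists whatever Decrypt returns as the record to keep; once no stored record still names a retired key ID, that key can be removed from Keys.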
Embed tokens
Embed tokens are encrypted (JWE, AES-256-GCM) and expire after a short period (default one hour).
API keys used to mint tokens must stay on your server, never in browser code.
See Token security for integration guidance.
Query data and caching
Toucan AI does not maintain a dedicated encrypted cache of your query result datasets. Each data request runs against your database, and the result is used in memory for that operation only. See the data flow described above.
Protection for query data relies on:
TLS between services and your database (as configured)
Access control (tokens, permissions, RLS/CLS)
Not persisting bulk copies of your rows on the platform
Deployment-level encryption
Additional controls (disk encryption, managed database encryption, key management) are part of your infrastructure and contract with Toucan AI.
Best practices
Rotate database passwords on a regular schedule.
Restrict Toucan organization roles so only trusted admins manage connections.
Never commit API keys or connection strings to source control.
Use TLS-enabled database endpoints where supported.