How Does Codowave Handle Secrets and API Keys?
Short answer: every secret stays encrypted at rest, gets scrubbed before it ever lands in a log, and is scoped to the smallest container that actually needs it.
Where secrets live
Tokens (GitHub PATs, LLM provider keys, deployment credentials) are encrypted with a KMS-backed envelope before they touch Postgres. The encryption key is rotated on a 90-day schedule and never leaves the API process — agents receive a one-shot capability token that expires when the run ends.
What's never logged
Codowave's logger strips known secret shapes (Stripe keys, GitHub tokens, AWS access keys, OpenAI/Anthropic API keys, JWTs) at the transport layer. If a customer's code prints a secret, the agent log shows [redacted-secret:openai] instead of the value.
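A minimal version of that transport-layer scrubbing, as an added example rather than Codowave's own code: the regexes are my assumptions about the listed token shapes, the sample log lines are constructed, and only the `[redacted-secret:<kind>]` marker follows the page.

```python
import io
import logging
import re

# Secret shapes this added example recognises. The regexes are assumptions
# about the listed token formats, not Codowave's published rules. Order
# matters: "sk-ant-" must be claimed before the broader OpenAI "sk-" shape.
SECRET_PATTERNS = [
    ("stripe", re.compile(r"\b[sr]k_(?:live|test)_[A-Za-z0-9]{16,}\b")),
    ("github", re.compile(r"\bgh[pousr]_[A-Za-z0-9]{20,}\b")),
    ("aws", re.compile(r"\b(?:AKIA|ASIA)[A-Z0-9]{16}\b")),
    ("anthropic", re.compile(r"\bsk-ant-[A-Za-z0-9_-]{20,}\b")),
    ("openai", re.compile(r"\bsk-[A-Za-z0-9_-]{20,}\b")),
    ("jwt", re.compile(r"\beyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\b")),
]

def redact(text: str) -> str:
    """Replace each recognised secret with a [redacted-secret:<kind>] marker."""
    for kind, pattern in SECRET_PATTERNS:
        text = pattern.sub(f"[redacted-secret:{kind}]", text)
    return text

class SecretRedactingFilter(logging.Filter):
    """Scrub the fully rendered message before any handler writes it out."""
    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = redact(record.getMessage())
        record.args = ()  # already rendered; stop handlers re-formatting it
        return True

def scrubbed_lines(raw_lines):
    """Log each raw line through a redacting handler; return what was written."""
    stream = io.StringIO()
    handler = logging.StreamHandler(stream)
    handler.addFilter(SecretRedactingFilter())  # on the handler: covers every logger
    log = logging.getLogger("agent-run")
    log.propagate = False
    log.handlers = [handler]
    log.setLevel(logging.INFO)
    for line in raw_lines:
        log.info("%s", line)
    return stream.getvalue().splitlines()

# Constructed sample log lines; none of these values are real credentials.
SAMPLE = [
    "calling openai with sk-CONSTRUCTEDEXAMPLE0000000000",
    "anthropic key sk-ant-CONSTRUCTEDEXAMPLE00000000 loaded",
    "git push using ghp_CONSTRUCTEDEXAMPLE00000000",
    "aws creds AKIACONSTRUCTED00000 in env",
    "bearer eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiIxIn0.c2lnbmF0dXJl",
    "build finished in 42s",
]
```

Attaching the filter to the handler rather than the logger is deliberate: a logger-level filter only sees records logged directly to that logger, while a handler-level one sees everything the handler writes.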
What you can audit
Every key access shows up in your dashboard audit log: which scanner or agent run touched it, when, from which container. You can revoke a token from the UI and the agent rerolls on next pickup.