ODAI encrypts all sensitive tokens and credentials before storing them in Firestore. Encryption is handled by Google Cloud Key Management Service (KMS) using user-specific keys, so no two users’ data can be decrypted with the same key.Documentation Index
Fetch the complete documentation index at: https://mintlify.com/sibblegp/ODAI/llms.txt
Use this file to discover all available pages before exploring further.
What is encrypted
The following data is encrypted at rest before being written to Firestore:| Data | Firestore collection |
|---|---|
| Google OAuth tokens (access token, refresh token, client credentials) | google_tokens |
| Plaid access tokens | plaid_tokens |
| Plaid item IDs | plaid_tokens |
| Evernote OAuth tokens | evernote_tokens |
Encryption model
ODAI uses symmetric encryption via Google Cloud KMS. When a token is received from an OAuth provider, it is:- Serialized to JSON
- Encrypted with the user’s KMS key
- Base64-encoded
- Written to Firestore as a string
User-specific encryption keys
Each registered user has a dedicated KMS key. This means a compromise of one user’s key does not expose any other user’s data. Keys are created automatically in Google Cloud KMS when a user first registers. The key identifier (key_id) is stored in the user’s Firestore document and is used for all encryption and decryption operations for that user.
Key generation is skipped in local development environments. Tokens stored locally are Base64-encoded but not encrypted with KMS.
Key rings
ODAI uses two KMS key rings in theglobal region:
| Environment | Key ring |
|---|---|
| Development | odai |
| Production | production |
Local development
In local development mode (LOCAL=true), token encryption is bypassed. Tokens are Base64-encoded before storage as a lightweight substitute, but no KMS operations are performed. This allows you to run the application without Google Cloud credentials.