How VybeGrid protects provider credentials, secures operations, and ensures compliance
VybeGrid manages access to critical infrastructure — DNS records and CDN configurations that control where internet traffic flows. The security model reflects this responsibility, with defense-in-depth protections at every layer.
The most critical security component. All provider API keys and credentials are encrypted at rest using AES-256-GCM.
User enters API key
│
▼
┌────────────────────────────────────────┐
│ 1. Key derivation from master secret │
│ (PBKDF2 / HKDF) │
├────────────────────────────────────────┤
│ 2. AES-256-GCM encryption │
│ • Authenticated encryption │
│ • Unique nonce per encryption │
│ • Integrity tag prevents tampering │
├────────────────────────────────────────┤
│ 3. Store encrypted blob in PostgreSQL │
│ • Never stored in plaintext │
│ • Per-provider isolation │
├────────────────────────────────────────┤
│ 4. Decrypt only at point of use │
│ • Held in memory briefly │
│ • Wiped after API call │
└────────────────────────────────────────┘
| Property | Benefit |
|---|---|
| 256-bit key | Computationally infeasible to brute-force |
| Galois/Counter Mode | Authenticated encryption — detects tampering |
| Unique nonce | Same key encrypts different data safely |
| AEAD | Associated data verified without decryption |
| Feature | Implementation |
|---|---|
| Token format | JSON Web Tokens (python-jose) |
| Signing | HMAC-SHA256 |
| Expiration | Short-lived access tokens + refresh rotation |
| Claims | User ID, organization, roles, scopes |
| Feature | Implementation |
|---|---|
| Method | TOTP (RFC 6238) |
| Compatibility | Google Authenticator, Authy, etc. |
| Enrollment | QR code + backup codes |
| Enforcement | Configurable per organization |
| Feature | Implementation |
|---|---|
| Hashing | bcrypt (passlib) |
| Cost factor | Adaptive (increases with hardware) |
| Salt | Unique per password |
Protection against API abuse and DDoS:
| Endpoint Category | Limit | Window |
|---|---|---|
| Authentication | 5 requests | per minute |
| General API | 100 requests | per minute |
| Webhook events | 50 requests | per minute |
| Health check API | 200 requests | per minute |
Implemented via SlowAPI middleware on FastAPI. Limits are per-IP with optional per-user tracking.
When VybeGrid sends webhook notifications (failover events, alerts), they are cryptographically signed:
Webhook payload
│
▼
┌─────────────────────────────────────────┐
│ 1. Generate HMAC-SHA256 signature │
│ using shared webhook secret │
│ │
│ 2. Add timestamp header │
│ (prevents replay attacks) │
│ │
│ 3. Include signature in headers: │
│ X-Webhook-Signature: sha256=... │
│ X-Webhook-Timestamp: 1710268800 │
│ │
│ Receiver: │
│ 4. Verify signature matches payload │
│ 5. Check timestamp within window │
│ (reject if > 5 minutes old) │
└─────────────────────────────────────────┘
When AI agents are enabled, additional security controls apply:
| Control | Implementation |
|---|---|
| Data sanitization | API keys, IPs, and PII stripped before LLM calls |
| No direct execution | AI recommendations require policy engine approval |
| Opt-in only | AI features completely disabled by default |
| Provider isolation | AI agents cannot access provider credentials directly |
| Audit logging | All AI recommendations and decisions logged |
Every operation in VybeGrid produces an audit event:
| Event Types | Examples |
|---|---|
| Authentication | Login, logout, MFA enrollment, failed attempts |
| Provider management | Add/remove provider, credential update |
| DNS operations | Record create/update/delete |
| Failover events | Automatic failover, manual trigger, rollback |
| Configuration changes | Policy updates, threshold adjustments |
| AI decisions | Anomaly detected, recommendation issued |
Properties:
- Append-only (no modification or deletion)
- Timestamped with actor identification
- Filterable and searchable in dashboard
- Exportable for compliance reporting
| Role | Capabilities |
|---|---|
| Viewer | Dashboard read, metrics, audit log view |
| Operator | DNS operations, manual failover, health check config |
| Admin | Provider management, policy configuration, user management |
| Owner | All capabilities + billing + credential management |
Fine-grained control over which providers each user can access:
- Read-only access to specific providers
- Full CRUD on permitted providers only
- Credential visibility restricted to Admin/Owner
| Control | Implementation |
|---|---|
| HTTPS | Required for all API communication |
| CORS | Strict origin allowlist |
| Request validation | Pydantic schemas on all endpoints |
| Input sanitization | SQL injection and XSS prevention |
| Dependency scanning | Regular security audit of packages |
| Standard | Status |
|---|---|
| SOC 2 | Architecture supports audit, access control, encryption requirements |
| HIPAA | Encryption at rest + in transit, access logging, role-based access |
| GDPR | Data export capabilities, access logging |
| PCI-DSS | Encrypted credential storage, audit trail |
© 2024-2026 DevStudio AI Inc.. All rights reserved.