# Security

B3OS security model for credentials, API keys, organizations, webhooks, wallets, masking, and execution safety.
B3OS is designed so workflow authors can connect providers and wallets without moving secrets through node payloads. The platform combines organization RBAC, encrypted connectors, hashed API keys, masked execution data, webhook protections, and wallet boundaries.
## Security Layers

| Layer | Protection |
|---|---|
| Authentication | User sessions, API keys, service accounts, and public route boundaries |
| Authorization | Organization roles, scoped API keys, and route-level permission checks |
| Connectors | Encrypted credential storage and masked client responses |
| API keys | `b3sk_` prefix, one-time reveal, hash storage, scopes, and revocation |
| Workflows | Draft/live separation, validation, visibility controls, and publish permissions |
| Executions | Secret masking, sanitized errors, status isolation, and run-level access checks |
| Webhooks | Secret URLs, signed execution hook delivery, HTTPS requirements, and SSRF defenses |
| Wallets | External signing boundary, wallet permissions, nonce coordination, and policy-friendly workflow design |
## API Key Handling

API keys are shown once at creation. B3OS stores a hash and uses scopes to determine what the key can do.
Do not commit API keys, paste them into workflow props, or expose them in client-side code. Rotate a key immediately if it is leaked.
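The following is an added illustration of the key lifecycle described above (one-time reveal, hash-only storage, scopes, revocation). It is not B3OS's own implementation: only the `b3sk_` prefix comes from the page, while the record layout, scope names and masking format are assumptions.

```python
import hashlib
import secrets
from typing import Optional

# Constructed illustration of the API key lifecycle (one-time reveal, hash-only
# storage, scopes, revocation). Not B3OS's own code: the record layout, scope
# names and masking format are assumptions. Only the b3sk_ prefix is from the page.
KEY_PREFIX = "b3sk_"

# Stand-in for the server-side key table, keyed by hash so plaintext is never stored.
_key_store: dict[str, dict] = {}


def hash_key(plaintext: str) -> str:
    # The key is 32 bytes of CSPRNG output, so an unsalted SHA-256 is adequate:
    # slow password hashes defend against guessing, which a 256-bit random secret does not need.
    return hashlib.sha256(plaintext.encode()).hexdigest()


def create_api_key(scopes: set[str]) -> str:
    """Mint a key, persist only its hash and scopes, and return the plaintext exactly once."""
    plaintext = KEY_PREFIX + secrets.token_urlsafe(32)
    _key_store[hash_key(plaintext)] = {"scopes": set(scopes), "revoked": False}
    return plaintext


def lookup(plaintext: str) -> Optional[dict]:
    """Resolve a presented key to its record; malformed, unknown or revoked keys yield None."""
    if not plaintext.startswith(KEY_PREFIX):
        return None
    record = _key_store.get(hash_key(plaintext))
    if record is None or record["revoked"]:
        return None
    return record


def authorize(plaintext: str, required_scope: str) -> bool:
    """Route-level check: the key must exist, be live, and carry the scope the route needs."""
    record = lookup(plaintext)
    return record is not None and required_scope in record["scopes"]


def revoke(plaintext: str) -> bool:
    """Revocation keeps the hash row but marks it inactive, so the key stays dead forever."""
    record = lookup(plaintext)
    if record is None:
        return False
    record["revoked"] = True
    return True


def mask(plaintext: str) -> str:
    """Display form for logs and dashboards: prefix and last four characters only."""
    return f"{KEY_PREFIX}...{plaintext[-4:]}"
```

The plaintext leaves `create_api_key` once and is never written anywhere; a leaked key table therefore yields only hashes, and `mask` is the only form that should reach logs or UI.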
## Credential Handling

Connector credentials are encrypted before storage. Clients receive masked metadata, not raw tokens. Action errors are sanitized before they appear in logs or API responses.
Provider credentials belong in connectors. Backend automation credentials belong in API keys or service accounts. Signing authority belongs in wallets.
## Webhook Safety

| Surface | Protection |
|---|---|
| Incoming workflow webhook | Secret URL and payload validation |
| Outbound execution hook | Signed delivery and retry tracking |
| Outbound HTTP action | HTTPS enforcement and private network protections |
| Public workflow execution | Visibility settings, input schema, and authorization boundary |
## Wallet Safety

Wallet-backed actions should be paired with explicit policy checks. Use branch nodes to verify recipient, asset, amount, chain, and event provenance before transaction nodes.
A workflow that can move funds should be reviewed as production code. Test with representative input, verify every expression, and inspect all public execution paths.
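The policy branch recommended above, written out as an added Python example rather than B3OS branch-node expressions: every rule (recipient, asset, amount, chain, event provenance and freshness) is evaluated and all violations are collected, so the transaction node runs only when the list is empty. Field names, policy shape and the sample values are assumptions for illustration.

```python
from dataclasses import dataclass
from decimal import Decimal

# Constructed illustration of a policy branch placed in front of a transaction node.
# Field names, policy shape and sample values are assumptions; in B3OS this logic
# lives in branch-node expressions rather than Python.


@dataclass(frozen=True)
class TransferRequest:
    chain: str
    asset: str
    recipient: str
    amount: Decimal
    source: str              # provenance of the triggering event, e.g. "webhook:verified"
    event_age_seconds: int   # age of the triggering event when the branch runs


@dataclass(frozen=True)
class TransferPolicy:
    allowed_chains: frozenset
    allowed_assets: frozenset
    recipient_allowlist: frozenset   # stored lower-cased; compared case-insensitively below
    max_amount: Decimal
    trusted_sources: frozenset
    max_event_age_seconds: int = 600


def evaluate(req: TransferRequest, policy: TransferPolicy) -> list:
    """Return every violated rule; an empty list means the transaction node may run.

    Collecting all violations rather than stopping at the first gives a complete
    audit record of why a run was halted.
    """
    violations = []
    if req.chain not in policy.allowed_chains:
        violations.append(f"chain {req.chain!r} not allowed")
    if req.asset not in policy.allowed_assets:
        violations.append(f"asset {req.asset!r} not allowed")
    if req.recipient.lower() not in policy.recipient_allowlist:
        violations.append(f"recipient {req.recipient!r} not on allowlist")
    if req.amount <= 0:
        violations.append("amount must be positive")
    elif req.amount > policy.max_amount:
        violations.append(f"amount {req.amount} exceeds cap {policy.max_amount}")
    if req.source not in policy.trusted_sources:
        violations.append(f"event source {req.source!r} is not trusted")
    if req.event_age_seconds > policy.max_event_age_seconds:
        violations.append("triggering event is stale")
    return violations


def may_proceed(req: TransferRequest, policy: TransferPolicy) -> bool:
    """The branch condition: true only when no rule is violated."""
    return not evaluate(req, policy)


# Constructed sample policy for a payout workflow; chain and asset names are placeholders.
SAMPLE_POLICY = TransferPolicy(
    allowed_chains=frozenset({"example-chain"}),
    allowed_assets=frozenset({"EXAMPLE"}),
    recipient_allowlist=frozenset({"0xabc0000000000000000000000000000000000001"}),
    max_amount=Decimal("500"),
    trusted_sources=frozenset({"webhook:verified"}),
)
```

Amounts are `Decimal`, not float, so cap comparisons are exact, and provenance is a first-class input: an event that did not pass signature verification never reaches the transaction node even if every other field looks legitimate.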
## Safe Workflow Checklist

- Use connectors instead of raw provider credentials.
- Use API keys only from backend systems.
- Keep public workflow input schemas narrow.
- Validate webhook payloads before side effects.
- Add policy branches before wallet actions.
- Mask or omit sensitive values from logs.
- Rotate credentials after teammate or provider access changes.
- Monitor repeated failures and paused workflows.
