MonitoringBeginner

How Monitoring Secrets Are Encrypted at Rest

ObserveOne encrypts stored monitoring secrets with authenticated AES-256-GCM. What is covered, how the write-only design works, and the honest limits.

ObserveOne Team
2 min read

Secrets you store in ObserveOne are encrypted in the application before they are written, so the database only ever holds ciphertext. Here is what that covers and what it does not.

What gets encrypted#

  • API check secrets: every value stored for {{KEY}} resolution.
  • Autopilot suite secrets: the login credentials tests reference as process.env.KEY.
  • Environment secrets: the per-environment values checks resolve at run time.
  • CI tokens that post status checks and PR comments.
  • Webhook signing secrets on deploy integrations.
  • OAuth tokens for connected integrations.

Check results stay readable for debugging, so keep secrets out of anything your endpoints return.

How it works#

PropertyIn practice
AES-256-GCM before storagethe database sees ciphertext, never plaintext
Authenticateda tampered value fails to decrypt instead of returning garbage
Fresh random nonce per valuethe same token saved twice produces different ciphertext

The key lives outside the database, so a leaked backup or over-scoped query reveals nothing. Payloads are versioned, so the key scheme can evolve without a risky migration.

Write-only on top#

After a secret is saved, no read returns its value: endpoints return key names only. A new value replaces it, an empty value deletes it. No reveal button, no plaintext export.

Limitations#

  • Server-side, not end-to-end: the service decrypts at send time to resolve {{KEY}} references.
  • Check results are stored readable; encryption covers stored secrets, not what your API returns.
  • No version history: replacing a value discards the old ciphertext.

The point#

A leaked backup should not leak your tokens. The same vault backs ObserveOne's Autopilot: generated Playwright tests log in via process.env.KEY, never a literal password.

Frequently Asked Questions

No. End-to-end encryption means only you can ever read a value. A monitoring service cannot work that way, because it must place your token in a request header at send time. Encryption at rest protects the stored copy; the service decrypts server-side for the moment a check runs.

Stored secret values are ciphertext, and a backup copies them as ciphertext. The decryption key is not kept in the database, so a leaked backup alone does not reveal values. Backups still deserve protection; they contain everything else about your account, including URLs and response data.

Yes. Encryption at rest and encryption in transit protect against different failures. At-rest encryption covers the stored copy against database-level exposure; TLS covers the value while it travels between you, the service, and the API being checked. Dropping either one reopens a path to plaintext.

Ready for AI-Powered Testing?

ObserveOne monitors your selectors 24/7 and automatically heals them when websites change. Never deal with broken tests again.

Start Free Trial