# Credentials in ARIA

<h2 align="center"><sub>This page means</sub></h2>

<table><thead><tr><th width="308">This page is</th><th>This page is not</th></tr></thead><tbody><tr><td><sub>A plain-language map of storage posture</sub></td><td><sub>A full data map for every column in the database</sub></td></tr><tr><td><sub>Written for operators who own Settings</sub></td><td><sub>A penetration test report</sub></td></tr></tbody></table>

<h2 align="center"><sub>Production</sub></h2>

<sub>When the deployment is configured with a valid</sub> <sub></sub><sub>**`CREDENTIALS MASTER KEY`**</sub> <sub></sub><sub>(64 hex characters, 32 bytes), integration secrets you save in Settings are stored using</sub> <sub></sub><sub>**AES-256-GCM**</sub><sub>: a random IV per value, authentication tag, ciphertext. Only the script that holds the master key (rotated every 24 hours automatically by ARIA) can unpack them for server-side use.</sub>

<sub>If production is misconfigured and the master key is missing, storing new secrets</sub> <sub></sub><sub>**fails**</sub> <sub></sub><sub>rather than silently falling back to weak encoding.</sub>

<h2 align="center"><sub>ARIA Habits</sub></h2>

{% stepper %}
{% step %} <sub>**First**</sub>

<sub>Assume anyone with ARIA database access in production is in the trust and cannot read your credentials because only ARIA has access to the master keys.</sub>
{% endstep %}

{% step %} <sub>**Second**</sub>

<sub>The</sub> <sub></sub><sub>`Remove`</sub> <sub></sub><sub>button deletes the stored value from ARIA for that slot. It does not rotate the vendor key.</sub>
{% endstep %}

{% step %} <sub>**Third**</sub>

<sub>ARIA never send secrets to the browser for “convenience.” Sensitive vendor calls stay on the server.</sub>
{% endstep %}
{% endstepper %}

***

<h2 align="center"><sub>Ask a question</sub></h2>

<p align="center"><sub><strong>Who in ARIA can see your values stored?</strong></sub> <br><sub>If the answer is “I don't know” then read this page again from the top to bottom.</sub></p>


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://docs.ariaagi.com/security-and-privacy/credentials-in-aria.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.