Accounting Credentials Vault
Component Detail
Description
Secure server-side store for per-organization accounting API credentials (Xledger API keys, Dynamics OAuth tokens). Credentials are stored in Supabase Vault and retrieved only within Edge Function execution context, never transmitted to the mobile client. Supports credential rotation and per-environment configuration.
accounting-credentials-vault
Summaries
The Accounting Credentials Vault is the security foundation that makes third-party accounting integrations possible without exposing the organization or its customers to credential theft risk. By storing API keys and OAuth tokens in Supabase Vault — isolated from application code, mobile clients, and logs — it ensures that even a full application compromise cannot result in unauthorized access to financial systems like Xledger or Microsoft Dynamics. This directly reduces the organization's liability and enables enterprise sales by meeting the security requirements that larger customers demand. Credential rotation support means the team can respond to security incidents or scheduled key rotations without service downtime, protecting business continuity.
This component is a non-negotiable prerequisite for any accounting integration and represents a long-term security investment.
This medium-complexity backend component has no external code dependencies but requires Supabase Vault to be provisioned and configured before integration testing can begin — coordinate with infrastructure early. Plan for per-environment credential configuration (staging and production vaults are separate), and establish a process for securely loading initial credentials during deployment. The `rotateCredentials()` interface implies a maintenance workflow that needs documentation and possibly a restricted admin UI or CLI tool. Testing should cover credential retrieval latency under load, rotation without service interruption, and validation failure handling.
Security review is required before this component is deployed to production — schedule a review session with the security lead. The `listConfiguredOrgs()` function should be access-controlled and its usage logged. Overall delivery risk is low-to-medium if Vault provisioning is handled early.
This component wraps Supabase Vault's secret management API to provide a typed, domain-specific interface for accounting credential retrieval and management. `getCredentials(orgId, system): AccountingCredentials` is the primary read path — it constructs a Vault secret key from the org and system identifiers, fetches the secret, and deserializes it into a typed credentials object (e.g., `XledgerCredentials` or `DynamicsOAuthTokens`). `validateCredentials()` performs a lightweight connectivity check against the accounting system's API without triggering a full operation. `rotateCredentials()` must be atomic — write new credentials before invalidating old ones to prevent gaps in availability.
All methods must execute within Edge Function context only; calling this from frontend or mobile code must be blocked at the API gateway or function permission level. Credential objects must never be logged or included in error responses. Use Supabase Vault's environment scoping to separate staging and production secrets.
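The read path and the no-logging rule described above, as an added TypeScript sketch that is not this project's code. The `SecretStore` interface, the `accounting:<orgId>:<system>` naming scheme, the org id format, the `sealed()` helper and the credential field names are all assumptions, and an in-memory Map stands in for Supabase Vault.

```typescript
// Added example: the Map below stands in for Supabase Vault; names are assumptions.
type System = "xledger" | "dynamics";
type XledgerCredentials = { system: "xledger"; apiKey: string };
type DynamicsOAuthTokens = { system: "dynamics"; accessToken: string; refreshToken: string };
type AccountingCredentials = XledgerCredentials | DynamicsOAuthTokens;

interface SecretStore { // hypothetical wrapper around the Vault read call
  read(name: string): string | undefined;
}

const ORG_ID = /^[a-z0-9-]{1,64}$/; // assumed id format; excludes the ":" delimiter

// Build the secret name from validated parts so one org's id cannot alias another's key.
function secretName(orgId: string, system: System): string {
  if (!ORG_ID.test(orgId)) throw new Error("invalid org id");
  return `accounting:${orgId}:${system}`; // assumed naming scheme
}

// Make JSON.stringify (and JSON-based loggers) emit a placeholder instead of the fields.
function sealed<T extends AccountingCredentials>(c: T): T {
  return Object.defineProperty(c, "toJSON", { value: () => "[REDACTED]", enumerable: false });
}

function getCredentials(store: SecretStore, orgId: string, system: System): AccountingCredentials {
  const raw = store.read(secretName(orgId, system));
  if (raw === undefined) throw new Error(`no ${system} credentials configured`);
  let parsed: unknown;
  try { parsed = JSON.parse(raw); } catch { parsed = null; }
  const { apiKey, accessToken, refreshToken } = (parsed ?? {}) as Record<string, unknown>;
  if (system === "xledger" && typeof apiKey === "string") {
    return sealed({ system, apiKey });
  }
  if (system === "dynamics" && typeof accessToken === "string" && typeof refreshToken === "string") {
    return sealed({ system, accessToken, refreshToken });
  }
  // Fixed message: the stored value and the parser's error text never reach the caller.
  throw new Error("stored credentials are malformed");
}

// Constructed sample secrets, not real keys.
const mem = new Map<string, string>([
  ["accounting:org-1:xledger", JSON.stringify({ apiKey: "constructed-key" })],
  ["accounting:org-2:dynamics", "{not json"],
]);
const store: SecretStore = { read: (name) => mem.get(name) };
```

The `toJSON` override only covers JSON serialization; `console.log` and other inspectors still print the fields, so credential objects should still never be passed to a logger.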
Responsibilities
- Store and retrieve org-specific API credentials for accounting systems
- Enforce that credentials are only accessible within server-side execution
- Support credential rotation without service interruption
- Provide environment-aware configuration (staging vs production endpoints)
Interfaces
- `getCredentials(orgId, system): AccountingCredentials`
- `rotateCredentials(orgId, system, newCredentials)`
- `validateCredentials(orgId, system): boolean`
- `listConfiguredOrgs(): string[]`