Securely Store and Rotate Integration API Credentials

• Given I enter API credentials during integration setup, When I save them, Then the credentials are stored encrypted and only a masked representation (e.g., '••••••••abcd') is shown in the UI
• Given I need to update credentials due to a key rotation, When I click 'Update Credentials', Then I can enter new credentials without deleting the integration configuration or sync history
• Given new credentials are entered, When I click 'Validate and Save', Then the system tests the new credentials against the live endpoint before replacing the old credentials, ensuring no downtime
• Given a credential has an expiry date (e.g., OAuth token), When the expiry is within 14 days, Then I receive an in-app notification prompting me to rotate the credential
• Given multiple admins exist in the organization, When credentials are updated, Then the audit log records which admin performed the update and when, for security compliance purposes
• Given I export integration configuration for backup purposes, When the export file is generated, Then API credentials are excluded from the export and a note indicates that credentials must be re-entered on import

API credentials for accounting systems like Xledger and Dynamics have access to sensitive financial data. A credential breach could allow unauthorized access to organization finances, trigger fraudulent payment requests, or expose private financial records. Secure credential storage with encryption, masked display, and rotation capabilities meets GDPR and Norwegian financial regulation requirements. Proactive expiry notifications prevent surprise integration failures during critical payroll periods, which would otherwise require emergency developer intervention.

• Integration Credential Vault data
• Credential Management Form ui
• Integration Configuration Service service
• Organization Integration Repository data
• Integration Config Validator infrastructure
• Accounting Credentials Vault infrastructure