Credential Security Architecture

Executive Summary

This page outlines how Auto Task Lab handles credentials for workflow automations. Our architecture ensures credentials never leave 1Password unencrypted, are fetched only on-demand, and are immediately deleted after use.

The Problem

Workflow automation tools often require storing credentials to log into third-party systems. This creates security risk:

  • Credentials stored in the automation tool become a single point of compromise
  • If the tool is breached, all connected systems are exposed
  • Credential rotation becomes manual and error-prone

Our Solution

Instead of storing credentials, we fetch them on-demand from 1Password, pass them through a secure pipeline, and delete them immediately after use.

Core Principle: Credentials exist only in your 1Password vault and in-flight during automation execution. Nothing is stored.

Architecture

Automation Software → Cloudflare Worker → Cloudflare Tunnel → Gateway (Node.js) → 1Password Connect

Flow

  1. The automation sends a request carrying a dummy token
  2. The Cloudflare Worker validates the token and injects the real authentication headers
  3. The Cloudflare Tunnel encrypts traffic in transit (TLS 1.3)
  4. The gateway validates the request, maps the client hostname to its vault, and fetches the credential
  5. 1Password Connect returns the credential
  6. The credential is passed to the automation for login
  7. The credential is deleted from memory

Security Layers

Layer           Implementation                       Purpose
Network         Cloudflare Tunnel (TLS 1.3)          Encrypted transport to gateway
Identity        Cloudflare Access (Service Tokens)   Authenticate clients before gateway
Authentication  Gateway API Key (Bearer Token)       Protects gateway routes
Isolation       Hostname → Vault mapping             Per-client vault isolation
Storage         1Password (AES-256)                  Credentials encrypted at rest

Key Security Properties

  • Never Stored: Credentials are never stored on our servers. They exist only in-flight during automation execution.
  • On-Demand Fetch: Credentials are retrieved from 1Password only when an automation requires them.
  • Client Isolation: Each client has a dedicated tunnel hostname mapped to exactly one vault. Cross-client access is architecturally impossible.
  • Audit Trail: All requests are logged with timestamp, source IP, and client hostname.
  • No MFA Storage: Live MFA codes (TOTP) are generated at request time, never stored.

What We Don't Do

  • ❌ Store credentials on our servers
  • ❌ Cache credentials for reuse
  • ❌ Share credentials between clients
  • ❌ Expose credentials to the public internet
  • ❌ Store real credentials in automation software (clients use dummy tokens only)

Compliance Considerations

Encryption in transit: TLS 1.3 via Cloudflare Tunnel
Encryption at rest: 1Password AES-256
Access control: Service tokens + API keys + hostname mapping
Audit logging: Gateway logs + Cloudflare Access logs
Data residency: Credentials remain in the client's 1Password vault (cloud or on-prem)

Summary

Auto Task Lab's credential architecture keeps your credentials in your 1Password vault—fetched only when needed, deleted immediately after use. We never store, cache, or share credentials. This approach eliminates the risk of credential exposure through our platform while maintaining the functionality needed for workflow automation.

For questions, contact us.