Access tokens

Connecting to Deploy or self-hosted KV databases requires an access token. These tokens effectively give root/admin access to the database, therefore it is very important to protect these tokens from exposure. To prevent you having to re-enter your token on every operation, KV Client stores access tokens in its KV database which is reused on subsequent KV operations.

Deno Deploy tokens

Deno Deploy tokens are stored against the session of the user, meaning only the user who added that token (which was stored against their unique session cookie) can access Deploy using that token.

Self-hosted tokens

In contrast, self-hosted tokens are stored against the connection and used by anyone with access to KV Client.

Token encryption

All tokens are encrypted at rest in the database and never directly accessible to a user. KV Client protects against token leakage in a multi-user environment by using a mutex when establishing the connection. Tokens are encrypted using either an in-memory encryption key (generated on process start) or via a user-supplied value. In-memory keys are lost on process termination requiring Deploy connectivity to be re-established and self-hosted connections to be re-entered. It is recommended for the user to supply an encryption key (aka password) via the KV_CLIENT_ENCRYPTION_KEY environment variable. There are no restrictions on the encryption key/password in length or complexity.

Access tokens

Deno Deploy tokens​

Self-hosted tokens​

Token encryption​

Deno Deploy tokens

Self-hosted tokens

Token encryption