Connect once, sync authenticated
The credential vault is now wired into the ingestion pipeline — a connector's OAuth/API credentials are stored encrypted-at-rest per tenant and resolved at sync time, so the connector pack can actually authenticate.
The connector pack can read Google Ads, GA4, HubSpot, Gmail, Slack, and
Drive. But a connector needs a credential to authenticate — and until now the sync pipeline never gave
it one. This release closes that gap (v1.36): a tenant's connector credentials are stored
encrypted at rest and resolved at sync time.
Encrypted at rest, per tenant
Credentials are sealed with AES-256-GCM under a per-tenant data-encryption key (KMS-wrapped in production, a local key in dev). The database only ever holds ciphertext, a nonce, and an auth tag — never a token in the clear. The plaintext exists only in memory, for the duration of a sync.
Resolved at sync time
When a source syncs, the runtime looks up the org's stored credential, decrypts it, and hands it to the
connector as ctx.credentials. The connector authenticates and pulls only what changed (the
durable, incremental pipeline does the rest). Connectors that need no
credential — like the web crawler — simply get none. Revoked credentials are never resolved.
Why it matters
This is the last piece between "the connector pack exists" and "a real account connects and syncs." It's what the two reference deployments — RevOps (HubSpot, Gmail, Slack, Drive) and a PPC/CRO client (Google Ads, GA4) — need to pull live data, scoped to their tenant, on a schedule. With this in, standing them up is a matter of connecting accounts, not platform work.