Multi-tenant architecture diagram Multi-tenant architecture diagram (dark mode)

Overview

Bluvo implements enterprise-grade encryption for all exchange API keys and sensitive credentials. Through our integration with the @better-auth API Keys plugin and our multi-tenant architecture, your exchange credentials are encrypted at rest, isolated by tenant, and protected through multiple security layers.

Motivation

Exchange API keys represent direct access to funds and require exceptional security. Unlike typical API credentials, crypto exchange keys:
  • Can authorize trading operations and withdrawals if compromised
  • Are typically long-lived and don’t always support automatic rotation
  • Provide broad permissions that are difficult to scope down
  • Are targeted specifically by sophisticated attackers
Once exchange credentials are leaked, the damage is immediate and often irreversible. This reality creates additional challenges:
  • Securing keys while maintaining high-performance access
  • Preventing lateral movement between customer environments
  • Meeting regulatory requirements for data protection
  • Providing cryptographic proof of isolation for audits
Bluvo’s encryption architecture solves these problems with a comprehensive approach that provides defense in depth for your most sensitive credentials.

Implementation

Key Storage Strategy

Every API key in Bluvo is protected through a multi-layered approach: 
// Example of how Bluvo stores API keys (simplified)
const storedCredential = {
  exchangeId: 'binance',
  encryptedApiKey: 'AES256.XXXX...', // Encrypted with tenant-specific key
  encryptedSecret: 'AES256.XXXX...', // Encrypted with tenant-specific key
  iv: 'XXXX...', // Initialization vector
  createdAt: '2023-04-17T10:20:30Z',
  lastUsed: '2023-04-17T10:20:30Z',
  permissions: ['trade', 'read']
}
Each credential is:
  1. Encrypted using AES-256-CBC with a unique initialization vector
  2. Stored in your isolated tenant database
  3. Accessed only through authenticated API requests
  4. Decrypted in memory only when needed for exchange operations

Better-auth API Keys Plugin

Bluvo leverages the @better-auth API Keys plugin which provides:
  • Secure key generation following cryptographic best practices
  • Automatic encryption of sensitive values
  • Access control through fine-grained permissions
  • Activity logging for security monitoring
This ensures that API keys are protected with the same level of security that would be applied to passwords and user credentials.

Tenant-Specific Encryption Keys

In addition to our multi-tenant database architecture, we also employ tenant-specific encryption keys:
  • Each customer has a unique encryption key that is isolated from other tenants
  • Encryption keys are stored separately from the encrypted data
  • Key material is never logged or exposed in error messages
This ensures that even in a hypothetical breach scenario, one tenant’s encryption keys cannot decrypt another tenant’s data.

Encryption Key Management

Bluvo implements best practices for encryption key management:
  • Key hierarchy with master keys and data encryption keys
  • Access control limiting key access to essential services
All encryption operations follow the principle of least privilege, ensuring that decryption happens only when absolutely necessary.

How It Works

When one of your customers connects a wallet to Bluvo, the following steps occur:
  1. Organization Identification: We identify the organization behind the Bluvo API Key
  2. Project Authentication: We identify the project and verify the API Key has wallet connection permissions
  3. Exchange Validation: We validate your exchange API keys with a test interaction
  4. Encryption Process: We encrypt your exchange credentials using node:crypto aes-256-cbc following latest patched best practices
  5. Secure Storage: We store your API keys at rest in an encrypted format using the tenant-specific encryption key
Encryption architecture diagram Encryption architecture diagram (dark mode) This architecture provides defense in depth through multiple security layers:
  1. Authentication layer ensures only authorized users access the system
  2. Tenant isolation restricts access to your specific database
  3. Encryption layer protects the actual credential values
  4. Key isolation ensures tenant-specific encryption keys
  5. Memory protection prevents persistence of decrypted values

Security Features

The @better-auth API Keys plugin provides additional security capabilities:
  • Key rotation for regularly updating credentials
  • Permission scopes for limiting access to specific operations
  • Usage analytics for monitoring suspicious activities
  • Revocation for immediate credential invalidation

Multi-Layer Security Shield

Bluvo doesn’t just encrypt your data; it wraps it in multiple layers of battle-tested protection that work together to create an impenetrable security shield.

Intelligent Rate Limiting

Brute force attacks are handled with a smart rate-limiting system that adapts: 
const rateLimit = calculateDynamicRateLimit({
  endpoint: '/wallet/connect',
  ipAddress: request.ip,
  previousAttempts: await getRecentAttempts(request.ip)
});
  • IP-based rate limiting intelligently throttles suspicious request patterns
  • Enhanced protection on authentication endpoints where it matters most
  • Progressive backoff increases delays exponentially for repeated failures
  • (Coming Soon) IP-based allowlisting for whitelisting trusted IPs

Next-Gen Session Management

Your sessions aren’t just stored; they’re protected by a complete security system:
  • Zero-knowledge session storage in dedicated tenant databases
  • Intelligent expiration that adapts to user behavior and risk profiles
  • One-click revocation for immediate response to security events (you can just delete an API key and all sessions will be invalidated)
  • Automatic token refresh minimizes the need for re-authentication

The Multi-Tenant Advantage

What makes Bluvo’s approach to encryption truly unique is how it integrates with our multi-tenant architecture. This isn’t just another security feature; it’s a fundamental design principle. 
// Tenant isolation in action
const decryptCredentials = async (encryptedData, tenantId) => {
  // Each tenant has its own encryption key that can ONLY
  // decrypt their own data
  const tenantKey = await keyManager.getTenantKey(tenantId);
  return decrypt(encryptedData, tenantKey);
};
  • True tenant isolation keeps your data in separate databases with separate encryption keys
  • Cryptographic boundaries ensure that even in worst-case scenarios, breaches can’t cross tenant lines
  • Global consistency maintains identical security standards across all geographic regions
This combination creates both logical and cryptographic separation between tenants; a security approach that requires multiple simultaneous compromises to breach.

Benefits

On a technical level, Bluvo will:
  • Eliminate hundreds of lines of complex security code from your codebase
  • Make your exchange integrations secure by default without constant monitoring
  • Have a direct impact on compliance audits and security certifications
  • Transform incident response through tenant isolation and comprehensive audit trails

Security That Works For You

Rather than building yet another security system that gets in your way, Bluvo’s security features are designed to enhance your workflow:
  • Zero plaintext storage of sensitive credentials
  • Complete tenant isolation through cryptographic boundaries
  • Defense in depth that protects against multiple attack vectors
  • Developer-friendly API that abstracts away security complexity
  • Comprehensive logging for security auditing and compliance

Developer Implementation

Here’s how simple it is to securely connect a wallet to your Bluvo account: 
// Connect a wallet with Binance API credentials
import {createClient} from '@bluvo/sdk-ts';

// Get yours at https://docs.bluvo.co/introduction
const client = createClient({
    orgId: "a2e98409-cd68-48c4-853c-73d9228764c0", // Org database
    projectId: "b16e1c13-74ad-4b95-b252-0c12e2215b18", // My project
    apiKey: "Your bluvo secret API key"
});

const {workflowRunId} = await client
    .wallet
    .connect(
        'binance',
        'i decide my own wallet id',
        '<your-binance-account-api-key>',
        '<your-binance-account-api-secret>'
    );

// Behind the scenes, Bluvo:
// 1. Identifies your organization using the orgId
// 2. Verifies your project and API key permissions
// 3. Validates the exchange API keys with a test interaction
// 4. Encrypts credentials using node:crypto aes-256-cbc
// 5. Stores encrypted values in your isolated database
From this point forward, you can use Bluvo’s API without ever handling the raw credentials again: 
// Execute operations without directly handling credentials
const {
    walletId,
    exchange,
    balances
} = await client
    .wallet
    .get('wallet-id-here');
All encryption, decryption, and security controls happen automatically.

Want to Own Your API Keys?

For enterprises with strict security requirements, we offer a self-hosted API key management option. This allows you to:
  • Maintain complete control over your encryption keys and credentials
  • Host the encryption layer within your own infrastructure
  • Meet specific compliance requirements for sensitive data handling
  • Integrate with your existing HSM or key management systems
Contact our sales team to learn more about our enterprise key management solutions:

Next Steps

Ready to learn more about Bluvo’s security features?