Credential Architecture
Hyperscale operates a credential custody model. When you integrate with Hyperscale, you receive a single API key. We handle all downstream provider authentication — their tokens, API keys, and OAuth credentials are encrypted and held in our vault. Your systems never see them.
Key Types & Prefixes
Hyperscale uses prefixed API keys following the Stripe pattern. The prefix tells you instantly what environment and permission level the key has.
sk_live_*: Secret Key (Live)
Full access to production APIs. Never expose in client-side code.
Server-side only
sk_test_*: Secret Key (Test)
Full access to sandbox APIs. Safe for development and testing.
Server-side only
pk_live_*: Publishable Key (Live)
Limited access for client-side operations like tokenization.
Safe for client-side
pk_test_*: Publishable Key (Test)
Limited sandbox access for client-side development.
Safe for client-side
Key Hierarchy
Hyperscale uses a three-tier key hierarchy following NIST guidelines. Each tier provides defense in depth and limits blast radius.
Master Key
HSM-protected root key, never leaves secure enclave
Data Encryption Keys (DEKs)
Derived keys for encrypting credential data at rest
Per-Provider Keys
Isolated encryption for each downstream provider
Key Derivation: DEKs are derived using HKDF (RFC 5869) with unique context per provider. Even if a DEK is compromised, other providers remain protected.
Token Lifecycle
Hyperscale implements OAuth 2.0 with PKCE (RFC 7636) for secure authorization. All tokens have short lifetimes and are automatically rotated.
Access Token
TTL: 15 minutes
Short-lived API access credential
Memory only, never persisted
Refresh Token
TTL: 30 days
Long-lived token for obtaining new access tokens
Encrypted at rest, rotated on use
Authorization Code
TTL: 5 minutes
One-time code for token exchange
Not stored, used immediately
Security Practices
Defense in depth across the entire credential lifecycle.
AES-256-GCM Encryption
All credentials encrypted with authenticated encryption, protecting against both unauthorized decryption and undetected tampering.
HSM-Backed Key Storage
Master keys stored in FIPS 140-2 Level 3 Hardware Security Modules. Keys never leave the HSM.
Automatic Token Rotation
Refresh tokens are rotated on every use. Old tokens immediately invalidated.
Zero-Knowledge Architecture
Your systems never see downstream provider credentials. Hyperscale proxies all requests.
Audit Logging
Every credential access logged with timestamp, IP, and user agent. Immutable audit trail.
Breach Detection
Anomaly detection on credential usage patterns. Automatic alerts and optional lockdown.