Skip to main content
Corsair handles authentication for production-grade applications. Whether you need OAuth flows, API keys, or bot tokens, Corsair manages credentials across all your tenants.
corsair.ts

Auth Types

Choose the auth type for each integration:

API Key

For integrations that use static API keys or bot tokens.

OAuth 2.0

For integrations that require user authorization.

Automatic Token Refresh

When using OAuth, tokens expire. Corsair handles this automatically:
  1. Before making a request, checks if the token is expired
  2. If expired, uses the refresh token to get a new access token
  3. Stores the new token and continues with the request
You never have to think about token rotation.

Envelope Encryption

Corsair uses envelope encryption to protect credentials:
  1. You set one KEK (Key Encryption Key) in your environment variables
  2. Each connection gets its own DEK (Data Encryption Key)
  3. All credentials are encrypted with the connection’s DEK
  4. The DEK is encrypted with your KEK
.env
Each connection has a different DEK, so compromising one connection’s key doesn’t expose others.
This holds whether you self-host or use Hub. Hub is a relay for connect, approval, and webhook surfaces — it stores none of your credentials. Encrypted tokens are persisted only in your database in both modes.

Bring Your Own KMS

If you’re using a Key Management Service (AWS KMS, Google Cloud KMS, etc.), you can opt out of Corsair’s built-in encryption.
corsair.ts

Multi-Tenant Credentials

With multi-tenancy, each tenant has their own credentials stored securely.
example.ts
Corsair retrieves the correct credentials for each tenant automatically.