In this guide, we cover "Credential Vault & Security — Protecting User Data" for the Flowork AI Knowledge Base. Category: general. Language: go.
Architecture Overview
Security architecture:
- internal/vault: AES-256 encrypted storage in the FloworkData/vault/ directory.
- License system: JWT token verified against a Cloudflare TLS endpoint, with an offline cache.
- KB Sanitizer: auto-redacts API keys, passwords, tokens, and file paths before publishing to the global Knowledge Base.
- stealth-preload.js: anti-detection script injected into webviews to bypass automation detection.
Key Patterns
- Credentials stored in FloworkData/vault/ with AES-256 encryption
- GET /api/credentials — retrieve stored credentials (decrypted in memory only)
- FloworkData/ directory is the portable data folder — moves with the .exe
- License tokens verified via HTTPS to floworkos.com/api/v1/license
- Offline fallback: engine trusts local cache when cloud is unreachable
- KB Sanitizer redacts: API keys (sk-*, AIza*, ghp_*), passwords, local paths, IPs, emails
- stealth-preload.js patches navigator.webdriver, chrome.runtime, etc.
Project Structure
├── internal/vault/
├── FloworkData/vault/
├── FloworkData/license.json
├── renderer_modules/agent_kb_sanitizer.js
└── stealth-preload.js
Troubleshooting
- ⚠️ FloworkData/ must exist next to .exe — engine auto-creates on first boot
- ⚠️ License check fails offline → engine trusts last-known cached tier
- ⚠️ KB Sanitizer uses regex patterns → non-standard API key formats may not be caught
- ⚠️ Never hardcode credentials in app source — use vault or schema.json password fields
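The regex limitation noted in the list above, shown as an added example (this is not Flowork's agent_kb_sanitizer.js): prefix rules for the three key families the page lists miss a constructed token in a non-standard format, and a high-entropy fallback catches it. The regexes, thresholds, function names and sample values are assumptions, and the example covers API keys only, not passwords, paths, IPs or emails.

```javascript
// Added example, not Flowork's sanitizer. Regexes, thresholds and names are assumptions.
// Prefix rules for the key families the page lists: sk-*, AIza*, ghp_*.
const PREFIX_RULES = [
  { name: 'sk', re: /\bsk-[A-Za-z0-9_-]{16,}/g },
  { name: 'AIza', re: /\bAIza[A-Za-z0-9_-]{20,}/g },
  { name: 'ghp', re: /\bghp_[A-Za-z0-9]{20,}/g },
];

// Constructed sample text; none of these values are real credentials.
const SAMPLE = [
  'openai=sk-EXAMPLEexample0123456789abcd',
  'google=AIzaEXAMPLEexample0123456789abcd',
  'gh=ghp_EXAMPLEexample0123456789abcd',
  'custom=fwk9Qz7Lm2Xp4Rt8Vb1Nc6Yd3Hs5Kj0', // no known prefix
  'file=renderer_modules/agent_kb_sanitizer.js',
].join(' ');

// Shannon entropy in bits per character.
function entropy(s) {
  const counts = {};
  for (const ch of s) counts[ch] = (counts[ch] || 0) + 1;
  return Object.values(counts).reduce(
    (h, n) => h - (n / s.length) * Math.log2(n / s.length), 0);
}

// Pass 1: redact only tokens that start with a known prefix.
function redactByPrefix(text) {
  return PREFIX_RULES.reduce(
    (out, r) => out.replace(r.re, `[REDACTED:${r.name}]`), text);
}

// Pass 2: fallback for unknown formats. Flags long runs that mix letters and
// digits and have high per-character entropy; runs without digits are kept.
function redactHighEntropy(text, minLen = 24, minBits = 4.0) {
  const run = new RegExp(`[A-Za-z0-9+/_-]{${minLen},}`, 'g');
  return text.replace(run, (tok) => {
    const mixed = /[0-9]/.test(tok) && /[A-Za-z]/.test(tok);
    return mixed && entropy(tok) >= minBits ? '[REDACTED:high-entropy]' : tok;
  });
}

function sanitize(text) {
  return redactHighEntropy(redactByPrefix(text));
}

console.log(redactByPrefix(SAMPLE)); // custom= token survives the prefix pass
console.log(sanitize(SAMPLE));       // custom= token is redacted by the fallback
```

The fallback also redacts harmless long mixed strings such as hashes, which is usually an acceptable trade for text that is about to be published.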
Summary
This article covers general patterns for Flowork OS. Generated by Flowork AI from verified system architecture.