create-authhero 0.43.0 → 0.45.0

package/dist/aws-sst/README.md

@@ -133,6 +133,28 @@ Enable auto-scaling or increase provisioned capacity in `sst.config.ts`.
 
 Ensure the S3 bucket and CloudFront are properly configured. Check browser console for CORS errors.
 
+## Encryption at rest
+
+Sensitive credential fields (client secrets, connection secrets, email
+credentials, TOTP secrets, migration-source secrets) are encrypted at rest.
+A random `ENCRYPTION_KEY` was generated into `.env` when this project was
+created. `sst.config.ts` forwards it to the Lambda, and `src/index.ts` enables
+encryption whenever the key is present.
+
+> **The key is load-bearing.** If you delete, rotate, or lose `ENCRYPTION_KEY`,
+> any values already encrypted with it become unreadable. Treat the key as a
+> long-lived secret, back it up, and use a separate key per deployment stage.
+
+For production, set `ENCRYPTION_KEY` in your deploy environment / secret store
+rather than reusing the generated dev key.
+
+Helper scripts:
+
+```bash
+npm run gen:key                   # print a fresh base64 key
+npm run decrypt -- "enc:v1:..."   # decrypt a stored value using ENCRYPTION_KEY from .env
+```
+
 ## Learn More
 
 - [SST Documentation](https://sst.dev/docs)

package/dist/aws-sst/scripts/decrypt-field.mjs

@@ -0,0 +1,33 @@
+#!/usr/bin/env node
+import { loadEncryptionKey, decryptField } from "authhero";
+
+// Decrypt a stored field value using ENCRYPTION_KEY from the environment.
+// Usage: node --env-file=.env scripts/decrypt-field.mjs "enc:v1:..."
+// Values without the enc:v1: prefix (legacy plaintext) are printed unchanged.
+const value = process.argv[2];
+
+if (!value) {
+  console.error(
+    'Usage: node --env-file=<env> scripts/decrypt-field.mjs "<value>"',
+  );
+  process.exit(1);
+}
+
+const keyB64 = process.env.ENCRYPTION_KEY;
+if (!keyB64) {
+  console.error(
+    "ENCRYPTION_KEY is not set. Pass it via --env-file or the environment.",
+  );
+  process.exit(1);
+}
+
+try {
+  const key = await loadEncryptionKey(keyB64);
+  console.log(await decryptField(value, key));
+} catch (error) {
+  console.error(
+    "Failed to decrypt:",
+    error instanceof Error ? error.message : error,
+  );
+  process.exit(1);
+}

package/dist/aws-sst/scripts/generate-encryption-key.mjs

@@ -0,0 +1,7 @@
+#!/usr/bin/env node
+import crypto from "node:crypto";
+
+// Print a fresh base64-encoded 32-byte (AES-256) key suitable for
+// ENCRYPTION_KEY. Copy the output into your env file (.env / .dev.vars) or set
+// it as a production secret.
+console.log(crypto.randomBytes(32).toString("base64"));

package/dist/aws-sst/src/index.ts

@@ -2,6 +2,11 @@ import { handle } from "hono/aws-lambda";
 import { DynamoDBClient } from "@aws-sdk/client-dynamodb";
 import { DynamoDBDocumentClient } from "@aws-sdk/lib-dynamodb";
 import createAdapters from "@authhero/aws";
+import {
+  DataAdapters,
+  createEncryptedDataAdapter,
+  loadEncryptionKey,
+} from "authhero";
 import createApp from "./app";
 import type { APIGatewayProxyEventV2, Context } from "aws-lambda";
 
@@ -23,6 +28,22 @@ const dataAdapter = createAdapters(docClient, {
   tableName: process.env.TABLE_NAME,
 });
 
+// Encrypt sensitive credential fields at rest when ENCRYPTION_KEY is set.
+// The wrapped adapter is built once and cached across warm invocations.
+let encryptedAdapterPromise: Promise<DataAdapters> | null = null;
+async function getDataAdapter(): Promise<DataAdapters> {
+  if (!process.env.ENCRYPTION_KEY) {
+    return dataAdapter;
+  }
+  if (!encryptedAdapterPromise) {
+    const rawKey = process.env.ENCRYPTION_KEY;
+    encryptedAdapterPromise = loadEncryptionKey(rawKey).then((key) =>
+      createEncryptedDataAdapter(dataAdapter, key),
+    );
+  }
+  return encryptedAdapterPromise;
+}
+
 export async function handler(event: APIGatewayProxyEventV2, context: Context) {
   // Compute issuer from the request
   const host = event.headers.host || event.requestContext.domainName;
@@ -51,7 +72,7 @@ export async function handler(event: APIGatewayProxyEventV2, context: Context) {
   // Create app instance per request to avoid issuer contamination
   // Lambda containers are reused, so we can't mutate process.env.ISSUER globally
   const appWithIssuer = createApp({
-    dataAdapter,
+    dataAdapter: await getDataAdapter(),
     allowedOrigins,
     widgetUrl,
   });

package/dist/aws-sst/sst.config.ts

@@ -55,6 +55,10 @@ export default $config({
       environment: {
         TABLE_NAME: table.name,
         WIDGET_URL: assets.url,
+        // At-rest encryption key for sensitive credentials. Sourced from the
+        // environment (e.g. a generated .env loaded by SST, or your CI/secret
+        // store). Encryption is skipped when this is empty.
+        ENCRYPTION_KEY: process.env.ENCRYPTION_KEY ?? "",
       },
       nodejs: {
         install: ["@authhero/aws"],

package/dist/cloudflare/.dev.vars.example

@@ -5,6 +5,16 @@
 # The .dev.vars file is used by wrangler for local development.
 # ============================================================================
 
+# ============================================================================
+# Encryption at rest
+# ============================================================================
+# Base64-encoded 32-byte key used to encrypt sensitive credential fields
+# (client secrets, connection secrets, email credentials, TOTP secrets, etc.).
+# `create-authhero` writes a generated key into .dev.vars for local dev.
+# In production, set it as a secret instead: `wrangler secret put ENCRYPTION_KEY`.
+# Generate one with: openssl rand -base64 32
+# ENCRYPTION_KEY=
+
 # ============================================================================
 # OPTIONAL: Analytics Engine Configuration
 # ============================================================================

package/dist/cloudflare/README.md

@@ -404,3 +404,28 @@ Cloudflare Rate Limiting helps protect your authentication endpoints from abuse.
 | `limit`        | Max requests allowed               | `100`    |
 | `period`       | Time window in seconds             | `60`     |
 | `namespace_id` | Unique ID (string) for the limiter | `"1001"` |
+
+## Encryption at rest
+
+Sensitive credential fields (client secrets, connection secrets, email
+credentials, TOTP secrets, migration-source secrets) are encrypted at rest.
+A random `ENCRYPTION_KEY` was generated into `.dev.vars` when this project was
+created, and `src/index.ts` enables encryption whenever the key is present.
+
+> **The key is load-bearing.** If you delete, rotate, or lose `ENCRYPTION_KEY`,
+> any values already encrypted with it become unreadable. In local dev you can
+> recover by recreating the D1 database and re-seeding. In production, treat the
+> key as a long-lived secret and back it up.
+
+For production, set the key as a Worker secret (do **not** reuse the dev key):
+
+```bash
+wrangler secret put ENCRYPTION_KEY
+```
+
+Helper scripts:
+
+```bash
+npm run gen:key                   # print a fresh base64 key
+npm run decrypt -- "enc:v1:..."   # decrypt a stored value using ENCRYPTION_KEY from .dev.vars
+```

package/dist/cloudflare/scripts/decrypt-field.mjs

@@ -0,0 +1,33 @@
+#!/usr/bin/env node
+import { loadEncryptionKey, decryptField } from "authhero";
+
+// Decrypt a stored field value using ENCRYPTION_KEY from the environment.
+// Usage: node --env-file=.env scripts/decrypt-field.mjs "enc:v1:..."
+// Values without the enc:v1: prefix (legacy plaintext) are printed unchanged.
+const value = process.argv[2];
+
+if (!value) {
+  console.error(
+    'Usage: node --env-file=<env> scripts/decrypt-field.mjs "<value>"',
+  );
+  process.exit(1);
+}
+
+const keyB64 = process.env.ENCRYPTION_KEY;
+if (!keyB64) {
+  console.error(
+    "ENCRYPTION_KEY is not set. Pass it via --env-file or the environment.",
+  );
+  process.exit(1);
+}
+
+try {
+  const key = await loadEncryptionKey(keyB64);
+  console.log(await decryptField(value, key));
+} catch (error) {
+  console.error(
+    "Failed to decrypt:",
+    error instanceof Error ? error.message : error,
+  );
+  process.exit(1);
+}

package/dist/cloudflare/scripts/generate-encryption-key.mjs

@@ -0,0 +1,7 @@
+#!/usr/bin/env node
+import crypto from "node:crypto";
+
+// Print a fresh base64-encoded 32-byte (AES-256) key suitable for
+// ENCRYPTION_KEY. Copy the output into your env file (.env / .dev.vars) or set
+// it as a production secret.
+console.log(crypto.randomBytes(32).toString("base64"));

package/dist/cloudflare/src/index.ts

@@ -3,7 +3,11 @@ import { Kysely } from "kysely";
 import createAdapters from "@authhero/kysely-adapter";
 import createApp from "./app";
 import { Env } from "./types";
-import { AuthHeroConfig } from "authhero";
+import {
+  AuthHeroConfig,
+  createEncryptedDataAdapter,
+  loadEncryptionKey,
+} from "authhero";
 
 // ──────────────────────────────────────────────────────────────────────────────
 // OPTIONAL: Uncomment to enable Cloudflare adapters (Analytics Engine, etc.)
@@ -20,7 +24,15 @@ export default {
 
     const dialect = new D1Dialect({ database: env.AUTH_DB });
     const db = new Kysely<any>({ dialect });
-    const dataAdapter = createAdapters(db, { useTransactions: false });
+    let dataAdapter = createAdapters(db, { useTransactions: false });
+
+    // Encrypt sensitive credential fields at rest when ENCRYPTION_KEY is set.
+    // In local dev it comes from .dev.vars; in production set it with
+    // `wrangler secret put ENCRYPTION_KEY`. Without it, behavior is unchanged.
+    if (env.ENCRYPTION_KEY) {
+      const encryptionKey = await loadEncryptionKey(env.ENCRYPTION_KEY);
+      dataAdapter = createEncryptedDataAdapter(dataAdapter, encryptionKey);
+    }
 
     // ────────────────────────────────────────────────────────────────────────
     // OPTIONAL: Cloudflare Analytics Engine for centralized logging

package/dist/cloudflare/src/types.ts

@@ -6,6 +6,11 @@
 export interface Env {
   AUTH_DB: D1Database;
 
+  // Base64-encoded 32-byte key for at-rest encryption of sensitive credential
+  // fields. Set in .dev.vars locally and via `wrangler secret put ENCRYPTION_KEY`
+  // in production. Optional — encryption is skipped when unset.
+  ENCRYPTION_KEY?: string;
+
   // ──────────────────────────────────────────────────────────────────────────
   // OPTIONAL: Analytics Engine for centralized logging
   // Uncomment to enable:

package/dist/create-authhero.js

@@ -3,10 +3,14 @@ import { Command as e } from "commander";
 import t from "inquirer";
 import n from "fs";
 import r from "path";
-import { fileURLToPath as i } from "url";
-import { spawn as a } from "child_process";
+import i from "crypto";
+import { fileURLToPath as a } from "url";
+import { spawn as o } from "child_process";
 //#region src/index.ts
-var o = new e(), s = {
+function s() {
+	return i.randomBytes(32).toString("base64");
+}
+var c = new e(), l = {
 	local: {
 		name: "Local (SQLite)",
 		description: "Local development setup with SQLite database - great for getting started",
@@ -18,10 +22,12 @@ var o = new e(), s = {
 				version: "1.0.0",
 				type: "module",
 				scripts: {
-					dev: "npx tsx watch src/index.ts",
-					start: "npx tsx src/index.ts",
+					dev: "npx tsx watch --env-file=.env src/index.ts",
+					start: "npx tsx --env-file=.env src/index.ts",
 					migrate: "npx tsx src/migrate.ts",
-					seed: "npx tsx src/seed.ts"
+					seed: "npx tsx --env-file=.env src/seed.ts",
+					"gen:key": "node scripts/generate-encryption-key.mjs",
+					decrypt: "node --env-file=.env scripts/decrypt-field.mjs"
 				},
 				dependencies: {
 					"@authhero/kysely-adapter": a,
@@ -69,7 +75,9 @@ var o = new e(), s = {
 					"seed:local": "node seed-helper.js",
 					"seed:remote": "node seed-helper.js '' '' remote",
 					seed: "node seed-helper.js",
-					setup: "cp wrangler.toml wrangler.local.toml && cp .dev.vars.example .dev.vars && echo '✅ Created wrangler.local.toml and .dev.vars - update with your IDs'"
+					setup: "cp wrangler.toml wrangler.local.toml && cp .dev.vars.example .dev.vars && echo '✅ Created wrangler.local.toml and .dev.vars - update with your IDs'",
+					"gen:key": "node scripts/generate-encryption-key.mjs",
+					decrypt: "node --env-file=.dev.vars scripts/decrypt-field.mjs"
 				},
 				dependencies: {
 					"@authhero/drizzle": a,
@@ -135,8 +143,10 @@ var o = new e(), s = {
 					dev: "sst dev",
 					deploy: "sst deploy --stage production",
 					remove: "sst remove",
-					seed: "npx tsx src/seed.ts",
-					"copy-assets": "node copy-assets.js"
+					seed: "npx tsx --env-file=.env src/seed.ts",
+					"copy-assets": "node copy-assets.js",
+					"gen:key": "node scripts/generate-encryption-key.mjs",
+					decrypt: "node --env-file=.env scripts/decrypt-field.mjs"
 				},
 				dependencies: {
 					"@authhero/aws": a,
@@ -163,13 +173,13 @@ var o = new e(), s = {
 		seedFile: "seed.ts"
 	}
 };
-function c(e, t) {
+function u(e, t) {
 	n.readdirSync(e).forEach((i) => {
 		let a = r.join(e, i), o = r.join(t, i);
-		n.lstatSync(a).isDirectory() ? (n.mkdirSync(o, { recursive: !0 }), c(a, o)) : n.copyFileSync(a, o);
+		n.lstatSync(a).isDirectory() ? (n.mkdirSync(o, { recursive: !0 }), u(a, o)) : n.copyFileSync(a, o);
 	});
 }
-function l(e, t = !1, n = "authhero-local", r) {
+function d(e, t = !1, n = "authhero-local", r) {
 	let i = e ? "control_plane" : "main", a = e ? "Control Plane" : "Main", o = [
 		"https://manage.authhero.net/auth-callback",
 		"https://local.authhero.net/auth-callback",
@@ -314,7 +324,7 @@ function l(e, t = !1, n = "authhero-local", r) {
 	return `import { SqliteDialect, Kysely } from "kysely";
 import Database from "better-sqlite3";
 import createAdapters from "@authhero/kysely-adapter";
-import { seed${t ? ", USERNAME_PASSWORD_PROVIDER" : ""} } from "authhero";
+import { seed, createEncryptedDataAdapter, loadEncryptionKey${t ? ", USERNAME_PASSWORD_PROVIDER" : ""} } from "authhero";
 
 interface ExtraClient {
   client_id: string;
@@ -368,7 +378,13 @@ async function main() {
   });
 
   const db = new Kysely<any>({ dialect });
-  const adapters = createAdapters(db);
+  let adapters = createAdapters(db);
+
+  // Match the server: encrypt seeded secrets at rest when a key is configured.
+  if (process.env.ENCRYPTION_KEY) {
+    const encryptionKey = await loadEncryptionKey(process.env.ENCRYPTION_KEY);
+    adapters = createEncryptedDataAdapter(adapters, encryptionKey);
+  }
 
   const seedResult = await seed(adapters, {
     adminUsername,
@@ -417,7 +433,7 @@ main().catch((err) => {
 });
 `;
 }
-function u(e, t) {
+function f(e, t) {
 	let n = t ? "import fs from \"fs\";\n" : "", r = t ? "\nconst adminDistPath = path.resolve(\n  __dirname,\n  \"../node_modules/@authhero/admin/dist\",\n);\nconst adminIndexPath = path.join(adminDistPath, \"index.html\");\n" : "", i = t ? `
   // Add admin UI handler if the package is installed
   if (fs.existsSync(adminIndexPath)) {
@@ -546,14 +562,15 @@ ${i}
 }
 `;
 }
-function d(e) {
+function p(e) {
 	return `import { D1Dialect } from "kysely-d1";
 import { Kysely } from "kysely";
 import createAdapters from "@authhero/kysely-adapter";
-import { seed } from "authhero";
+import { seed, createEncryptedDataAdapter, loadEncryptionKey } from "authhero";
 
 interface Env {
   AUTH_DB: D1Database;
+  ENCRYPTION_KEY?: string;
 }
 
 export default {
@@ -567,7 +584,12 @@ export default {
     try {
       const dialect = new D1Dialect({ database: env.AUTH_DB });
       const db = new Kysely<any>({ dialect });
-      const adapters = createAdapters(db, { useTransactions: false });
+      let adapters = createAdapters(db, { useTransactions: false });
+
+      if (env.ENCRYPTION_KEY) {
+        const encryptionKey = await loadEncryptionKey(env.ENCRYPTION_KEY);
+        adapters = createEncryptedDataAdapter(adapters, encryptionKey);
+      }
 
       const result = await seed(adapters, {
         adminUsername,
@@ -607,7 +629,7 @@ export default {
 };
 `;
 }
-function f(e, t) {
+function m(e, t) {
 	let n = t ? "import adminIndexHtml from \"./admin-index-html\";\n" : "", r = t ? "    adminIndexHtml,\n" : "";
 	return e ? `import { Context } from "hono";
 import { swaggerUI } from "@hono/swagger-ui";
@@ -690,14 +712,14 @@ ${r}  });
 }
 `;
 }
-function p(e) {
+function h(e) {
 	return e ? "import { Context } from \"hono\";\nimport { swaggerUI } from \"@hono/swagger-ui\";\nimport { AuthHeroConfig, DataAdapters } from \"authhero\";\nimport { initMultiTenant } from \"@authhero/multi-tenancy\";\n\n// Control plane configuration\nconst CONTROL_PLANE_TENANT_ID = \"control_plane\";\nconst CONTROL_PLANE_CLIENT_ID = \"default\";\n\ninterface AppConfig extends AuthHeroConfig {\n  dataAdapter: DataAdapters;\n  widgetUrl: string;\n}\n\nexport default function createApp(config: AppConfig) {\n  // Initialize multi-tenant AuthHero\n  const { app } = initMultiTenant({\n    ...config,\n    controlPlane: {\n      tenantId: CONTROL_PLANE_TENANT_ID,\n      clientId: CONTROL_PLANE_CLIENT_ID,\n    },\n  });\n\n  app\n    .onError((err, ctx) => {\n      if (err && typeof err === \"object\" && \"getResponse\" in err) {\n        return (err as { getResponse: () => Response }).getResponse();\n      }\n      console.error(err);\n      return ctx.text(err instanceof Error ? err.message : \"Internal Server Error\", 500);\n    })\n    .get(\"/\", async (ctx: Context) => {\n      return ctx.json({\n        name: \"AuthHero Multi-Tenant Server (AWS)\",\n        version: \"1.0.0\",\n        status: \"running\",\n        docs: \"/docs\",\n        controlPlaneTenant: CONTROL_PLANE_TENANT_ID,\n      });\n    })\n    .get(\"/docs\", swaggerUI({ url: \"/api/v2/spec\" }))\n    // Redirect widget requests to S3/CloudFront\n    .get(\"/u/widget/*\", async (ctx) => {\n      const file = ctx.req.path.replace(\"/u/widget/\", \"\");\n      return ctx.redirect(`${config.widgetUrl}/u/widget/${file}`);\n    })\n    .get(\"/u/*\", async (ctx) => {\n      const file = ctx.req.path.replace(\"/u/\", \"\");\n      return ctx.redirect(`${config.widgetUrl}/u/${file}`);\n    });\n\n  return app;\n}\n" : "import { Context } from \"hono\";\nimport { cors } from \"hono/cors\";\nimport { AuthHeroConfig, init, DataAdapters } from \"authhero\";\nimport { swaggerUI } from \"@hono/swagger-ui\";\n\ninterface AppConfig extends AuthHeroConfig {\n  dataAdapter: DataAdapters;\n  widgetUrl: string;\n}\n\nexport default function createApp(config: AppConfig) {\n  const { app } = init(config);\n\n  // Enable CORS for all origins in development\n  app.use(\"*\", cors({\n    origin: (origin) => origin || \"*\",\n    allowMethods: [\"GET\", \"POST\", \"PUT\", \"DELETE\", \"PATCH\", \"OPTIONS\"],\n    allowHeaders: [\"Content-Type\", \"Authorization\", \"Auth0-Client\"],\n    exposeHeaders: [\"Content-Length\"],\n    credentials: true,\n  }));\n\n  app\n    .onError((err, ctx) => {\n      if (err && typeof err === \"object\" && \"getResponse\" in err) {\n        return (err as { getResponse: () => Response }).getResponse();\n      }\n      console.error(err);\n      return ctx.text(err instanceof Error ? err.message : \"Internal Server Error\", 500);\n    })\n    .get(\"/\", async (ctx: Context) => {\n      return ctx.json({\n        name: \"AuthHero Server (AWS)\",\n        status: \"running\",\n      });\n    })\n    .get(\"/docs\", swaggerUI({ url: \"/api/v2/spec\" }))\n    // Redirect widget requests to S3/CloudFront\n    .get(\"/u/widget/*\", async (ctx) => {\n      const file = ctx.req.path.replace(\"/u/widget/\", \"\");\n      return ctx.redirect(`${config.widgetUrl}/u/widget/${file}`);\n    })\n    .get(\"/u/*\", async (ctx) => {\n      const file = ctx.req.path.replace(\"/u/\", \"\");\n      return ctx.redirect(`${config.widgetUrl}/u/${file}`);\n    });\n\n  return app;\n}\n";
 }
-function m(e) {
+function g(e) {
 	return `import { DynamoDBClient } from "@aws-sdk/client-dynamodb";
 import { DynamoDBDocumentClient } from "@aws-sdk/lib-dynamodb";
 import createAdapters from "@authhero/aws";
-import { seed } from "authhero";
+import { seed, createEncryptedDataAdapter, loadEncryptionKey } from "authhero";
 
 async function main() {
   const adminUsername = process.argv[2] || process.env.ADMIN_USERNAME || "admin";
@@ -717,7 +739,12 @@ async function main() {
     },
   });
 
-  const adapters = createAdapters(docClient, { tableName });
+  let adapters = createAdapters(docClient, { tableName });
+
+  if (process.env.ENCRYPTION_KEY) {
+    const encryptionKey = await loadEncryptionKey(process.env.ENCRYPTION_KEY);
+    adapters = createEncryptedDataAdapter(adapters, encryptionKey);
+  }
 
   await seed(adapters, {
     adminUsername,
@@ -733,18 +760,21 @@ async function main() {
 main().catch(console.error);
 `;
 }
-function h(e, t) {
+function _(e, t) {
 	let i = r.join(e, "src");
-	n.writeFileSync(r.join(i, "app.ts"), p(t)), n.writeFileSync(r.join(i, "seed.ts"), m(t));
+	n.writeFileSync(r.join(i, "app.ts"), h(t)), n.writeFileSync(r.join(i, "seed.ts"), g(t)), n.writeFileSync(r.join(e, ".env"), `# At-rest encryption key for sensitive credentials. Generated automatically.
+# Keep this stable and secret — losing it makes encrypted data unrecoverable.
+ENCRYPTION_KEY=${s()}
+`);
 }
-function g() {
+function v() {
 	console.log("\\n" + "─".repeat(50)), console.log("🔐 AuthHero deployed to AWS!"), console.log("📚 Check SST output for your API URL"), console.log("🚀 Open your server URL /setup to complete initial setup"), console.log("🌐 Portal available at https://local.authhero.net"), console.log("─".repeat(50) + "\\n");
 }
-function _(e) {
+function y(e) {
 	let t = r.join(e, ".github", "workflows");
 	n.mkdirSync(t, { recursive: !0 }), n.writeFileSync(r.join(t, "unit-tests.yml"), "name: Unit tests\n\non: push\n\njobs:\n  test:\n    runs-on: ubuntu-latest\n    steps:\n      - uses: actions/checkout@v4\n\n      - name: Setup Node.js\n        uses: actions/setup-node@v4\n        with:\n          node-version: \"22\"\n          cache: \"npm\"\n\n      - name: Install dependencies\n        run: npm ci\n\n      - run: npm run type-check\n      - run: npm test\n"), n.writeFileSync(r.join(t, "deploy-dev.yml"), "name: Deploy to Dev\n\non:\n  push:\n    branches:\n      - main\n\njobs:\n  release:\n    name: Release and Deploy\n    runs-on: ubuntu-latest\n    steps:\n      - name: Checkout\n        uses: actions/checkout@v4\n        with:\n          fetch-depth: 0\n\n      - name: Setup Node.js\n        uses: actions/setup-node@v4\n        with:\n          node-version: \"22\"\n          cache: \"npm\"\n\n      - name: Install dependencies\n        run: npm ci\n\n      - name: Release\n        env:\n          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}\n        run: npx semantic-release\n\n      - name: Deploy to Cloudflare (Dev)\n        uses: cloudflare/wrangler-action@v3\n        with:\n          apiToken: ${{ secrets.CLOUDFLARE_API_TOKEN }}\n          command: deploy\n"), n.writeFileSync(r.join(t, "release.yml"), "name: Deploy to Production\n\non:\n  release:\n    types: [\"released\"]\n\njobs:\n  deploy:\n    name: Deploy to Production\n    runs-on: ubuntu-latest\n    steps:\n      - name: Checkout\n        uses: actions/checkout@v4\n\n      - name: Setup Node.js\n        uses: actions/setup-node@v4\n        with:\n          node-version: \"22\"\n          cache: \"npm\"\n\n      - name: Install dependencies\n        run: npm ci\n\n      - name: Deploy to Cloudflare (Production)\n        uses: cloudflare/wrangler-action@v3\n        with:\n          apiToken: ${{ secrets.PROD_CLOUDFLARE_API_TOKEN }}\n          command: deploy --env production\n"), console.log("\\n📦 GitHub CI workflows created!");
 }
-function v(e) {
+function b(e) {
 	n.writeFileSync(r.join(e, ".releaserc.json"), JSON.stringify({
 		branches: ["main"],
 		plugins: [
@@ -763,9 +793,9 @@ function v(e) {
 		"type-check": "tsc --noEmit"
 	}, n.writeFileSync(t, JSON.stringify(i, null, 2));
 }
-function y(e, t) {
+function x(e, t) {
 	return new Promise((n, r) => {
-		let i = a(e, [], {
+		let i = o(e, [], {
 			cwd: t,
 			shell: !0,
 			stdio: "inherit"
@@ -775,107 +805,113 @@ function y(e, t) {
 		}), i.on("error", r);
 	});
 }
-function b(e, t, i) {
+function S(e, t, i) {
 	let a = r.join(e, "src");
-	n.writeFileSync(r.join(a, "app.ts"), f(t, i)), n.writeFileSync(r.join(a, "seed.ts"), d(t));
+	n.writeFileSync(r.join(a, "app.ts"), m(t, i)), n.writeFileSync(r.join(a, "seed.ts"), p(t));
 }
-function x() {
+function C() {
 	console.log("\n" + "─".repeat(50)), console.log("🔐 AuthHero server running at https://localhost:3000"), console.log("🚀 Open https://localhost:3000/setup to complete initial setup"), console.log("─".repeat(50) + "\n");
 }
-function S() {
+function w() {
 	console.log("\n" + "─".repeat(50)), console.log("🛰️  AuthHero proxy running at http://localhost:8787"), console.log("✏️  Edit src/proxy.config.ts to add hosts and routes"), console.log("📖 See README.md for deployment instructions"), console.log("─".repeat(50) + "\n");
 }
-function C() {
+function T() {
 	console.log("\n" + "─".repeat(50)), console.log("✅ Self-signed certificates generated with openssl"), console.log("⚠️  You may need to trust the certificate in your browser"), console.log("🔐 AuthHero server running at http://localhost:3000"), console.log("📚 API documentation available at http://localhost:3000/docs"), console.log("🚀 Open http://localhost:3000/setup to complete initial setup"), console.log("─".repeat(50) + "\n");
 }
-o.version("1.0.0").description("Create a new AuthHero project").argument("[project-name]", "name of the project").option("-t, --template <type>", "template type: local, cloudflare, aws-sst, or proxy").option("--package-manager <pm>", "package manager to use: npm, yarn, pnpm, or bun").option("--multi-tenant", "enable multi-tenant mode").option("--admin-ui", "include admin UI at /admin").option("--skip-install", "skip installing dependencies").option("--skip-migrate", "skip running database migrations").option("--skip-start", "skip starting the development server").option("--github-ci", "include GitHub CI workflows with semantic versioning").option("--conformance", "add OpenID conformance suite test clients").option("--conformance-alias <alias>", "alias for conformance suite (default: authhero-local)").option("--workspace", "use workspace:* dependencies for local monorepo development").option("-y, --yes", "skip all prompts and use defaults/provided options").action(async (e, a) => {
-	let o = a.yes === !0;
+c.version("1.0.0").description("Create a new AuthHero project").argument("[project-name]", "name of the project").option("-t, --template <type>", "template type: local, cloudflare, aws-sst, or proxy").option("--package-manager <pm>", "package manager to use: npm, yarn, pnpm, or bun").option("--multi-tenant", "enable multi-tenant mode").option("--admin-ui", "include admin UI at /admin").option("--skip-install", "skip installing dependencies").option("--skip-migrate", "skip running database migrations").option("--skip-start", "skip starting the development server").option("--github-ci", "include GitHub CI workflows with semantic versioning").option("--conformance", "add OpenID conformance suite test clients").option("--conformance-alias <alias>", "alias for conformance suite (default: authhero-local)").option("--workspace", "use workspace:* dependencies for local monorepo development").option("-y, --yes", "skip all prompts and use defaults/provided options").action(async (e, i) => {
+	let o = i.yes === !0;
 	console.log("\n🔐 Welcome to AuthHero!\n");
-	let d = e;
-	d || (o ? (d = "auth-server", console.log(`Using default project name: ${d}`)) : d = (await t.prompt([{
+	let c = e;
+	c || (o ? (c = "auth-server", console.log(`Using default project name: ${c}`)) : c = (await t.prompt([{
 		type: "input",
 		name: "projectName",
 		message: "Project name:",
 		default: "auth-server",
 		validate: (e) => e !== "" || "Project name cannot be empty"
 	}])).projectName);
-	let f = r.join(process.cwd(), d);
-	n.existsSync(f) && (console.error(`❌ Project "${d}" already exists.`), process.exit(1));
-	let p;
-	a.template ? ([
+	let p = r.join(process.cwd(), c);
+	n.existsSync(p) && (console.error(`❌ Project "${c}" already exists.`), process.exit(1));
+	let m;
+	i.template ? ([
 		"local",
 		"cloudflare",
 		"aws-sst",
 		"proxy"
-	].includes(a.template) || (console.error(`❌ Invalid template: ${a.template}`), console.error("Valid options: local, cloudflare, aws-sst, proxy"), process.exit(1)), p = a.template, console.log(`Using template: ${s[p].name}`)) : p = (await t.prompt([{
+	].includes(i.template) || (console.error(`❌ Invalid template: ${i.template}`), console.error("Valid options: local, cloudflare, aws-sst, proxy"), process.exit(1)), m = i.template, console.log(`Using template: ${l[m].name}`)) : m = (await t.prompt([{
 		type: "list",
 		name: "setupType",
 		message: "Select your setup type:",
 		choices: [
 			{
-				name: `${s.local.name}\n     ${s.local.description}`,
+				name: `${l.local.name}\n     ${l.local.description}`,
 				value: "local",
-				short: s.local.name
+				short: l.local.name
 			},
 			{
-				name: `${s.cloudflare.name}\n     ${s.cloudflare.description}`,
+				name: `${l.cloudflare.name}\n     ${l.cloudflare.description}`,
 				value: "cloudflare",
-				short: s.cloudflare.name
+				short: l.cloudflare.name
 			},
 			{
-				name: `${s["aws-sst"].name}\n     ${s["aws-sst"].description}`,
+				name: `${l["aws-sst"].name}\n     ${l["aws-sst"].description}`,
 				value: "aws-sst",
-				short: s["aws-sst"].name
+				short: l["aws-sst"].name
 			},
 			{
-				name: `${s.proxy.name}\n     ${s.proxy.description}`,
+				name: `${l.proxy.name}\n     ${l.proxy.description}`,
 				value: "proxy",
-				short: s.proxy.name
+				short: l.proxy.name
 			}
 		]
 	}])).setupType;
-	let m;
-	m = p === "proxy" ? !1 : a.multiTenant === void 0 ? o ? !1 : (await t.prompt([{
+	let h;
+	h = m === "proxy" ? !1 : i.multiTenant === void 0 ? o ? !1 : (await t.prompt([{
 		type: "confirm",
 		name: "multiTenant",
 		message: "Would you like to enable multi-tenant mode?",
 		default: !1
-	}])).multiTenant : a.multiTenant, m && console.log("Multi-tenant mode: enabled");
-	let w = !1;
-	(p === "local" || p === "cloudflare") && (w = a.adminUi === void 0 ? o ? !0 : (await t.prompt([{
+	}])).multiTenant : i.multiTenant, h && console.log("Multi-tenant mode: enabled");
+	let g = !1;
+	(m === "local" || m === "cloudflare") && (g = i.adminUi === void 0 ? o ? !0 : (await t.prompt([{
 		type: "confirm",
 		name: "adminUi",
 		message: "Would you like to include the admin UI at /admin?",
 		default: !0
-	}])).adminUi : a.adminUi, w && console.log("Admin UI: enabled (available at /admin)"));
-	let T = a.conformance || !1, E = a.conformanceAlias || "authhero-local";
-	T && console.log(`OpenID Conformance Suite: enabled (alias: ${E})`);
-	let D = a.workspace || !1;
-	D && console.log("Workspace mode: enabled (using workspace:* dependencies)");
-	let O = s[p];
-	n.mkdirSync(f, { recursive: !0 }), n.writeFileSync(r.join(f, "package.json"), JSON.stringify(O.packageJson(d, m, T, D, w), null, 2));
-	let k = O.templateDir, A = r.dirname(i(import.meta.url)), j = [r.join(A, k), r.join(A, "..", "templates", k)], M = j.find((e) => n.existsSync(e));
-	if (M ? c(M, f) : (console.error(`❌ Template directory not found. Looked in:\n  ${j.join("\n  ")}`), process.exit(1)), p === "cloudflare" && b(f, m, w), p === "cloudflare") {
-		let e = r.join(f, "wrangler.toml"), t = r.join(f, "wrangler.local.toml");
+	}])).adminUi : i.adminUi, g && console.log("Admin UI: enabled (available at /admin)"));
+	let E = i.conformance || !1, D = i.conformanceAlias || "authhero-local";
+	E && console.log(`OpenID Conformance Suite: enabled (alias: ${D})`);
+	let O = i.workspace || !1;
+	O && console.log("Workspace mode: enabled (using workspace:* dependencies)");
+	let k = l[m];
+	n.mkdirSync(p, { recursive: !0 }), n.writeFileSync(r.join(p, "package.json"), JSON.stringify(k.packageJson(c, h, E, O, g), null, 2));
+	let A = k.templateDir, j = r.dirname(a(import.meta.url)), M = [r.join(j, A), r.join(j, "..", "templates", A)], N = M.find((e) => n.existsSync(e));
+	if (N ? u(N, p) : (console.error(`❌ Template directory not found. Looked in:\n  ${M.join("\n  ")}`), process.exit(1)), m === "cloudflare" && S(p, h, g), m === "cloudflare") {
+		let e = r.join(p, "wrangler.toml"), t = r.join(p, "wrangler.local.toml");
 		n.existsSync(e) && n.copyFileSync(e, t);
-		let i = r.join(f, ".dev.vars.example"), a = r.join(f, ".dev.vars");
-		n.existsSync(i) && n.copyFileSync(i, a), console.log("📁 Created wrangler.local.toml and .dev.vars for local development");
+		let i = r.join(p, ".dev.vars.example"), a = r.join(p, ".dev.vars");
+		n.existsSync(i) && (n.copyFileSync(i, a), n.appendFileSync(a, `\n# Generated at-rest encryption key (local dev). Use a separate secret in production.\nENCRYPTION_KEY=${s()}\n`), console.log("🔒 Added a generated ENCRYPTION_KEY to .dev.vars")), console.log("📁 Created wrangler.local.toml and .dev.vars for local development");
 	}
-	let N = !1;
-	if (p === "cloudflare" && (a.githubCi === void 0 ? o || (N = (await t.prompt([{
+	let P = !1;
+	if (m === "cloudflare" && (i.githubCi === void 0 ? o || (P = (await t.prompt([{
 		type: "confirm",
 		name: "includeGithubCi",
 		message: "Would you like to include GitHub CI with semantic versioning?",
 		default: !1
-	}])).includeGithubCi) : (N = a.githubCi, N && console.log("Including GitHub CI workflows with semantic versioning")), N && (_(f), v(f))), p === "local") {
-		let e = l(m, T, E, w);
-		n.writeFileSync(r.join(f, "src/seed.ts"), e);
-		let t = u(m, w);
-		n.writeFileSync(r.join(f, "src/app.ts"), t);
+	}])).includeGithubCi) : (P = i.githubCi, P && console.log("Including GitHub CI workflows with semantic versioning")), P && (y(p), b(p))), m === "local") {
+		let e = d(h, E, D, g);
+		n.writeFileSync(r.join(p, "src/seed.ts"), e);
+		let t = f(h, g);
+		n.writeFileSync(r.join(p, "src/app.ts"), t);
+		let i = `# Encryption key for at-rest encryption of sensitive credentials.
+# Generated automatically. Keep this stable and secret — losing it makes
+# existing encrypted data unrecoverable. Use a separate key in production.
+ENCRYPTION_KEY=${s()}
+`;
+		n.writeFileSync(r.join(p, ".env"), i), console.log("🔒 Generated .env with an at-rest encryption key");
 	}
-	if (p === "aws-sst" && h(f, m), T) {
+	if (m === "aws-sst" && _(p, h), E) {
 		let e = {
-			alias: E,
+			alias: D,
 			description: "AuthHero Conformance Test",
 			server: { discoveryUrl: "http://host.docker.internal:3000/.well-known/openid-configuration" },
 			client: {
@@ -888,24 +924,24 @@ o.version("1.0.0").description("Create a new AuthHero project").argument("[proje
 			},
 			resource: { resourceUrl: "http://host.docker.internal:3000/userinfo" }
 		};
-		n.writeFileSync(r.join(f, "conformance-config.json"), JSON.stringify(e, null, 2)), console.log("📝 Created conformance-config.json for OpenID Conformance Suite");
+		n.writeFileSync(r.join(p, "conformance-config.json"), JSON.stringify(e, null, 2)), console.log("📝 Created conformance-config.json for OpenID Conformance Suite");
 	}
-	let P = m ? "multi-tenant" : "single-tenant";
-	console.log(`\n✅ Project "${d}" has been created with ${O.name} (${P}) setup!\n`);
-	let F;
-	if (F = a.skipInstall ? !1 : o ? !0 : (await t.prompt([{
+	let F = h ? "multi-tenant" : "single-tenant";
+	console.log(`\n✅ Project "${c}" has been created with ${k.name} (${F}) setup!\n`);
+	let I;
+	if (I = i.skipInstall ? !1 : o ? !0 : (await t.prompt([{
 		type: "confirm",
 		name: "shouldInstall",
 		message: "Would you like to install dependencies now?",
 		default: !0
-	}])).shouldInstall, F) {
+	}])).shouldInstall, I) {
 		let e;
-		a.packageManager ? ([
+		i.packageManager ? ([
 			"npm",
 			"yarn",
 			"pnpm",
 			"bun"
-		].includes(a.packageManager) || (console.error(`❌ Invalid package manager: ${a.packageManager}`), console.error("Valid options: npm, yarn, pnpm, bun"), process.exit(1)), e = a.packageManager) : e = o ? "pnpm" : (await t.prompt([{
+		].includes(i.packageManager) || (console.error(`❌ Invalid package manager: ${i.packageManager}`), console.error("Valid options: npm, yarn, pnpm, bun"), process.exit(1)), e = i.packageManager) : e = o ? "pnpm" : (await t.prompt([{
 			type: "list",
 			name: "packageManager",
 			message: "Which package manager would you like to use?",
@@ -930,26 +966,26 @@ o.version("1.0.0").description("Create a new AuthHero project").argument("[proje
 			default: "pnpm"
 		}])).packageManager, console.log(`\n📦 Installing dependencies with ${e}...\n`);
 		try {
-			if (await y(e === "pnpm" ? "pnpm install --ignore-workspace" : `${e} install`, f), p === "local" && (console.log("\n🔧 Building native modules...\n"), await y("npm rebuild better-sqlite3", f)), console.log("\n✅ Dependencies installed successfully!\n"), (p === "local" || p === "cloudflare") && !a.skipMigrate) {
+			if (await x(e === "pnpm" ? "pnpm install --ignore-workspace" : `${e} install`, p), m === "local" && (console.log("\n🔧 Building native modules...\n"), await x("npm rebuild better-sqlite3", p)), console.log("\n✅ Dependencies installed successfully!\n"), (m === "local" || m === "cloudflare") && !i.skipMigrate) {
 				let n;
 				n = o ? !0 : (await t.prompt([{
 					type: "confirm",
 					name: "shouldMigrate",
 					message: "Would you like to run database migrations?",
 					default: !0
-				}])).shouldMigrate, n && (console.log("\n🔄 Running migrations...\n"), await y(`${e} run migrate`, f));
+				}])).shouldMigrate, n && (console.log("\n🔄 Running migrations...\n"), await x(`${e} run migrate`, p));
 			}
 			let n;
-			n = a.skipStart || o ? !1 : (await t.prompt([{
+			n = i.skipStart || o ? !1 : (await t.prompt([{
 				type: "confirm",
 				name: "shouldStart",
 				message: "Would you like to start the development server?",
 				default: !0
-			}])).shouldStart, n && (p === "cloudflare" ? x() : p === "aws-sst" ? g() : p === "proxy" ? S() : C(), console.log("🚀 Starting development server...\n"), await y(`${e} run dev`, f)), o && !n && (console.log("\n✅ Setup complete!"), console.log("\nTo start the development server:"), console.log(`  cd ${d}`), console.log("  npm run dev"), p === "cloudflare" ? x() : p === "aws-sst" ? g() : p === "proxy" ? S() : C());
+			}])).shouldStart, n && (m === "cloudflare" ? C() : m === "aws-sst" ? v() : m === "proxy" ? w() : T(), console.log("🚀 Starting development server...\n"), await x(`${e} run dev`, p)), o && !n && (console.log("\n✅ Setup complete!"), console.log("\nTo start the development server:"), console.log(`  cd ${c}`), console.log("  npm run dev"), m === "cloudflare" ? C() : m === "aws-sst" ? v() : m === "proxy" ? w() : T());
 		} catch (e) {
 			console.error("\n❌ An error occurred:", e), process.exit(1);
 		}
 	}
-	F || (console.log("Next steps:"), console.log(`  cd ${d}`), p === "local" ? (console.log("  npm install"), console.log("  npm run migrate"), console.log("  npm run dev"), console.log("\nOpen http://localhost:3000/setup to complete initial setup")) : p === "cloudflare" ? (console.log("  npm install"), console.log("  npm run migrate  # or npm run db:migrate:remote for production"), console.log("  npm run dev  # or npm run dev:remote for production"), console.log("\nOpen https://localhost:3000/setup to complete initial setup")) : p === "aws-sst" ? (console.log("  npm install"), console.log("  npm run dev  # Deploys to AWS in development mode"), console.log("\nOpen your server URL /setup to complete initial setup")) : p === "proxy" && (console.log("  npm install"), console.log("  npm run dev"), console.log("\nEdit src/proxy.config.ts to add hosts and routes")), console.log(`\nServer will be available at: http://localhost:${p === "proxy" ? 8787 : 3e3}`), T && (console.log("\n🧪 OpenID Conformance Suite Testing:"), console.log("  1. Clone and start the conformance suite (if not already running):"), console.log("     git clone https://gitlab.com/openid/conformance-suite.git"), console.log("     cd conformance-suite && mvn clean package"), console.log("     docker-compose up -d"), console.log("  2. Open https://localhost.emobix.co.uk:8443"), console.log("  3. Create a test plan and use conformance-config.json for settings"), console.log(`  4. Use alias: ${E}`)), console.log("\nFor more information, visit: https://authhero.net/docs\n"));
-}), o.parse(process.argv);
+	I || (console.log("Next steps:"), console.log(`  cd ${c}`), m === "local" ? (console.log("  npm install"), console.log("  npm run migrate"), console.log("  npm run dev"), console.log("\nOpen http://localhost:3000/setup to complete initial setup")) : m === "cloudflare" ? (console.log("  npm install"), console.log("  npm run migrate  # or npm run db:migrate:remote for production"), console.log("  npm run dev  # or npm run dev:remote for production"), console.log("\nOpen https://localhost:3000/setup to complete initial setup")) : m === "aws-sst" ? (console.log("  npm install"), console.log("  npm run dev  # Deploys to AWS in development mode"), console.log("\nOpen your server URL /setup to complete initial setup")) : m === "proxy" && (console.log("  npm install"), console.log("  npm run dev"), console.log("\nEdit src/proxy.config.ts to add hosts and routes")), console.log(`\nServer will be available at: http://localhost:${m === "proxy" ? 8787 : 3e3}`), E && (console.log("\n🧪 OpenID Conformance Suite Testing:"), console.log("  1. Clone and start the conformance suite (if not already running):"), console.log("     git clone https://gitlab.com/openid/conformance-suite.git"), console.log("     cd conformance-suite && mvn clean package"), console.log("     docker-compose up -d"), console.log("  2. Open https://localhost.emobix.co.uk:8443"), console.log("  3. Create a test plan and use conformance-config.json for settings"), console.log(`  4. Use alias: ${D}`)), console.log("\nFor more information, visit: https://authhero.net/docs\n"));
+}), c.parse(process.argv);
 //#endregion

package/dist/local/README.md

@@ -47,4 +47,26 @@ You can customize the AuthHero configuration in `src/app.ts`. Common options inc
 - Custom email templates
 - Session configuration
 
+## Encryption at rest
+
+Sensitive credential fields (client secrets, connection secrets, email
+credentials, TOTP secrets, migration-source secrets) are encrypted at rest.
+A random `ENCRYPTION_KEY` was generated into `.env` when this project was
+created, and the dev/seed scripts load it via `--env-file=.env`.
+
+> **The key is load-bearing.** If you delete, rotate, or lose `ENCRYPTION_KEY`,
+> any values already encrypted with it become unreadable. In local dev you can
+> recover by deleting `db.sqlite` and re-running `npm run migrate && npm run seed`.
+> In production, treat the key as a long-lived secret and back it up.
+
+For production, set your own `ENCRYPTION_KEY` in the deployment environment
+rather than reusing the generated dev key.
+
+Helper scripts:
+
+```bash
+npm run gen:key                   # print a fresh base64 key
+npm run decrypt -- "enc:v1:..."   # decrypt a stored value using ENCRYPTION_KEY from .env
+```
+
 For more information, visit [https://authhero.net/docs](https://authhero.net/docs).

package/dist/local/scripts/decrypt-field.mjs

@@ -0,0 +1,33 @@
+#!/usr/bin/env node
+import { loadEncryptionKey, decryptField } from "authhero";
+
+// Decrypt a stored field value using ENCRYPTION_KEY from the environment.
+// Usage: node --env-file=.env scripts/decrypt-field.mjs "enc:v1:..."
+// Values without the enc:v1: prefix (legacy plaintext) are printed unchanged.
+const value = process.argv[2];
+
+if (!value) {
+  console.error(
+    'Usage: node --env-file=<env> scripts/decrypt-field.mjs "<value>"',
+  );
+  process.exit(1);
+}
+
+const keyB64 = process.env.ENCRYPTION_KEY;
+if (!keyB64) {
+  console.error(
+    "ENCRYPTION_KEY is not set. Pass it via --env-file or the environment.",
+  );
+  process.exit(1);
+}
+
+try {
+  const key = await loadEncryptionKey(keyB64);
+  console.log(await decryptField(value, key));
+} catch (error) {
+  console.error(
+    "Failed to decrypt:",
+    error instanceof Error ? error.message : error,
+  );
+  process.exit(1);
+}

package/dist/local/scripts/generate-encryption-key.mjs

@@ -0,0 +1,7 @@
+#!/usr/bin/env node
+import crypto from "node:crypto";
+
+// Print a fresh base64-encoded 32-byte (AES-256) key suitable for
+// ENCRYPTION_KEY. Copy the output into your env file (.env / .dev.vars) or set
+// it as a production secret.
+console.log(crypto.randomBytes(32).toString("base64"));

package/dist/local/src/index.ts

@@ -3,6 +3,7 @@ import { SqliteDialect } from "kysely";
 import { Kysely } from "kysely";
 import Database from "better-sqlite3";
 import createAdapters from "@authhero/kysely-adapter";
+import { createEncryptedDataAdapter, loadEncryptionKey } from "authhero";
 import createApp from "./app";
 import fs from "fs";
 import path from "path";
@@ -102,7 +103,14 @@ try {
   process.exit(1);
 }
 
-const dataAdapter = createAdapters(db);
+let dataAdapter = createAdapters(db);
+
+// Encrypt sensitive credential fields at rest when ENCRYPTION_KEY is set
+// (generated into .env at scaffold time). Without it, behavior is unchanged.
+if (process.env.ENCRYPTION_KEY) {
+  const encryptionKey = await loadEncryptionKey(process.env.ENCRYPTION_KEY);
+  dataAdapter = createEncryptedDataAdapter(dataAdapter, encryptionKey);
+}
 
 // Create the AuthHero app
 const app = createApp({

package/dist/proxy/README.md

@@ -2,7 +2,9 @@
 
 A Cloudflare Worker that proxies incoming requests to upstream services based on the request's `Host` header. Built on [@authhero/proxy](https://www.npmjs.com/package/@authhero/proxy).
 
-## Configure your routes
+This template ships with a static, in-file config so you can run it immediately. For production you'll typically swap that adapter for one that reads routes from your authhero deployment — see [Data sources](#data-sources) below.
+
+## Configure your routes (default)
 
 Edit [src/proxy.config.ts](src/proxy.config.ts) to map each public hostname to one or more upstream routes. Path patterns support `*` and `:param` segments, and routes are matched in priority order (lower wins).
 
@@ -23,6 +25,111 @@ export const proxyConfig: StaticProxyAdapterOptions = {
 };
 ```
 
+## Data sources
+
+The proxy reads its routes through a `ProxyDataAdapter`. Three implementations are common:
+
+| Adapter | Best for | Notes |
+| --- | --- | --- |
+| **Static** (default) | Local dev, small fixed deployments | Routes baked into the worker bundle; re-deploy to change them. |
+| **Database** | Same-process or co-located deployments | Reads directly from the proxy_routes table that authhero writes to. |
+| **HTTP / management API** | Geographically distributed proxies, hosted Workers | Calls `/api/v2/proxy-routes` on your authhero server with a service token. |
+
+The authhero server exposes the management API (`/api/v2/proxy-routes`) and creates the underlying table automatically once the standard adapter migrations have run — see the `local` template's [src/index.ts](../local/src/index.ts).
+
+### Database-backed (Kysely)
+
+Add the adapter and your Kysely driver, then swap the data line:
+
+```bash
+npm install @authhero/kysely-adapter kysely
+```
+
+```ts
+import { Kysely } from "kysely";
+import { createProxyApp } from "@authhero/proxy";
+import { createProxyDataAdapter } from "@authhero/kysely-adapter";
+
+const db = new Kysely({ dialect: /* your dialect */ });
+const app = createProxyApp({
+  data: createProxyDataAdapter(db),
+});
+```
+
+Cloudflare Workers can't open SQLite files, so on Workers this path means D1, Hyperdrive, or a remote MySQL/Postgres. For a local Node process, `better-sqlite3` pointing at the same `db.sqlite` your authhero server uses works out of the box.
+
+### HTTP-backed (management API)
+
+The proxy authenticates to authhero's management API with a service token. Issue the token from authhero with the scopes `read:proxy_routes` and `read:custom_domains`, then store it as a worker secret:
+
+```bash
+wrangler secret put AUTHHERO_SERVICE_TOKEN
+```
+
+`wrangler.toml` vars:
+
+```toml
+[vars]
+AUTHHERO_API_URL = "https://auth.example.com"
+AUTHHERO_TENANT_ID = "example"
+```
+
+Then build an adapter that resolves the host via `/api/v2/custom-domains` and the routes via `/api/v2/proxy-routes`:
+
+```ts
+import type { ProxyDataAdapter, ResolvedHost } from "@authhero/proxy";
+
+interface Env {
+  AUTHHERO_API_URL: string;
+  AUTHHERO_TENANT_ID: string;
+  AUTHHERO_SERVICE_TOKEN: string;
+}
+
+function createHttpProxyAdapter(env: Env): ProxyDataAdapter {
+  const headers = {
+    "authorization": `Bearer ${env.AUTHHERO_SERVICE_TOKEN}`,
+    "tenant-id": env.AUTHHERO_TENANT_ID,
+  };
+
+  async function api<T>(path: string): Promise<T> {
+    const res = await fetch(`${env.AUTHHERO_API_URL}${path}`, { headers });
+    if (!res.ok) throw new Error(`${path}: ${res.status}`);
+    return res.json() as Promise<T>;
+  }
+
+  return {
+    // The proxy data plane only needs resolveHost; the CRUD methods on
+    // proxyRoutes stay unused (writes always go through authhero directly).
+    proxyRoutes: {
+      list: () => { throw new Error("read-only proxy adapter"); },
+      get: () => { throw new Error("read-only proxy adapter"); },
+      create: () => { throw new Error("read-only proxy adapter"); },
+      update: () => { throw new Error("read-only proxy adapter"); },
+      remove: () => { throw new Error("read-only proxy adapter"); },
+    },
+    async resolveHost(host): Promise<ResolvedHost | null> {
+      const domains = await api<{ custom_domains: Array<{
+        custom_domain_id: string; domain: string;
+      }> }>("/api/v2/custom-domains");
+      const match = domains.custom_domains.find((d) => d.domain === host);
+      if (!match) return null;
+
+      const routes = await api<{ proxy_routes: unknown[] }>(
+        `/api/v2/proxy-routes?custom_domain_id=${match.custom_domain_id}&per_page=200`,
+      );
+      return {
+        tenant_id: env.AUTHHERO_TENANT_ID,
+        custom_domain_id: match.custom_domain_id,
+        domain: host,
+        routes: routes.proxy_routes as ResolvedHost["routes"],
+      };
+    },
+  };
+}
+```
+
+Cache aggressively (see below) — every cold cache miss is two API round-trips.
+
 ## Caching
 
 Resolved hosts are cached in-memory per Worker isolate with a stale-while-revalidate strategy:
@@ -31,7 +138,7 @@ Resolved hosts are cached in-memory per Worker isolate with a stale-while-revali
 - **Stale** for the next hour — served from cache while a background refresh runs.
 - **Negative** (host not found) — cached for 30 seconds so newly-added hosts come online quickly.
 
-For the static adapter the "refresh" is just a re-read of the in-memory config, so the SWR window mainly matters when you swap to an HTTP- or database-backed adapter.
+For the static adapter the "refresh" is just a re-read of the in-memory config, so the SWR window mainly matters when you swap to the HTTP- or database-backed adapter.
 
 ## Develop locally
 

package/dist/proxy/src/proxy.config.ts

@@ -2,7 +2,11 @@ import type { StaticProxyAdapterOptions } from "@authhero/proxy";
 
 // Map each public hostname to the routes the proxy should serve for it.
 // Routes are matched in priority order (lower priority wins). The path
-// pattern supports `*` and `:param` segments.
+// pattern in `match.path` supports `*` and `:param` segments (Hono syntax).
+//
+// Each route is an ordered list of handlers. The last handler is the
+// terminal — it produces the response (e.g. `http`, `redirect`, `static`,
+// `service_binding`). Earlier handlers wrap it, like Hono middleware.
 //
 // Edit this file to add your hosts, then re-deploy.
 export const proxyConfig: StaticProxyAdapterOptions = {
@@ -11,10 +15,16 @@ export const proxyConfig: StaticProxyAdapterOptions = {
       tenant_id: "example",
       routes: [
         {
-          path_pattern: "/*",
-          upstream_type: "http",
-          upstream_url: "https://upstream.example.com",
-          preserve_host: false,
+          match: { path: "/*" },
+          handlers: [
+            {
+              type: "http",
+              options: {
+                upstream_url: "https://upstream.example.com",
+                preserve_host: false,
+              },
+            },
+          ],
         },
       ],
     },

package/package.json

@@ -5,7 +5,7 @@
     "type": "git",
     "url": "https://github.com/markusahlstrand/authhero"
   },
-  "version": "0.43.0",
+  "version": "0.45.0",
   "type": "module",
   "main": "dist/create-authhero.js",
   "bin": {