
Credential Management in Unified: Bring Your Own Secrets Manager


January 30, 2026

Credential management is one of the most sensitive parts of integration infrastructure. OAuth tokens, API keys, and refresh logic determine not just whether integrations work, but who controls access, how failures are handled, and where risk lives.

Unified's approach to credential management is intentionally narrow and explicit:

  • Unified manages token lifecycle and integration behavior.
  • Customers control where credentials are stored.

This post explains how credential management works in Unified, why credential ownership matters, and how Unified supports customer-managed secrets managers today.

Credential Management in Unified

Unified handles authorization and credentials across all supported integrations, including OAuth-based platforms and API-key systems.

At a high level, Unified is responsible for:

  • Exchanging credentials during authorization
  • Tracking token expiration
  • Refreshing access and refresh tokens automatically
  • Handling provider-specific OAuth behavior
  • Isolating credentials per customer connection

Applications integrating with Unified do not manage token refresh jobs, background schedulers, or provider-specific edge cases. Unified abstracts that complexity and exposes connection health consistently.

Where Unified is deliberately flexible is credential storage.

Unified-Managed Credential Storage (Default)

By default, Unified can store OAuth tokens and API credentials encrypted within its infrastructure.

In this model:

  • Credentials are encrypted at rest (AES-256)
  • All data in transit uses TLS 1.2+
  • Token expiration and refresh are handled automatically
  • Applications never interact with raw credentials
  • Failed refreshes surface a consistent 401 and mark the connection unhealthy

This option works well for many teams, especially those optimizing for speed and simplicity.

However, some teams require tighter control over where credentials live.

Customer-Managed Secrets: Bring Your Own Vault

Unified also supports storing credentials entirely inside customer-owned secrets infrastructure, rather than Unified's database.

Unified currently integrates with:

  • AWS Secrets Manager
  • Azure Key Vault
  • Google Cloud Secret Manager
  • HashiCorp Vault

When customer-managed secrets are enabled:

  • OAuth tokens and API credentials are stored in your cloud account
  • Unified accesses credentials only when required to make API calls or refresh tokens
  • Credentials are not persisted in Unified's core data store
  • Token refresh and lifecycle management remain fully automated

Unified continues to manage behavior and reliability.

Customers retain ownership and control of the vault.

What This Changes — and What It Doesn't

What changes

  • Credentials live inside your existing security boundary
  • Vault access follows your IAM and security policies
  • Environments can be isolated (production vs staging)
  • Security reviews and procurement are simplified
  • Credential portability is preserved

What doesn't change

  • Unified does not store customer data
  • OAuth flows and provider requirements remain the same
  • No caching or persistence is introduced
  • Applications do not manage refresh logic

This is a change in ownership, not architecture.
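Because vault access follows your own IAM policies and environments can be isolated, the policy attached to the role an integration platform uses is worth auditing before it goes live. The following is an added example, not Unified's code or documentation: a small Python audit for an AWS Secrets Manager policy. The account ID, region, `integrations/prod/` secret-name prefix and the set of permitted actions are assumptions; the page does not specify them.

```python
# Added example: audit an IAM policy for a vendor-facing Secrets Manager role.
# Assumption: the integration needs only these actions (read, write, create, delete).
ALLOWED_ACTIONS = {a.lower() for a in (
    "secretsmanager:GetSecretValue", "secretsmanager:PutSecretValue",
    "secretsmanager:CreateSecret", "secretsmanager:DeleteSecret",
    "secretsmanager:DescribeSecret",
)}

# Constructed sample values: account ID, region and secret-name prefix are hypothetical.
PROD_PREFIX = "arn:aws:secretsmanager:us-east-1:111122223333:secret:integrations/prod/"

WEAK = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "secretsmanager:*", "Resource": "*"}]}

SCOPED = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow",
    "Action": ["secretsmanager:GetSecretValue", "secretsmanager:PutSecretValue"],
    "Resource": PROD_PREFIX + "*"}]}


def _as_list(value):
    """IAM allows a single string or a list for Action/Resource/Statement."""
    return value if isinstance(value, list) else [value]


def audit_policy(policy, allowed_arn_prefix):
    """Return (statement_index, kind, value) for each grant outside the scope."""
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        # NotAction/NotResource in an Allow grant everything except the listed items.
        for key in ("NotAction", "NotResource"):
            if key in stmt:
                findings.append((i, key, stmt[key]))
        for action in _as_list(stmt.get("Action", [])):
            # IAM action names are case-insensitive; wildcards never match the set.
            if action.lower() not in ALLOWED_ACTIONS:
                findings.append((i, "action", action))
        for resource in _as_list(stmt.get("Resource", [])):
            # The ARN must stay under this environment's secret-name prefix.
            if not resource.startswith(allowed_arn_prefix):
                findings.append((i, "resource", resource))
    return findings


if __name__ == "__main__":
    for name, policy in (("weak", WEAK), ("scoped", SCOPED)):
        print(name, audit_policy(policy, PROD_PREFIX))
```

Auditing a staging role's policy against the production prefix (or the reverse) flags any statement that crosses the environment boundary.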

Token Lifecycle and Failure Handling

Regardless of where credentials are stored, Unified continues to handle:

  • Expiration tracking
  • Automatic access and refresh token rotation
  • Provider-specific OAuth behavior
  • Connection health monitoring

If a refresh fails:

  • The connection is flagged as unhealthy
  • API calls return a consistent 401
  • A connection health event is emitted so applications can respond

From the application's perspective, integration behavior is unchanged.

From a security perspective, responsibility is clearer.

Why Credential Ownership Matters

For many teams, vendor-managed encrypted storage is sufficient.

For others, it's a blocker.

Teams operating in regulated or enterprise environments consistently require:

  • Credentials to live in their cloud
  • Vault access governed by internal IAM policies
  • Clear separation between environments
  • Long-term portability and reduced vendor lock-in

Customer-managed secrets exist to meet those requirements without changing how Unified operates.

How This Fits Unified's Architecture

Unified is a real-time, passthrough integration platform:

  • Customer data is fetched live from source systems
  • Nothing is cached or stored at rest
  • Logs are minimized and redacted
  • Operational metadata is encrypted
  • Credential handling is isolated per connection

Allowing customers to own their credential vault is a direct extension of that model.

Unified avoids storing what it doesn't need to store — data or secrets.

Who This Is For

Customer-managed secrets are most relevant for teams that:

  • Serve enterprise customers
  • Undergo SOC 2, HIPAA, or GDPR reviews
  • Have internal security or platform teams
  • Operate multi-cloud or standardized vault infrastructure
  • Want clean exit paths and minimal vendor lock-in

Unified-managed encrypted storage remains available for teams that don't need this level of control.

This is about choice, not added complexity.

A Clear Security Boundary

Unified doesn't try to be a database, a vault, or a security platform.

We focus on being real-time integration infrastructure — and on owning only what we need to own.

Credential management is unavoidable.

Credential ownership is optional.

With customer-managed Secrets Manager support, that boundary is now explicit.
