Token vault

The token vault is where Robnu keeps your marketplace session tokens. Not your password — your password never leaves your browser (the Chrome extension handles the handshake locally).

Each seller gets their own Data Encryption Key (DEK), sealed in AWS KMS. Tokens are encrypted at rest with the DEK; the DEK itself is encrypted with the KMS master key. To decrypt a token, Robnu has to call KMS, and KMS logs every call.

This means a database breach alone doesn't leak credentials. An attacker would need both the encrypted database AND the ability to call KMS — and KMS access is logged separately, so a leak of that magnitude would be loud.