# @memberjunction/credentials
Secure credential management engine for MemberJunction. Provides centralized storage, retrieval, validation, and audit logging of credentials with automatic field-level encryption and JSON Schema validation.
## Overview
The `@memberjunction/credentials` package manages the full credential lifecycle: storing encrypted values, resolving credentials by name or ID, validating against JSON Schema constraints, and logging every access for audit compliance.
```mermaid
graph TD
A["CredentialEngine
(Singleton)"] --> B["Credential Types
(Schema Definitions)"]
A --> C["Credentials
(Encrypted Values)"]
A --> D["Credential Categories
(Organization)"]
A --> E["Audit Log
(Access Tracking)"]
A --> F["Ajv Validator
(JSON Schema)"]
G["Consumer Code"] --> A
G -->|"getCredential()"| H["ResolvedCredential"]
G -->|"storeCredential()"| C
G -->|"validateCredential()"| I["ValidationResult"]
style A fill:#2d6a9f,stroke:#1a4971,color:#fff
style B fill:#7c5295,stroke:#563a6b,color:#fff
style C fill:#2d8659,stroke:#1a5c3a,color:#fff
style D fill:#b8762f,stroke:#8a5722,color:#fff
style E fill:#b8762f,stroke:#8a5722,color:#fff
style F fill:#7c5295,stroke:#563a6b,color:#fff
style H fill:#2d8659,stroke:#1a5c3a,color:#fff
style I fill:#2d8659,stroke:#1a5c3a,color:#fff
```
## Installation
```bash
npm install @memberjunction/credentials
```
## Quick Start
```typescript
import { CredentialEngine, APIKeyCredentialValues } from '@memberjunction/credentials';
// Initialize at application startup
await CredentialEngine.Instance.Config(false, contextUser);
// Retrieve a credential with typed values
const cred = await CredentialEngine.Instance.getCredential(
'OpenAI',
{ contextUser, subsystem: 'AIService' }
);
// Use the decrypted values
console.log(cred.values.apiKey); // Strongly typed as string
```
## Credential Resolution
```mermaid
flowchart TD
A["getCredential(name, options)"] --> B{directValues
provided?}
B -->|Yes| C["Return direct values
source: request"]
B -->|No| D{credentialId
provided?}
D -->|Yes| E["Lookup by ID"]
D -->|No| F["Lookup by name"]
E --> G["Parse & return values
source: database"]
F --> G
G --> H["Log access to Audit Log"]
H --> I["Update LastUsedAt"]
style A fill:#2d6a9f,stroke:#1a4971,color:#fff
style C fill:#2d8659,stroke:#1a5c3a,color:#fff
style G fill:#2d8659,stroke:#1a5c3a,color:#fff
style H fill:#b8762f,stroke:#8a5722,color:#fff
```
Resolution priority:
1. **Direct values** -- `directValues` in options (bypasses database, useful for testing)
2. **By ID** -- `credentialId` in options (specific credential lookup)
3. **By name** -- The `credentialName` parameter (most common usage)
## Pre-defined Credential Types
| Type | Interface | Fields |
|------|-----------|--------|
| API Key | `APIKeyCredentialValues` | `apiKey` |
| API Key with Endpoint | `APIKeyWithEndpointCredentialValues` | `apiKey`, `endpoint` |
| OAuth2 Client Credentials | `OAuth2ClientCredentialValues` | `clientId`, `clientSecret`, `tokenUrl`, `scope` |
| Basic Auth | `BasicAuthCredentialValues` | `username`, `password` |
| Azure Service Principal | `AzureServicePrincipalCredentialValues` | `tenantId`, `clientId`, `clientSecret` |
| AWS IAM | `AWSIAMCredentialValues` | `accessKeyId`, `secretAccessKey`, `region` |
| Database Connection | `DatabaseConnectionCredentialValues` | `host`, `port`, `database`, `username`, `password` |
| Twilio | `TwilioCredentialValues` | `accountSid`, `authToken` |
## Storing Credentials
```typescript
const credential = await CredentialEngine.Instance.storeCredential(
'API Key', // Credential type name
'OpenAI Production', // Credential name
{ apiKey: 'sk-...' }, // Values (encrypted on save)
{
isDefault: true,
description: 'Production OpenAI API key',
expiresAt: new Date('2025-12-31')
},
contextUser
);
```
## JSON Schema Validation
The engine validates credential values against the `FieldSchema` defined on each Credential Type using Ajv. Supported constraints include `required`, `const`, `enum`, `format`, `pattern`, `minLength`/`maxLength`, and `minimum`/`maximum`.
Default and const values are auto-populated before validation, and validation errors produce clear, human-readable messages.
## Audit Logging
Every credential operation (Decrypt, Create, Update, Validate) is logged to the Audit Logs entity with:
- User who performed the operation
- Subsystem that requested access
- Success or failure status
- Duration in milliseconds
## Security
- **Encryption at rest** -- The `Values` field uses MJ field-level encryption
- **Audit trail** -- All access logged including failed attempts
- **Access control** -- Entity-level permissions enforced via `contextUser`
- **Expiration support** -- `ExpiresAt` field enforces credential rotation
## Dependencies
| Package | Purpose |
|---------|---------|
| `@memberjunction/core` | Base engine, metadata, entity system |
| `@memberjunction/global` | Global state management |
| `@memberjunction/core-entities` | Credential entity types |
| `ajv` | JSON Schema validation |
| `ajv-formats` | Format validators (uri, email, date) |
## License
ISC