How your API keys are stored

Provider keys and channel tokens are stored encrypted in a vault scoped to your account only.


What this is

Beach uses a "bring your own key" model — you paste in your own AI provider keys (Anthropic, OpenAI, Google, OpenRouter) and channel tokens (like Telegram). This page explains where those secrets actually live and who can read them.

Where they're stored

Your keys and tokens are stored in an encrypted vault. They're never written to disk in plain text and never sent to anyone else.

Each user has their own scoped permissions. Only your own server can read your secrets. Even if another customer's server somehow tried to access your vault, the cloud provider would refuse — the permissions are scoped to your account only.

Can Beach the company read your keys?

No. Beach engineers don't and can't read your keys.

The keys sit in the encrypted vault, and your server loads them into memory when it starts up. There's no admin tool, internal dashboard, or support workflow that exposes the contents of your keys to Beach staff. If you ever lose a key, you'll need to retrieve it (or generate a new one) from the provider that issued it — Beach can't show it to you.

Updating a key

When you update a key in Beach Settings, the change takes effect immediately. The new value overwrites the old one in the vault, and your server picks up the new key. The previous value is gone — there's no version history or fallback to an older key.

If your key was compromised, rotating it in Beach is enough to stop the old one from being used by your agent. It does not invalidate the old key at the provider that issued it, so you should also revoke it in the provider's dashboard so it can't be used elsewhere.
