FAQs


How does Traceable store your credentials for AST authentication?

Traceable protects the credentials used by AST authentication hooks with encryption at rest and a secure transport channel. How a credential is handled depends on whether the hook is being created or retrieved:

  • When the hook is created from the Traceable platform — Your credentials are transmitted over a secure channel, encrypted, and then stored in the Traceable database.

  • When the hook is retrieved using the CLI — Traceable decrypts the credentials and transmits them to the CLI over a secure gRPC channel.

Traceable uses a hybrid encryption model that combines symmetric and asymmetric encryption: the credential payload is encrypted with a symmetric key, and that key is in turn encrypted with an asymmetric key. The following table summarizes the purpose and usage of each method:

Encryption         Purpose                          Usage
Symmetric (AES)    Fast encryption and decryption   Encrypting sensitive data payloads
Asymmetric (RSA)   Secure key exchange              Encrypting the AES key

The encrypted keys produced by this scheme are stored in secure vaults that follow industry-standard best practices.
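The hybrid scheme described above, as an added illustration that is not Traceable's own code: a credential is sealed with a fresh AES key, and only that AES key is encrypted with the RSA public key, so the stored record is useless without the RSA private key. The page names only AES and RSA; the choice of AES-256-GCM, RSA-OAEP with SHA-256, and the Envelope record layout are assumptions made for this example, and the credential string is constructed.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// oaepLabel binds the wrapped key to its purpose; a key wrapped for another
// purpose with a different label will not unwrap here. (Assumption for this
// example, not a documented Traceable detail.)
var oaepLabel = []byte("ast-hook-credential")

// Envelope is the record that would be persisted: the AES-encrypted credential
// and the RSA-wrapped AES key. Neither field reveals the credential on its own.
type Envelope struct {
	WrappedKey []byte // AES key encrypted with RSA-OAEP (asymmetric part)
	Nonce      []byte // AES-GCM nonce, unique per encryption
	Ciphertext []byte // AES-GCM ciphertext with authentication tag appended
}

// Encrypt seals the credential under a fresh random AES-256 key (symmetric
// part, fast and size-unbounded) and wraps that key with the RSA public key
// (asymmetric part, used only for the 32-byte key).
func Encrypt(pub *rsa.PublicKey, credential []byte) (*Envelope, error) {
	aesKey := make([]byte, 32) // AES-256
	if _, err := rand.Read(aesKey); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(aesKey)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	ciphertext := gcm.Seal(nil, nonce, credential, nil)

	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, aesKey, oaepLabel)
	if err != nil {
		return nil, err
	}
	return &Envelope{WrappedKey: wrapped, Nonce: nonce, Ciphertext: ciphertext}, nil
}

// Decrypt reverses the process: unwrap the AES key with the RSA private key,
// then open the GCM ciphertext. Any modification of the stored record, or use
// of the wrong private key, is rejected rather than yielding garbage.
func Decrypt(priv *rsa.PrivateKey, env *Envelope) ([]byte, error) {
	aesKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, env.WrappedKey, oaepLabel)
	if err != nil {
		return nil, errors.New("cannot unwrap AES key: wrong RSA key or corrupted record")
	}
	block, err := aes.NewCipher(aesKey)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	plaintext, err := gcm.Open(nil, env.Nonce, env.Ciphertext, nil)
	if err != nil {
		return nil, errors.New("ciphertext rejected: authentication tag mismatch")
	}
	return plaintext, nil
}

func main() {
	// Constructed example: the RSA key pair stands in for the vault-held key.
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	credential := []byte("Authorization: Bearer example-token-not-real")

	env, err := Encrypt(&priv.PublicKey, credential)
	if err != nil {
		panic(err)
	}
	fmt.Printf("stored: %d-byte wrapped key, %d-byte ciphertext\n", len(env.WrappedKey), len(env.Ciphertext))

	got, err := Decrypt(priv, env)
	if err != nil {
		panic(err)
	}
	fmt.Printf("recovered: %s\n", got)
}
```

The design point worth noting is the split of roles: RSA-OAEP with a 2048-bit key can only encrypt a short message, so it is used for the 32-byte AES key alone, while AES-GCM handles the credential of any length and also authenticates it, so a tampered record fails to decrypt instead of returning a silently corrupted token.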

Note

If you use a custom authentication hook written in Python, Traceable does not store your credentials at all. The hook fetches tokens dynamically at run time, for example by reading environment variables of the runner, container, or virtual machine it executes on.

Why is the number of scanned APIs shown in Suites different from Replay’s stored APIs in the Environment Config?

This difference can occur for several reasons:

  • Scan in Progress — While a scan is running, the count of scanned APIs is updated as tests are executed and their results uploaded. Traceable recommends that you compare the numbers only after the scan completes.

  • Asset Selection Filters — Custom filters applied during suite creation, such as include/exclude rules for APIs, domains, services, or labels, may have caused some APIs to be skipped.

  • Recently Added APIs — APIs discovered after the scan started are not included in the current scan.

  • Inactive APIs — APIs that have not received any traffic in the past 15 days (the default, which is configurable) are marked as inactive and removed from the environment configuration. To check the last-seen trace timestamps of stored APIs, navigate to Testing → Environment Config and click the number of Stored APIs for the respective environment.

  • Unsupported API Types — Traceable scans only REST, GraphQL, and gRPC APIs; stored APIs of other types are not included in the scan.