◈ SecuriX

Technical Architecture

Understanding the AASB proxy flow and system design

The AASB Proxy Flow

The data flow shifts from a direct, unmonitored connection to a brokered bridge:

Dev App/Agent (using apiKey & entityId) → Securix AASB Proxy (checks rules/injects token) → Provider API (Google/Notion)

Data Flow Steps

  1. Auth Initiation: Developer calls Securix.auth.createSession({ entityId, providers, flow }) with their apiKey and the user's entityId.
  2. Redirection: The user is sent to the authUrl returned by the SDK, where Securix handles the official OAuth handshake.
  3. Token Abstraction: Securix vaults the real Provider Token. The developer never touches it; all access is managed via the apiKey and entityId pair.
  4. API Usage: The developer uses an official provider SDK (e.g., googleapis) but overrides the base URL to provider.api.securix.app.
  5. Brokered Proxying: Securix intercepts the request, validates the securix-api-key, securix-entity-id and securix-agent-id headers, injects the real provider token, and forwards it to the service.

Core Components

Token Vault

Securix maintains a secure, encrypted vault for all provider tokens. Raw OAuth tokens (access tokens and refresh tokens) are never exposed to the developer.

  • Encryption: All tokens are encrypted at rest using AES-256
  • Zero-Knowledge: Developers never see or handle raw tokens
  • Automatic Rotation: Tokens are automatically refreshed as needed

Proxy Layer

The AASB Proxy intercepts all API requests between the developer's application and the external service provider.

  • Token Injection: Adds the real token to outgoing requests
  • Rule Validation: Checks user-defined filters before forwarding
  • Request Modification: Can modify request parameters based on virtual scopes

Rule Engine

User-defined permissions are enforced at the proxy level:

  • Folder-level Redaction: Hide specific directories or folders
  • Permission Modes: Read-only, write, delete restrictions
  • Virtual Scopes: Enable/disable specific API capabilities

Security Principles

Zero-Trust Architecture

We use a "Double-Blind" token system:

  • Developer Side: Receives a Securix Token to access data
  • Provider Side: Securix keeps the raw Google/Microsoft tokens in secure vault
  • No Trust Assumption: Every request is validated and logged

Isolation

  • Each credential is isolated with its own namespace
  • Cross-tenant access is prevented at the infrastructure level
  • Audit logs are immutable and retained for compliance

Overview

How Securix works - at a glance

The AASB Framework

Understanding the Agent Access Security Broker architecture

On this page

The AASB Proxy FlowData Flow StepsCore ComponentsToken VaultProxy LayerRule EngineSecurity PrinciplesZero-Trust ArchitectureIsolation