Key Isolation
Key isolation is the mechanism that lets Volidator’s dashboard server serve your encrypted logs to a browser without ever receiving the decryption key.
The URL hash fragment
Section titled “The URL hash fragment”The embed URL for the dashboard widget looks like this:
https://dash.volidator.com/embed/{jwt_token}#{encryption_key}Everything after the # is the hash fragment. Browsers follow RFC 7230 and RFC 7231: the hash fragment is never included in HTTP requests. When the browser loads this URL, it sends:
GET /embed/{jwt_token} HTTP/1.1Host: dash.volidator.comThe #{encryption_key} part is processed only by client-side JavaScript using window.location.hash. It is never transmitted to the server.
What the dashboard server sees
Section titled “What the dashboard server sees”The dashboard server receives the JWT token and uses it to:
- Verify the token signature against the project’s
clientSecret. - Extract the actor’s blind index from the token payload.
- Query the D1 database for encrypted log rows matching that blind index.
- Return the ciphertext rows as JSON.
At no point does the server see or store the decryption key.
Decryption in the browser
Section titled “Decryption in the browser”The browser’s LogTableClient component reads window.location.hash on mount, strips the leading #, and uses the Web Crypto API to decrypt each row:
const key = await crypto.subtle.importKey( 'raw', sha256(window.location.hash.slice(1)), { name: 'AES-GCM' }, false, ['decrypt'],);The IV is the first 12 bytes of each ciphertext row (prepended by the SDK at log time).
Security properties
Section titled “Security properties”- If Volidator’s server is compromised, the attacker gets ciphertext and no key.
- If the embed URL is intercepted in transit (e.g. in a proxy log), the hash fragment is not present in the HTTP request, so the key is not exposed.
- The key is exposed if the full URL (including fragment) is leaked through copy-paste, browser history sharing, or an insecure referrer header. Treat embed URLs as secrets.
Related
Section titled “Related”- Embedding the Dashboard — how to generate the embed URL and iframe
- generateEmbedToken() — reference for the server-side token generator