The Root of Encryption
Every Encrypted Operation in Arch Traces Back Here
The Foundation Other Services Depend On
The Keys Api is a root service — it has no dependency on any other Arch API.
Other services depend on it.
The Users Api stores per-user encryption keys in the Keys Api, enabling Arch's zero-knowledge authentication architecture.
Any custom microservice that needs to store sensitive credentials, rotate connection strings, or maintain encryption material across restarts uses the Keys Api to do so.
Platform Encryption
Per-user encryption keys generated by the Users Api are stored in the Keys Api.
This is how Arch achieves zero-knowledge user data protection at the platform level — the Keys Api is the silent partner in every encrypted user record across the system.
Application Encryption
Your custom microservices store their own secrets in the Keys Api — database credentials, third-party API keys, certificates, and anything else that must survive restarts without appearing in configuration files.
The structure is the same. The isolation is the same.
A High-Value Asset Treated as One
Because the Keys Api holds the secrets that protect the rest of the system, it warrants dedicated attention in your deployment architecture.
Deploy it behind strict network segmentation and restrict access to services that explicitly require it.
The Keys Api protects everything placed in its care — your deployment model should protect the Keys Api itself.