Encryption, Session, and Transaction Management

A robust security framework is paramount in an agentic commerce ecosystem. Xano serves as the cornerstone of this framework, providing comprehensive capabilities for encryption, session management, and transaction integrity.

Data Encryption

Xano provides a multi-layered approach to data encryption, ensuring that sensitive information is protected at all times.

Encryption at Rest

All data stored in the Xano PostgreSQL database is encrypted at rest using industry-standard AES-256 encryption. This ensures that even if physical storage media is compromised, the data remains unreadable without the proper encryption keys.

Encryption in Transit

All communication between the AI Agent Platform, Xano, and external services (like payment gateways) is encrypted using TLS 1.2 or higher. This protects data as it travels across networks, preventing man-in-the-middle attacks and eavesdropping.

Field-Level Encryption

Xano's built-in cryptography library is used to encrypt sensitive fields in the database, such as:

  • User credentials
  • API keys
  • Payment token information
  • Personally Identifiable Information (PII)

This provides an additional layer of security, ensuring that even if the database is compromised, the sensitive data remains protected.

Session Management with JWE/JWS

User sessions are managed using a stateless authentication mechanism based on JSON Web Encryption (JWE) and JSON Web Signature (JWS) tokens. This approach is highly secure and scalable, making it ideal for a distributed, agent-based architecture.

Session Management Flow

  1. Authentication: When a user logs in, Xano generates a JWE token. This token contains an encrypted payload with the user's ID, role, and other session-specific data

  2. Token Transmission: The JWE token is sent to the AI Agent Platform, which stores it securely

  3. Authenticated Requests: For every subsequent request to Xano, the agent includes the JWE token in the Authorization header

  4. Token Validation: Xano decrypts and validates the token, ensuring its integrity and authenticity. If the token is valid, the request is processed

  5. Session Expiration: JWE tokens have a defined expiration time, after which the user must re-authenticate

Benefits of JWE/JWS

  • Stateless: No server-side session storage required
  • Scalable: Works seamlessly across distributed systems
  • Secure: Encrypted payload prevents tampering
  • Compact: Efficient for transmission in HTTP headers

Transaction Management

Ensuring transaction integrity is crucial, especially in an automated, agent-driven environment. Xano's database capabilities, combined with custom business logic, manage transactions and prevent common issues like duplicate processing.

ACID Compliance

The underlying PostgreSQL database in Xano is ACID compliant, guaranteeing:

  • Atomicity: Transactions are all-or-nothing
  • Consistency: Database remains in a valid state
  • Isolation: Concurrent transactions don't interfere
  • Durability: Committed transactions persist

User Data as Source of Truth

User data is treated as a dynamically tagged collection, shared across the Model-View-Controller (MVC) architecture of Webflow, Shopify, and Xano. Both Xano and Shopify are considered AI-enabled Sources of Trust for user data, secured with Keyed JWE ID tokens.

User consent for data processing and transactions is managed through User Data Consent History JWE. These cryptographically signed records provide:

  • Immutable audit trail of consent changes
  • Timestamp and version tracking
  • Legal compliance for GDPR and similar regulations
  • Integration with UCP session and user history

Next: Idempotency Map →