# Documentation - [Glossary](/docs/glossary): Definitions of concepts and terms used in CipherStash - [CipherStash Documentation](/docs): The data security stack designed for devs - [Planning guide](/docs/planning-guide): Technical planning guide for adopting CipherStash encryption-in-use in your application - [Supported solutions](/docs/supported-solutions): Integration options, supported databases, and performance characteristics for CipherStash encryption - [API reference](/docs/encryption/api-reference): Complete API reference for the CipherStash Encryption SDK - [Bundling](/docs/encryption/bundling): Configure webpack, esbuild, Next.js, and other build tools to work with @cipherstash/stack - [Configuration](/docs/encryption/configuration): Configure the SDK with environment variables, TOML files, or programmatically - [Drizzle ORM](/docs/encryption/drizzle): Query encrypted data with Drizzle ORM using type-safe encrypted column definitions and operators - [DynamoDB](/docs/encryption/dynamodb): Encrypt and decrypt DynamoDB items with the encryptedDynamoDB helper - [Encrypt and decrypt](/docs/encryption/encrypt-decrypt): Encrypt and decrypt single values, models, and bulk operations - [Error handling](/docs/encryption/error-handling): Handle errors with the Result pattern used across the SDK - [Getting started](/docs/encryption/getting-started): Install the SDK and encrypt your first value in under 5 minutes - [Identity-aware encryption](/docs/encryption/identity): Tie encryption to a user's JWT so only that user can decrypt their data - [Encryption](/docs/encryption): Field-level encryption with searchable queries, powered by ZeroKMS - [Migration guide](/docs/encryption/migration): Migrate from @cipherstash/protect to @cipherstash/stack - [Schema definition](/docs/encryption/schema): Define which columns to encrypt, what queries to support, and how to handle nested objects - [Searchable encryption](/docs/encryption/searchable-encryption): Run equality, free-text, range, and JSON queries on encrypted data in PostgreSQL - [SST](/docs/encryption/sst): Configure SST and serverless functions to work with @cipherstash/stack - [Storing encrypted data](/docs/encryption/storing-data): Store and retrieve encrypted data in PostgreSQL and other databases using the Encryption SDK - [Supabase](/docs/encryption/supabase): Encrypt and search data with the Supabase SDK using the encryptedSupabase wrapper - [Testing](/docs/encryption/testing): Test applications that use @cipherstash/stack encryption - [Troubleshooting](/docs/encryption/troubleshooting): Common issues and fixes for @cipherstash/stack - [Access keys](/docs/kms/access-keys): Create and manage access keys for programmatic access to CipherStash services - [Clients](/docs/kms/clients): Create and manage clients used by SDKs and Proxy - [Configuration](/docs/kms/configuration): Configure ZeroKMS credentials and options - [CipherStash Token Service (CTS)](/docs/kms/cts): Authentication and identity federation service for accessing CipherStash services like ZeroKMS - [Disaster recovery](/docs/kms/disaster-recovery): How ZeroKMS protects your encrypted data with robust disaster recovery capabilities - [KMS](/docs/kms): Key management with ZeroKMS, backed by AWS KMS - [Keysets](/docs/kms/keysets): Isolate encryption keys per tenant with multi-tenant keysets - [Regions](/docs/kms/regions): Each workspace is tied to a specific region, and is deployed in that region's ZeroKMS instance - [CipherStash vs AWS KMS](/docs/platform/aws-kms-comparison): A side-by-side comparison of CipherStash Encryption and AWS KMS for application-level encryption - [Billing](/docs/platform/billing): Manage workspace billing, plans, and usage limits - [The CipherCell](/docs/platform/cipher-cell): The CipherStash format for encrypted data with searchable encrypted metadata - [Compliance](/docs/platform/compliance): Compliance frameworks, data residency, and audit capabilities in CipherStash - [Encrypt Query Language (EQL)](/docs/platform/eql): PostgreSQL types, operators, and functions for querying encrypted data - [Platform](/docs/platform): Dashboard, workspaces, organization management, and core concepts - [Members](/docs/platform/members): Manage organization members and workspace memberships - [Searchable encryption](/docs/platform/searchable-encryption): How CipherStash enables querying encrypted data without decryption — theory, architecture, and security model - [Security architecture](/docs/platform/security-architecture): Cryptographic primitives, key hierarchy, trust model, and data flow in CipherStash - [Supported queries](/docs/platform/supported-queries): Searchable encryption index types and the query operations they enable on encrypted data - [What is CipherStash?](/docs/platform/what-is-cipherstash): CipherStash is field-level encryption you can query without decryption, with cryptographically verifiable audit trails and key management up to 14x faster than AWS KMS. - [Audit features](/docs/proxy/audit): Statement fingerprinting, SQL redaction, primary key injection, and record reconciliation in CipherStash Proxy - [Deploying to AWS ECS](/docs/proxy/aws-ecs): Step-by-step guide for deploying CipherStash Proxy to AWS ECS with Fargate - [Configuration](/docs/proxy/configuration): Installing and configuring CipherStash Proxy for Docker, environment variables, and database schema setup - [Getting started with Proxy](/docs/proxy/getting-started): Get up and running with CipherStash Proxy in local dev in under 5 minutes - [CipherStash Proxy](/docs/proxy): Transparent, searchable encryption for your existing PostgreSQL database - [API Reference](/docs/reference): Auto-generated API reference documentation for CipherStash packages - [CLI reference](/docs/secrets/cli): Manage secrets from the terminal with the stash CLI - [Concepts](/docs/secrets/concepts): Workspaces, environments, clients, and API keys for Secrets - [Getting started](/docs/secrets/getting-started): Store and retrieve your first encrypted secret - [Secrets](/docs/secrets): End-to-end encrypted secret storage and management - [SDK reference](/docs/secrets/sdk): Programmatic API for storing, retrieving, and managing encrypted secrets - [Securing AI and RAG pipelines](/docs/use-cases/ai-rag): Protect sensitive data in AI retrieval-augmented generation pipelines with encrypted vector storage and searchable encryption - [Regulatory compliance](/docs/use-cases/compliance): Meet GDPR, HIPAA, and PCI-DSS requirements with encrypted uniqueness constraints, data minimization, and audit trails - [Data residency](/docs/use-cases/data-residency): Cross-border data access with regional ZeroKMS deployment and dual-party key split for sovereignty - [Use cases](/docs/use-cases): Real-world use cases for CipherStash encryption, including data vault comparisons, data sovereignty, and identifying sensitive data - [Provable access control](/docs/use-cases/provable-access): Cryptographic proof-based access control with Lock Contexts for identity-aware encryption and audit logging - [EQL API Reference](/docs/reference/eql): Complete API reference for the Encrypt Query Language (EQL) PostgreSQL extension. - [@cipherstash/stack](/docs/reference/stack/latest): API reference for @cipherstash/stack - [client](/docs/reference/stack/latest/client): API reference for client - [drizzle](/docs/reference/stack/latest/drizzle): API reference for drizzle - [dynamodb](/docs/reference/stack/latest/dynamodb): API reference for dynamodb - [encryption](/docs/reference/stack/latest/encryption): API reference for encryption - [identity](/docs/reference/stack/latest/identity): API reference for identity - [schema](/docs/reference/stack/latest/schema): API reference for schema - [secrets](/docs/reference/stack/latest/secrets): API reference for secrets - [supabase](/docs/reference/stack/latest/supabase): API reference for supabase - [types-public](/docs/reference/stack/latest/types-public): API reference for types-public - [EncryptionConfigError](/docs/reference/stack/latest/drizzle/classes/EncryptionConfigError): Create Drizzle query operators (`eq`, `lt`, `gt`, etc.) that work with encrypted columns. The returned operators encrypt query values before passing them to ... - [EncryptionOperatorError](/docs/reference/stack/latest/drizzle/classes/EncryptionOperatorError): Custom error types for better debugging - [createEncryptionOperators](/docs/reference/stack/latest/drizzle/functions/createEncryptionOperators): Create Drizzle query operators (`eq`, `lt`, `gt`, etc.) that work with encrypted columns. The returned operators encrypt query values before passing them to ... - [encryptedType](/docs/reference/stack/latest/drizzle/functions/encryptedType): API reference for encryptedType - [extractEncryptionSchema](/docs/reference/stack/latest/drizzle/functions/extractEncryptionSchema): Extract a CipherStash encryption schema from a Drizzle table definition. Inspects columns created with encryptedType and builds the equivalent `encryptedTab... - [EncryptedColumnConfig](/docs/reference/stack/latest/drizzle/type-aliases/EncryptedColumnConfig): Configuration for encrypted column indexes and data types - [encryptedDynamoDB](/docs/reference/stack/latest/dynamodb/functions/encryptedDynamoDB): API reference for encryptedDynamoDB - [EncryptedDynamoDBConfig](/docs/reference/stack/latest/dynamodb/interfaces/EncryptedDynamoDBConfig): API reference for EncryptedDynamoDBConfig - [EncryptedDynamoDBError](/docs/reference/stack/latest/dynamodb/interfaces/EncryptedDynamoDBError): API reference for EncryptedDynamoDBError - [EncryptedDynamoDBInstance](/docs/reference/stack/latest/dynamodb/interfaces/EncryptedDynamoDBInstance): API reference for EncryptedDynamoDBInstance - [EncryptionClient](/docs/reference/stack/latest/encryption/classes/EncryptionClient): The EncryptionClient is the main entry point for interacting with the CipherStash Encryption library. It provides methods for encrypting and decrypting indiv... - [noClientError](/docs/reference/stack/latest/encryption/functions/noClientError): API reference for noClientError - [LockContext](/docs/reference/stack/latest/identity/classes/LockContext): Manages CipherStash lock contexts for row-level access control. A `LockContext` ties encryption/decryption operations to an authenticated user identity via ... - [Context](/docs/reference/stack/latest/identity/type-aliases/Context): API reference for Context - [CtsRegions](/docs/reference/stack/latest/identity/type-aliases/CtsRegions): API reference for CtsRegions - [CtsToken](/docs/reference/stack/latest/identity/type-aliases/CtsToken): API reference for CtsToken - [GetLockContextResponse](/docs/reference/stack/latest/identity/type-aliases/GetLockContextResponse): API reference for GetLockContextResponse - [IdentifyOptions](/docs/reference/stack/latest/identity/type-aliases/IdentifyOptions): API reference for IdentifyOptions - [LockContextOptions](/docs/reference/stack/latest/identity/type-aliases/LockContextOptions): API reference for LockContextOptions - [EncryptedColumn](/docs/reference/stack/latest/schema/classes/EncryptedColumn): API reference for EncryptedColumn - [EncryptedField](/docs/reference/stack/latest/schema/classes/EncryptedField): Builder for a nested encrypted field (encrypted but not searchable). Create with encryptedField. Use inside nested objects in encryptedTable; supports `.data... - [EncryptedTable](/docs/reference/stack/latest/schema/classes/EncryptedTable): API reference for EncryptedTable - [buildEncryptConfig](/docs/reference/stack/latest/schema/functions/buildEncryptConfig): API reference for buildEncryptConfig - [encryptedColumn](/docs/reference/stack/latest/schema/functions/encryptedColumn): API reference for encryptedColumn - [encryptedField](/docs/reference/stack/latest/schema/functions/encryptedField): API reference for encryptedField - [encryptedTable](/docs/reference/stack/latest/schema/functions/encryptedTable): API reference for encryptedTable - [CastAs](/docs/reference/stack/latest/schema/type-aliases/CastAs): Type-safe alias for castAsEnum used to specify the *unencrypted* data type of a column or value. This is important because once encrypted, all data is stored... - [ColumnSchema](/docs/reference/stack/latest/schema/type-aliases/ColumnSchema): API reference for ColumnSchema - [EncryptConfig](/docs/reference/stack/latest/schema/type-aliases/EncryptConfig): API reference for EncryptConfig - [EncryptedTableColumn](/docs/reference/stack/latest/schema/type-aliases/EncryptedTableColumn): Shape of table columns: either top-level EncryptedColumn or nested objects whose leaves are EncryptedField. Used with encryptedTable. - [InferEncrypted](/docs/reference/stack/latest/schema/type-aliases/InferEncrypted): Infer the encrypted type from a EncryptedTable schema. - [InferPlaintext](/docs/reference/stack/latest/schema/type-aliases/InferPlaintext): Infer the plaintext (decrypted) type from a EncryptedTable schema. - [MatchIndexOpts](/docs/reference/stack/latest/schema/type-aliases/MatchIndexOpts): API reference for MatchIndexOpts - [OreIndexOpts](/docs/reference/stack/latest/schema/type-aliases/OreIndexOpts): API reference for OreIndexOpts - [SteVecIndexOpts](/docs/reference/stack/latest/schema/type-aliases/SteVecIndexOpts): API reference for SteVecIndexOpts - [TokenFilter](/docs/reference/stack/latest/schema/type-aliases/TokenFilter): API reference for TokenFilter - [UniqueIndexOpts](/docs/reference/stack/latest/schema/type-aliases/UniqueIndexOpts): API reference for UniqueIndexOpts - [Secrets](/docs/reference/stack/latest/secrets/classes/Secrets): The Secrets client provides a high-level API for managing encrypted secrets stored in CipherStash. Secrets are encrypted locally before being sent to the API... - [DecryptedSecretResponse](/docs/reference/stack/latest/secrets/interfaces/DecryptedSecretResponse): API reference for DecryptedSecretResponse - [DeleteSecretRequest](/docs/reference/stack/latest/secrets/interfaces/DeleteSecretRequest): API request body for deleting a secret. POST /api/secrets/delete - [DeleteSecretResponse](/docs/reference/stack/latest/secrets/interfaces/DeleteSecretResponse): API response for deleting a secret. POST /api/secrets/delete - [GetSecretResponse](/docs/reference/stack/latest/secrets/interfaces/GetSecretResponse): API response for getting a single secret. GET /api/secrets/get?workspaceId=...&environment=...&name=... The `encryptedValue` is the raw value stored in the ... - [ListSecretsResponse](/docs/reference/stack/latest/secrets/interfaces/ListSecretsResponse): API response for listing secrets. GET /api/secrets/list?workspaceId=...&environment=... - [PlanLimitError](/docs/reference/stack/latest/secrets/interfaces/PlanLimitError): API error response for plan limit violations (403). Returned by POST /api/secrets/set when the workspace has reached its secret limit. - [SecretMetadata](/docs/reference/stack/latest/secrets/interfaces/SecretMetadata): Secret metadata returned from the API (list endpoint). All fields are always present in API responses. - [SecretsConfig](/docs/reference/stack/latest/secrets/interfaces/SecretsConfig): Configuration options for initializing the Stash client - [SecretsError](/docs/reference/stack/latest/secrets/interfaces/SecretsError): Error returned by secrets operations. - [SetSecretRequest](/docs/reference/stack/latest/secrets/interfaces/SetSecretRequest): API request body for setting a secret. POST /api/secrets/set - [SetSecretResponse](/docs/reference/stack/latest/secrets/interfaces/SetSecretResponse): API response for setting a secret. POST /api/secrets/set - [GetManySecretsResponse](/docs/reference/stack/latest/secrets/type-aliases/GetManySecretsResponse): API response for getting multiple secrets. GET /api/secrets/get-many?workspaceId=...&environment=...&names=name1,name2,... Returns an array of GetSecretResp... - [SecretName](/docs/reference/stack/latest/secrets/type-aliases/SecretName): API reference for SecretName - [SecretValue](/docs/reference/stack/latest/secrets/type-aliases/SecretValue): API reference for SecretValue - [SecretsErrorType](/docs/reference/stack/latest/secrets/type-aliases/SecretsErrorType): Discriminated error type for secrets operations. - [encryptedSupabase](/docs/reference/stack/latest/supabase/functions/encryptedSupabase): API reference for encryptedSupabase - [EncryptedQueryBuilder](/docs/reference/stack/latest/supabase/interfaces/EncryptedQueryBuilder): API reference for EncryptedQueryBuilder - [EncryptedSupabaseInstance](/docs/reference/stack/latest/supabase/interfaces/EncryptedSupabaseInstance): API reference for EncryptedSupabaseInstance - [SupabaseClientLike](/docs/reference/stack/latest/supabase/interfaces/SupabaseClientLike): API reference for SupabaseClientLike - [EncryptedSupabaseConfig](/docs/reference/stack/latest/supabase/type-aliases/EncryptedSupabaseConfig): API reference for EncryptedSupabaseConfig - [EncryptedSupabaseError](/docs/reference/stack/latest/supabase/type-aliases/EncryptedSupabaseError): API reference for EncryptedSupabaseError - [EncryptedSupabaseResponse](/docs/reference/stack/latest/supabase/type-aliases/EncryptedSupabaseResponse): API reference for EncryptedSupabaseResponse - [PendingOrCondition](/docs/reference/stack/latest/supabase/type-aliases/PendingOrCondition): API reference for PendingOrCondition - [queryTypes](/docs/reference/stack/latest/types-public/variables/queryTypes): API reference for queryTypes - [BulkDecryptPayload](/docs/reference/stack/latest/types-public/type-aliases/BulkDecryptPayload): API reference for BulkDecryptPayload - [BulkDecryptedData](/docs/reference/stack/latest/types-public/type-aliases/BulkDecryptedData): API reference for BulkDecryptedData - [BulkEncryptPayload](/docs/reference/stack/latest/types-public/type-aliases/BulkEncryptPayload): API reference for BulkEncryptPayload - [BulkEncryptedData](/docs/reference/stack/latest/types-public/type-aliases/BulkEncryptedData): API reference for BulkEncryptedData - [Client](/docs/reference/stack/latest/types-public/type-aliases/Client): Public type re-exports for `@cipherstash/stack/types`. This module exposes only the public types from the internal types module. Internal helpers (`queryTyp... - [ClientConfig](/docs/reference/stack/latest/types-public/type-aliases/ClientConfig): API reference for ClientConfig - [Decrypted](/docs/reference/stack/latest/types-public/type-aliases/Decrypted): Model with encrypted fields replaced by plaintext (decrypted) values - [DecryptedFields](/docs/reference/stack/latest/types-public/type-aliases/DecryptedFields): API reference for DecryptedFields - [DecryptionResult](/docs/reference/stack/latest/types-public/type-aliases/DecryptionResult): Result type for individual items in bulk decrypt operations. Uses `error`/`data` fields (not `failure`/`data`) since bulk operations can have per-item failures. - [EncryptOptions](/docs/reference/stack/latest/types-public/type-aliases/EncryptOptions): Options for single-value encrypt operations. Use a column from your table schema (from encryptedColumn) or a nested field (from encryptedField) as the target... - [EncryptQueryOptions](/docs/reference/stack/latest/types-public/type-aliases/EncryptQueryOptions): API reference for EncryptQueryOptions - [Encrypted](/docs/reference/stack/latest/types-public/type-aliases/Encrypted): Structural type representing encrypted data. See also `EncryptedValue` for branded nominal typing. - [EncryptedFields](/docs/reference/stack/latest/types-public/type-aliases/EncryptedFields): API reference for EncryptedFields - [EncryptedQueryResult](/docs/reference/stack/latest/types-public/type-aliases/EncryptedQueryResult): Result of encryptQuery (single or batch): EQL or composite literal string - [EncryptedReturnType](/docs/reference/stack/latest/types-public/type-aliases/EncryptedReturnType): Format for encrypted query/search term return values - [EncryptedSearchTerm](/docs/reference/stack/latest/types-public/type-aliases/EncryptedSearchTerm): Encrypted search term result: EQL object or composite literal string - [EncryptedValue](/docs/reference/stack/latest/types-public/type-aliases/EncryptedValue): A branded type representing encrypted data. Cannot be accidentally used as plaintext. - [EncryptionClientConfig](/docs/reference/stack/latest/types-public/type-aliases/EncryptionClientConfig): API reference for EncryptionClientConfig - [KeysetIdentifier](/docs/reference/stack/latest/types-public/type-aliases/KeysetIdentifier): API reference for KeysetIdentifier - [LoggingConfig](/docs/reference/stack/latest/types-public/type-aliases/LoggingConfig): API reference for LoggingConfig - [OtherFields](/docs/reference/stack/latest/types-public/type-aliases/OtherFields): API reference for OtherFields - [QueryTypeName](/docs/reference/stack/latest/types-public/type-aliases/QueryTypeName): User-facing query type names for encrypting query values. - `'equality'`: Exact match. [Exact Queries](https://cipherstash.com/docs/platform/searchable-encr... - [ScalarQueryTerm](/docs/reference/stack/latest/types-public/type-aliases/ScalarQueryTerm): API reference for ScalarQueryTerm - [SearchTerm](/docs/reference/stack/latest/types-public/type-aliases/SearchTerm): API reference for SearchTerm