Can you go into more detail about this? I may be misunderstanding, but I read 'never persisted' as meaning my users must provide credentials for every API call.
Ah, I meant plaintext passwords are never persisted in a db anywhere. The only time passwords are decrypted are when they are used to programmatically log in, so they're never stored anywhere except in memory.
Out of interest what’s the architecture you have gone with for key rotation and storage, and where the encrypted passwords are stored. (Understand that as an very early stage startup you probably haven’t optimised all this yet)
I know some other services that have had to go this route have used quite elaborate systems to ensure separation between keys, passwords and user details in the event of a hack.