Connections & credentials FAQ
OAuth vs password, credential storage, encryption.
OAuth or username/password — which should I use?
Either works on 3CX v20.0+. We recommend username + password for most cases:
- Works on every 3CX edition.
- No need to create an API client on the PBX side.
- The same credential rotates with the user.
Use OAuth client credentials if:
- You want a dedicated, scoped service account just for Sikurd polling.
- Your security policy requires non-human service authentication.
- You already have an API client provisioned.
How are credentials stored?
3CX admin passwords are encrypted in our database with AES-256-GCM. The encryption key (CREDENTIAL_ENCRYPTION_KEY) lives in our production environment, not the database. A DB compromise alone doesn't yield plaintext credentials.
OAuth access/refresh tokens are also stored encrypted (in progress — see the trust center for the latest posture).
Can your team see the passwords?
No. The encryption key only lives in production runtime. We can't read your stored passwords from logs or admin tools. If we lose the key, the ciphertext is unrecoverable — we'd have to ask you to re-paste credentials.
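The storage model from the two answers above (AES-256-GCM ciphertext in the database, key only in the runtime environment), as an added Go example that is not Sikurd's own code. The function names, the base64 encoding of the key, and the use of a row ID as associated data are assumptions of this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"fmt"
	"os"
)

// NewAEAD builds AES-256-GCM from a base64-encoded 32-byte key (encoding assumed).
func NewAEAD(b64Key string) (cipher.AEAD, error) {
	key, err := base64.StdEncoding.DecodeString(b64Key)
	if err != nil || len(key) != 32 {
		return nil, fmt.Errorf("key must be 32 bytes, base64-encoded")
	}
	block, _ := aes.NewCipher(key) // cannot fail: key length checked above
	return cipher.NewGCM(block)
}

// Seal returns nonce || ciphertext || tag, the only value written to the database.
// rowID is bound as associated data so a blob copied to another row fails to open.
func Seal(aead cipher.AEAD, rowID, secret string) ([]byte, error) {
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, []byte(secret), []byte(rowID)), nil
}

// Open fails on a wrong key, a wrong rowID, or any modified byte.
func Open(aead cipher.AEAD, rowID string, blob []byte) (string, error) {
	n := aead.NonceSize()
	if len(blob) < n {
		return "", fmt.Errorf("blob shorter than nonce")
	}
	pt, err := aead.Open(nil, blob[:n], blob[n:], []byte(rowID))
	return string(pt), err
}

func main() {
	aead, err := NewAEAD(os.Getenv("CREDENTIAL_ENCRYPTION_KEY"))
	if err != nil {
		panic(err) // refuse to start without a valid key
	}
	blob, _ := Seal(aead, "instance-1", "constructed-sample-password")
	fmt.Println(Open(aead, "instance-1", blob))
}
```

A stored blob opened under any other key returns an authentication error rather than garbage plaintext, which is why a database dump without the key is unreadable and a lost key means re-entering credentials.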
Why does Sikurd need admin credentials at all?
To call 3CX's management API. Most reads (SystemStatus, Users, Queues, Backups) require an authenticated session. Sikurd uses your credentials the same way the 3CX web admin console does — it's a separate session, not a shared one.
Can I use a read-only account?
3CX doesn't currently have a read-only API role. The recommended path is to create a dedicated Sikurd user with the System owner role that only Sikurd uses. Audit logs (in 3CX) will then show "Sikurd" performed each read, separating Sikurd activity from human activity.
What if I rotate the 3CX password?
The instance will start failing to poll within ~60 seconds. The instance's status flips to Degraded then Offline. Click Reauth on the instance card and paste the new credentials.
OAuth scopes
We request the minimum scopes 3CX exposes for management OAuth — typically the management.access scope. We don't ask for call-recording download or anything else outside polling.
My instance is behind a VPN / firewall
Sikurd polls outbound from our cloud workers. If your 3CX is behind a private network, the worker can't reach it. Two options:
- Open access from our worker IPs — we publish them; add a firewall rule.
- Deploy a private connector — coming on Enterprise. Lets the connector poll locally and report back over an outbound tunnel.