Background
Handler OAuth credentials (Twitter, Facebook, Reddit, Instagram, etc.) are currently stored in a single datamachine_auth_data site option — a serialized blob containing all providers' tokens, configs, and account data in one array. This is separate from (and unrelated to) the agent token auth system (c8c_datamachine_agent_tokens table), which is the inbound auth system for external callers.
Current State
datamachine_auth_data (site option):
{
"twitter": { "config": {...}, "account": {...} },
"reddit": { "config": {...}, "account": {...} },
"facebook": { "config": {...}, "account": {...} },
// ... 8+ providers in one blob
}
Problems
- Query performance — loading all providers to access one
- Atomicity — saving Twitter credentials touches the same option as Instagram
- Security — cannot encrypt per-provider or rotate per-provider
- No indexing — full deserialization to check if a single provider is connected
Proposed Change
Move handler OAuth credentials to a custom table (e.g. {prefix}datamachine_auth_credentials) with columns like provider, config (JSON), account (JSON), connected_at, updated_at. Each provider gets its own row.
This is a storage optimization only — not a unification with agent tokens. The two systems serve fundamentally different purposes:
- Handler OAuth = outbound (DM authenticates TO external services)
- Agent Tokens = inbound (external callers authenticate TO DM's API)
They should remain architecturally separate.
Scope
- New table + migration from datamachine_auth_data option
- Update BaseAuthProvider storage methods (get_account, save_account, get_config, save_config, clear_account)
- Update all concrete providers (Twitter, Facebook, Reddit, Instagram, Threads, LinkedIn, Pinterest, Bluesky, Email)
- Migration script for existing data
- No changes to agent token system
Priority
Low — functional but not ideal. Revisit when we have a reason to touch the handler auth layer.
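A minimal model of the proposed migration, added here as an example and not taken from the plugin's code. It uses Python's sqlite3 in place of WordPress's database layer; the `wp_` prefix, the sample blob, and the function names are assumptions. It shows the per-provider row layout, a transactional and re-runnable copy, and a round-trip check that should pass before the old option (which still holds every provider's tokens) is deleted.

```python
import json
import sqlite3
from datetime import datetime, timezone

TABLE = "wp_datamachine_auth_credentials"  # "{prefix}" assumed to be "wp_"

# Constructed sample of the legacy datamachine_auth_data blob (placeholder values).
LEGACY_BLOB = {
    "twitter": {"config": {"client_id": "EXAMPLE_ID"}, "account": {"access_token": "EXAMPLE_TOKEN_A"}},
    "reddit": {"config": {"client_id": "EXAMPLE_ID_2"}, "account": {"access_token": "EXAMPLE_TOKEN_B"}},
}

def create_table(db):
    db.execute(f"""CREATE TABLE IF NOT EXISTS {TABLE} (
        provider     TEXT PRIMARY KEY,   -- one row per provider
        config       TEXT NOT NULL,      -- JSON
        account      TEXT NOT NULL,      -- JSON
        connected_at TEXT,
        updated_at   TEXT NOT NULL)""")

def migrate(db, blob):
    """Copy every provider into its own row in one transaction; safe to re-run."""
    now = datetime.now(timezone.utc).isoformat()
    with db:  # commits on success, rolls back on any exception
        for provider, data in blob.items():
            account = data.get("account") or {}
            db.execute(
                f"""INSERT INTO {TABLE} (provider, config, account, connected_at, updated_at)
                    VALUES (?, ?, ?, ?, ?)
                    ON CONFLICT(provider) DO UPDATE SET
                        config = excluded.config, account = excluded.account,
                        updated_at = excluded.updated_at""",
                (provider, json.dumps(data.get("config") or {}), json.dumps(account),
                 now if account else None, now))
    return verify(db, blob)

def verify(db, blob):
    """True only if every legacy entry round-trips; gate deletion of the old option on this."""
    rows = {p: (json.loads(c), json.loads(a))
            for p, c, a in db.execute(f"SELECT provider, config, account FROM {TABLE}")}
    return all(rows.get(p) == (d.get("config") or {}, d.get("account") or {})
               for p, d in blob.items())

def get_account(db, provider):
    """Single-row lookup: no other provider's tokens are loaded or deserialized."""
    row = db.execute(f"SELECT account FROM {TABLE} WHERE provider = ?", (provider,)).fetchone()
    return json.loads(row[0]) if row else None
```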