
Move handler OAuth credentials from wp_options blob to custom table #1017

@chubes4

Description

Background

Handler OAuth credentials (Twitter, Facebook, Reddit, Instagram, etc.) are currently stored in a single datamachine_auth_data site option — a serialized blob containing all providers' tokens, configs, and account data in one array. This is separate from (and unrelated to) the agent token auth system (c8c_datamachine_agent_tokens table), which is the inbound auth system for external callers.

Current State

datamachine_auth_data (site option):
{
  "twitter": { "config": {...}, "account": {...} },
  "reddit": { "config": {...}, "account": {...} },
  "facebook": { "config": {...}, "account": {...} },
  // ... 8+ providers in one blob
}

Problems

  1. Query performance — loading all providers to access one
  2. Atomicity — saving Twitter credentials touches the same option as Instagram
  3. Security — cannot encrypt per-provider or rotate per-provider
  4. No indexing — full deserialization to check if a single provider is connected

Proposed Change

Move handler OAuth credentials to a custom table (e.g. {prefix}datamachine_auth_credentials) with columns like provider, config (JSON), account (JSON), connected_at, updated_at. Each provider gets its own row.

This is a storage optimization only — not a unification with agent tokens. The two systems serve fundamentally different purposes:

  • Handler OAuth = outbound (DM authenticates TO external services)
  • Agent Tokens = inbound (external callers authenticate TO DM's API)

They should remain architecturally separate.

Scope

  • New table + migration from datamachine_auth_data option
  • Update BaseAuthProvider storage methods (get_account, save_account, get_config, save_config, clear_account)
  • Update all concrete providers (Twitter, Facebook, Reddit, Instagram, Threads, LinkedIn, Pinterest, Bluesky, Email)
  • Migration script for existing data
  • No changes to agent token system

Priority

Low — functional but not ideal. Revisit when we have a reason to touch the handler auth layer.
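The proposed table and the one-time migration out of the datamachine_auth_data blob, as an added example that is not Data Machine's own code. Table and column names follow the issue; the dm_* function names are assumed, as is the rule that connected_at is set at migration time when account data exists (the blob records no timestamp).

```php
// Added example, not Data Machine's own code: table/column names follow the issue,
// dm_* function names and the connected_at rule are assumptions.
function dm_auth_credentials_table(): string {
    global $wpdb;
    return $wpdb->prefix . 'datamachine_auth_credentials';
}
// One row per provider: the UNIQUE KEY makes "is X connected?" an indexed lookup,
// and saving one provider never rewrites another provider's row.
function dm_auth_credentials_install(): void {
    global $wpdb;
    require_once ABSPATH . 'wp-admin/includes/upgrade.php';
    $sql = 'CREATE TABLE ' . dm_auth_credentials_table() . ' (
        id bigint(20) unsigned NOT NULL AUTO_INCREMENT,
        provider varchar(64) NOT NULL,
        config longtext NULL,
        account longtext NULL,
        connected_at datetime NULL,
        updated_at datetime NOT NULL,
        PRIMARY KEY  (id),
        UNIQUE KEY provider (provider)
    ) ' . $wpdb->get_charset_collate() . ';';
    dbDelta( $sql ); // dbDelta requires the two spaces after PRIMARY KEY
}
// Copy each provider out of the blob into its own row. The option is deleted
// only after every row was written, so tokens are never left in two places.
function dm_auth_credentials_migrate(): int {
    global $wpdb;
    $blob = get_option( 'datamachine_auth_data', array() );
    if ( ! is_array( $blob ) ) {
        return 0;
    }
    $now    = current_time( 'mysql', true );
    $copied = 0;
    foreach ( $blob as $provider => $data ) {
        $account = isset( $data['account'] ) ? $data['account'] : array();
        $row = array(
            'provider'     => (string) $provider,
            'config'       => wp_json_encode( isset( $data['config'] ) ? $data['config'] : array() ),
            'account'      => wp_json_encode( $account ),
            'connected_at' => empty( $account ) ? null : $now, // assumed: blob has no timestamp
            'updated_at'   => $now,
        );
        if ( false === $wpdb->replace( dm_auth_credentials_table(), $row ) ) {
            return $copied; // keep the option so nothing is lost on failure
        }
        $copied++;
    }
    delete_option( 'datamachine_auth_data' );
    return $copied;
}
```

The two JSON columns hold the same plaintext the option holds today; per-provider encryption or rotation, which the issue lists as a goal, can then be layered on those columns without touching any other provider's row.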
