AES-256-GCM · Append-only audit · Just-in-time access

Vendor access without the chaos.

Stop sharing API keys in Slack. Stop wondering who can see what. Vault credentials, gate them behind just-in-time approvals, and get a full audit trail of every reveal.

AES-256-GCM encryption
Per-credential access control
Every reveal logged
Auto-expiring access
The problem

Right now, vendor access lives everywhere except where it should.

Credentials in Slack DMs

API keys pasted into a thread two months ago. The vendor is gone. The key still works. You don't know who can still read it.

Forgotten access

Three contractors offboarded last quarter. Their access to the staging database was never revoked. You'd have to grep eight tools to find out.

No audit visibility

Auditor asks who accessed the customer-data export bucket in March. Best you can do is guess. There's no log to point at.

What you get

Six things vendor access management should have always had.

Vendor directory

Every SaaS, contractor, and integration in one place. Owner, criticality, compliance, and data access all tracked.

Encrypted credentials

AES-256-GCM per credential. Plaintext never appears in API responses or list queries. Decrypted only on explicit reveal.

Just-in-time access

Viewers request access with justification + duration. Admins approve, deny, or shorten the window. Auto-expires.

Rotation tracking

Set rotation periods per credential. Cron emails owners when rotations are due. Active access auto-revokes on rotation.

Append-only audit log

Every action, every reveal, every approval logged with actor, IP, user agent. Filter, search, export to CSV for compliance.

Role-based access

Owner, admin, viewer. Viewers see only what they have been granted access to. Admins control everything. The owner role protects last-owner integrity, so a workspace can never be left without an owner.

How it works

Three steps. No standing access.

01 Store

Encrypt credentials with a fresh IV per secret

Add vendors, then store the credentials they gave you: API keys, database URLs, SSH keys, webhooks. Each value is encrypted with AES-256-GCM and a unique IV. The plaintext never leaves the server until someone is explicitly authorized to see it.

Stripe credentials
Production API Key
api_key · production
••••••••
Webhook Secret
webhook · production
••••••••
Test Key
api_key · staging
••••••••
02 Request

Just-in-time access, with justification and expiry

Viewers can't see secrets until they request access. Admins approve, deny, or shorten the window. Every grant has a hard expiry, measured in hours, not forever. The cron auto-expires anything past its window.

Pending review · 1
Sarah → Stripe Production Key · just now

Reproducing customer issue #1842, needs prod dashboard for ~30 min.

Daniel → OpenAI API Key · approved 2h ago
03 Audit

Every reveal is recorded forever

When a grant is used, a credential.viewed entry lands in the audit log with the actor, IP, user agent, and timestamp. Filter by action, resource, or person. Export to CSV when an auditor asks. The log is append-only.

Audit log · last 24h · 47 events
13:42 Sarah Chen revealed Stripe Production Key
13:38 Daniel approved Sarah's request
13:35 Sarah Chen requested Stripe Production Key
11:02 Daniel rotated Neon DB Password
Built like a security tool

Because it is one.

AES-256-GCM, fresh IV per credential

Authenticated encryption with a unique 12-byte IV per secret. Any change to the stored IV, ciphertext, or tag fails tag verification, so decryption returns nothing rather than corrupted plaintext: it fails closed.

Plaintext stays on the server

List queries explicitly exclude the encrypted columns. The decrypted value is only returned by an explicit reveal action, and only to a user with active access.

Every reveal is logged

Each credential.viewed entry records the actor, IP, user agent, and credential. Failed reveal attempts log credential.reveal_denied, useful for spotting insider snooping.

Auto-revoke on rotation

When a credential is rotated, all active approved access is revoked atomically in the same transaction and the affected requesters are notified by email.

Bot protection on the front door

Cloudflare Turnstile guards signup, password reset, and verification email resends. Real humans pass invisibly; bots get challenged.

Append-only audit log

No update or delete API on audit_logs. The schema preserves history forever. Export to CSV with full filter parity for compliance evidence.

How it compares

The honest table.

We're not pretending to replace HashiCorp Vault for an enterprise. We're built for the team that's currently using a Slack channel.

Capability | Slack DMs (status quo) | Shared 1Password (common upgrade) | HashiCorp Vault (enterprise tier) | Vendor Access Vault (you are here)
Encrypted at rest with audited algorithms
Per-credential approval workflow
Time-bound access with auto-expiry
Append-only audit log with CSV export
Per-vendor risk metadata
Built for SMBs (no enterprise sales call)
Frequently asked

Things people want to know.

Stop hoping nothing has slipped through.

Bring your vendor credentials into one place, gate them behind approvals, and finally have an audit trail you can show.

Free · No credit card required