Authentication
API keys for programmatic access and sign-in for the dashboard.
Vault has two authentication planes:
- API keys — for your backend and scripts (the /v1 API).
- Sign-in — for humans using the dashboard console (Google, GitHub, or email).
API keys
Every request to the /v1 API is authenticated with a bearer token:
Authorization: Bearer sk_live_…
Keys are scoped to your workspace (tenant). Issue and revoke them from the dashboard or the API:
const { key } = await storage.keys.create({ name: "ci" }); // shown once
await storage.keys.list(); // list the keys in the workspace
await storage.keys.revoke(id); // id: identifier of the key to revoke
Keys are stored only as a hash — Vault can never show you a key again after creation. Rotate by issuing a new key and revoking the old one.
Dashboard sign-in
The dashboard supports:
- Continue with Google
- Continue with GitHub
- Email + password
On your first sign-in a workspace is created automatically. From the console you can manage buckets, API keys, and usage. Sessions are cookie-based and scoped to your account.
Signed URLs
To let untrusted clients (browsers, mobile apps) upload or download without an API key, issue a short-lived signed URL. The signature is scoped to a single method and object and expires automatically.
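A sketch of how a signature can be bound to one method, one object and an expiry, added here as an example and not Vault's own code or URL format: it uses a generic HMAC-SHA256 scheme. The `signUrl` and `verifyUrl` helpers, the `expires` and `sig` query parameters, the secret and the `vault.example` host are assumptions for illustration.

```javascript
const crypto = require("node:crypto");

// Constructed demo secret (assumption); a real signing key stays server-side.
const SECRET = "demo-signing-secret-not-a-real-key";

// The MAC covers method, object path and expiry, so changing any of them
// invalidates the signature.
function mac(method, pathname, expires) {
  return crypto.createHmac("sha256", SECRET)
    .update(`${method.toUpperCase()}\n${pathname}\n${expires}`)
    .digest("hex");
}

// Issue a URL valid for one method on one object for ttlSeconds.
function signUrl(method, path, ttlSeconds, now = Date.now()) {
  const expires = Math.floor(now / 1000) + ttlSeconds;
  const url = new URL(path, "https://vault.example"); // placeholder host
  url.searchParams.set("expires", String(expires));
  url.searchParams.set("sig", mac(method, url.pathname, expires));
  return url.toString();
}

// Returns "ok", "expired" or "bad_signature".
function verifyUrl(method, rawUrl, now = Date.now()) {
  const url = new URL(rawUrl);
  const expires = url.searchParams.get("expires") || "";
  const sig = url.searchParams.get("sig") || "";
  // Reject malformed parameters before doing any crypto.
  if (!/^\d{1,12}$/.test(expires) || !/^[0-9a-f]{64}$/.test(sig)) {
    return "bad_signature";
  }
  const expected = Buffer.from(mac(method, url.pathname, expires), "hex");
  // Constant-time comparison; both buffers are 32 bytes at this point.
  if (!crypto.timingSafeEqual(Buffer.from(sig, "hex"), expected)) {
    return "bad_signature";
  }
  // Only trust the expiry once the MAC over it has been verified.
  if (Math.floor(now / 1000) >= Number(expires)) return "expired";
  return "ok";
}

// Usage with a fixed clock so the result is reproducible.
const t0 = 1700000000000;
const demo = signUrl("PUT", "/uploads/report.pdf", 300, t0);
console.log(verifyUrl("PUT", demo, t0 + 1000));
```

Reusing the same URL with a different method, a different object path or an edited `expires` value fails verification, because all three are inputs to the MAC.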