Vault

Authentication

API keys for programmatic access and sign-in for the dashboard.

Vault has two authentication planes:

  • API keys — for your backend and scripts (the /v1 API).
  • Sign-in — for humans using the dashboard console (Google, GitHub, or email).

API keys

Every request to the /v1 API is authenticated with a bearer token:

Authorization: Bearer sk_live_…

Keys are scoped to your workspace (tenant). Issue and revoke them from the dashboard or the API:

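// `storage` is your initialised Vault client.
const { key } = await storage.keys.create({ name: "ci" }); // plaintext key is shown once; store it now
await storage.keys.list();     // list the keys issued for this workspace
await storage.keys.revoke(id); // `id` is the identifier of the key to revoke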

Keys are stored only as a hash — Vault can never show you a key again after creation. Rotate by issuing a new key and revoking the old one.

Dashboard sign-in

The dashboard supports:

  • Continue with Google
  • Continue with GitHub
  • Email + password

On your first sign-in a workspace is created automatically. From the console you can manage buckets, API keys, and usage. Sessions are cookie-based and scoped to your account.

Signed URLs

To let untrusted clients (browsers, mobile apps) upload or download without an API key, issue a short-lived signed URL. The signature is scoped to a single method and object and expires automatically.
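
The scoping described above, as an added example that is not Vault's own code or URL format: a generic HMAC-signed URL whose signature covers the method, object path and expiry, so changing any of the three is rejected. The secret, the host, the `expires` and `sig` parameter names and all function names are assumptions for illustration.

```javascript
// Added illustration: generic HMAC-signed URLs, not Vault's actual scheme.
const nodeCrypto = require("node:crypto");

const BASE = "https://storage.example";            // placeholder host (assumption)
const SIGNING_SECRET = nodeCrypto.randomBytes(32); // hypothetical server-side secret

// The MAC binds method, object path and expiry together.
function mac(method, pathname, expires) {
  return nodeCrypto.createHmac("sha256", SIGNING_SECRET)
    .update(`${method.toUpperCase()}\n${pathname}\n${expires}`)
    .digest("hex");
}

// Issue a URL valid for ttlSeconds, for exactly one method and one object.
function signUrl(method, path, ttlSeconds, now = Date.now()) {
  const pathname = new URL(path, BASE).pathname; // same canonical form as the verifier
  const expires = Math.floor(now / 1000) + ttlSeconds;
  return `${pathname}?expires=${expires}&sig=${mac(method, pathname, expires)}`;
}

// Verify an incoming request; the returned reason can be logged on rejection.
function verifyUrl(method, url, now = Date.now()) {
  const u = new URL(url, BASE);
  const expires = u.searchParams.get("expires") || "";
  const sig = u.searchParams.get("sig") || "";
  if (!/^\d+$/.test(expires) || !/^[0-9a-f]{64}$/.test(sig)) return "malformed";
  const expected = Buffer.from(mac(method, u.pathname, expires), "hex");
  // Constant-time comparison; both buffers are 32 bytes because of the regex above.
  if (!nodeCrypto.timingSafeEqual(expected, Buffer.from(sig, "hex"))) return "bad-signature";
  // Expiry is checked after the signature, so the timestamp is known to be untampered.
  if (Math.floor(now / 1000) >= Number(expires)) return "expired";
  return "ok";
}

// Constructed sample: a 5-minute upload URL for one object.
const sampleUrl = signUrl("PUT", "/bucket/report.pdf", 300);
console.log(sampleUrl, "->", verifyUrl("PUT", sampleUrl));
console.log("as GET ->", verifyUrl("GET", sampleUrl));
```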
