Products Use cases Docs Scanner CI/CD Security Status Blog Pricing Login Get started

User guide

Protect provider keys, runtime secrets, and app traffic from one consumer workflow.

VaultProof's consumer product combines a hosted installer, the vaultproof-init CLI, provider-compatible proxy routes, vault-only secret injection, a repository scanner, and a dashboard for traffic, alerts, plans, and key operations.

Setup path
  1. 1Create or sign in to your VaultProof account.
  2. 2Run the hosted installer in your app, automation, or secret-heavy repo.
  3. 3Choose proxy keys, custom APIs, vault-only secrets, or NetOps protection.
  4. 4Restart, test one workflow, then monitor activity, alerts, and plan usage.

Quick start

Install once, run init, restart your app.

For common providers, you should not need to edit application code. The init tool reads your environment files, protects detected keys, and writes the VaultProof values your SDKs need.

In your app folder
curl -fsSL https://vaultproof.dev/install | sh
vaultproof-init
What changes? Your raw provider keys are replaced with a VaultProof token, and supported providers get generated base URL values such as OPENAI_BASE_URL. The CLI handles the setup and tells you what changed.

Works from your project root

Run the command where your app keeps env files like .env, .env.local, .env.production, or .env.development.

No raw key in the app

Your app uses the VaultProof token in place of the original key. The real provider credential is reconstructed only inside VaultProof when a call is routed.

One test before deploy

Restart your local app and trigger one provider request. Check Activity Logs for the call before pushing the same env values to production.

What's built

The current consumer surface on vaultproof.dev.

Use this map to understand which customer-facing pieces are already present in the site and app, and which workflow each one supports.

Surface URLs or entry points What it does
Marketing and pricing /, /compare, /v2 Explains active key protection, provider-compatible proxying, plan limits, and how VaultProof compares with traditional secret stores.
Hosted installer and downloads /install, /downloads/vaultproof-init.mjs, /downloads/providers.json Installs the CLI, ships the hosted init bundle, and provides the provider catalog fallback used during setup.
Consumer app /app/login, /app/, /app/keys, /app/activity, /app/alerts, /app/settings, /app/plans Handles login, project monitoring, protected keys, request activity, alert review, account settings, and billing or plan workflows.
Repository scanner /scan, /app/scanner Finds exposed keys and migration opportunities from public checks or the authenticated GitHub scanner flow.
Proof, status, and trust pages /verify, /security, /status, /privacy, /terms, /abuse Shows the verification story, security model, public service health, legal policies, privacy posture, and abuse reporting path.
Init worker and proxy init.vaultproof.dev/health, /api/v1/init/projects, /p/:provider/*, /v1/* Backs project setup, key storage, dashboard data, provider proxy routes, Stripe-native path support, audit, alerts, members, and org APIs.

CLI modes

Pick the workflow that matches the secret.

The hosted CLI now handles regular provider keys, unsupported HTTPS APIs, vault-only runtime secrets, NetOps automation files, dry-run audits, legacy migration, and connectivity checks.

Common commands
vaultproof-init
vaultproof-init --dry-run
vaultproof-init custom
vaultproof-init secrets add
vaultproof-init secrets pull
vaultproof-init run -- npm run dev
vaultproof-init netops
vaultproof-init netops run -- ansible-playbook site.yml
vaultproof-init --check-legacy
vaultproof-init doctor

Provider proxy keys

Use vaultproof-init for HTTP API keys in supported SDKs. The CLI scans env files, protects detected keys, writes VAULTPROOF_PROJECT_ID, and adds provider base URLs.

Dry-run audits

Use vaultproof-init --dry-run before changing a repo. It reports scanned files, detected keys, and existing VaultProof markers without uploading or rewriting values.

Custom/internal APIs

Use vaultproof-init custom when the key belongs to a private or unsupported public HTTPS API. The CLI asks for the upstream URL and auth header format.

Vault-only secrets

Use vaultproof-init secrets add for values like DATABASE_URL, JWT_SECRET, OAuth client secrets, and webhook signing secrets that cannot be proxied as HTTP provider keys.

Secret injection

Use vaultproof-init run -- <command> to inject vault-only secrets into a child process, or vaultproof-init secrets pull to write a local plaintext file with mode 0600.

NetOps automation

Use vaultproof-init netops for Ansible inventories, group_vars, host_vars, Terraform tfvars, and automation credentials that should be injected at runtime.

Use vaultproof-init doctor when setup feels off. The doctor command checks login, worker reachability, proxy connectivity, provider catalog loading, and existing VaultProof markers before you debug app code.

Onboarding

Get your first app into VaultProof.

Use this checklist when setting up a project for the first time.

  1. 1

    Create or sign in

    Open the VaultProof app, sign in, and keep the dashboard open while you run setup. The CLI may open the browser so it can connect the app to your account.

  2. 2

    Run the hosted installer

    The installer downloads the CLI from vaultproof.dev/downloads, verifies the hosted manifest, and installs a bundled provider catalog for offline fallback.

  3. 3

    Choose the setup mode

    Run vaultproof-init for provider proxy keys, vaultproof-init custom for unsupported HTTPS APIs, vaultproof-init secrets add for vault-only runtime secrets, or vaultproof-init netops for automation repos.

  4. 4

    Restart and test

    Restart your local server so the new env values load. For vault-only secrets, start through vaultproof-init run -- <command>. Trigger one real workflow, then open Activity Logs to confirm the result.

Connect your site

Move from local setup to production.

After local setup works, copy the generated VaultProof proxy values into your hosting provider. This is the part most teams need for Vercel, Netlify, Cloudflare Pages, Render, Railway, Fly.io, or a custom server.

Local env file

Your env file should now include a generated VaultProof block. Proxy keys receive VaultProof project and base URL values; vault-only secrets become vaultproof:// placeholders.

# Generated by vaultproof-init
VAULTPROOF_PROJECT_ID=vp-proj-...
OPENAI_API_KEY=vp-proj-...
OPENAI_BASE_URL=https://init.vaultproof.dev/p/openai/v1
DATABASE_URL=vaultproof://DATABASE_URL

Production env values

In your hosting dashboard, replace raw provider API keys with the generated VaultProof token and add any generated *_BASE_URL values. Then redeploy.

  • Use the same env variable names your app already reads.
  • Remove the old raw provider key from production secrets.
  • Redeploy or restart so the new values load.
  • Check Activity Logs after the first production call.
Proxy keys and vault-only secrets deploy differently. Supported provider keys use generated env values and proxy base URLs. Vault-only placeholders need a launch path that can inject secrets with vaultproof-init run -- <command>; if a host cannot run that wrapper, keep that class of secret in your existing host secret manager.

Dashboard

What each page is for.

The app is organized around monitoring, managing protected keys, and reviewing security events.

Dashboard

See proxy calls, success rate, latency, and active routes. Use this page first after onboarding to confirm traffic is flowing through VaultProof.

API Keys / Protected Keys

Review VaultProof tokens and the provider keys attached to them. Use this page to add keys manually, rotate a protected key, or delete a token you no longer use.

Activity Logs

Filter requests by project, provider, status, endpoint, and time. This is the fastest way to answer, "Did my app call the provider through VaultProof?"

Security Alerts

Review suspicious usage, provider failures, limits, and incidents that may need action. Alerts should be handled before they become production issues.

Repository Scanner

Connect GitHub to find accidentally committed keys and migration opportunities. Scanner findings help you rotate, replace, or ignore detected secrets.

Settings and Plans

Manage account access, guardrails, billing, and usage limits. If you hit a plan limit, upgrade before production traffic starts failing.

Public tools

Use the supporting pages when you need proof, health, or examples.

The vaultproof.dev site includes more than setup docs. These pages help users validate security claims, check service status, preview the app, and find the right implementation guide.

Setup guides

Use /guides for the basic setup walkthrough and /cicd-kubernetes for CI/CD, Kubernetes, and existing secrets-stack positioning.

Scanner

Use /scan for the public scanner entry point and /app/scanner when an authenticated GitHub scan, scan history, or finding workflow is needed.

Verify and security

Use /verify and /security to explain what VaultProof can and cannot see, how split shares work, and what metadata is logged.

Status and demo

Use /status to check public site, init/proxy edge, API control plane, and dashboard health. Use /demo to preview the product without a live setup.

Providers

Provider catalog: 250 signatures.

The live provider catalog is version 9 and was last updated on 2026-05-21. vaultproof-init downloads /providers.json on each run and uses it to detect keys, choose env names, and configure provider routes.

250provider signatures
v9catalog version
2026-05-21last catalog update
View full catalog

AI and model APIs

OpenAI, Azure OpenAI, Anthropic, Groq, xAI, OpenRouter, DeepSeek, Mistral, Together AI, Fireworks AI, Cohere, Replicate, Hugging Face, Perplexity, Cerebras, ElevenLabs, Pinecone, Stability AI.

Payments and commerce

Stripe, Paystack, Lemon Squeezy, Mollie, GoCardless, Mercado Pago, Wise, Square, and related API-key based services.

Email and messaging

Resend, SendGrid, Brevo, Mailgun, Postmark, SparkPost, MailerSend, Mailjet, Mailtrap, Loops, Courier, Customer.io.

DevOps and infrastructure

GitHub, GitLab, CircleCI, Buildkite, Semgrep, SonarQube Cloud, Snyk, Codecov, LaunchDarkly, HCP Terraform, Pulumi, npm Registry, Doppler, DigitalOcean, Netlify, Render, Railway, Fly.io, Supabase, PlanetScale, Neon.

Observability

Sentry, New Relic, Datadog, Honeycomb, Better Stack, LogSnag, Raygun, Rollbar, BugSnag, Axiom.

Product and workflow

Linear, Notion, Figma, Asana, ClickUp, monday.com, Todoist, Coda, Shortcut, Webflow, and more.

If your provider is not detected: Run vaultproof-init custom and follow the prompts. The CLI can protect custom or internal API keys when you provide the public HTTPS upstream and auth header format.

Daily operations

How to work with VaultProof after setup.

Task Where to go What to do
Preview changes vaultproof-init --dry-run Scan env files, provider matches, and existing VaultProof markers before uploading or rewriting anything.
Confirm traffic Dashboard or Activity Logs Look for the provider, endpoint, status, and latency after your app makes a request.
Add another provider Run vaultproof-init again Add the provider key to your env file, rerun init, restart, and test.
Rotate a key Protected Keys Paste the rotated provider key into the existing token so your app can keep the same VaultProof value.
Deploy to production Your hosting provider Copy generated VaultProof env values to production secrets and redeploy.
Run vault-only secrets vaultproof-init run -- <command> Inject non-proxy secrets into the child process instead of leaving plaintext values in the env file.
Run automation vaultproof-init netops run -- <command> Inject Ansible or Terraform secrets after NetOps files have been rewritten to runtime environment lookups.
Check service health /status or vaultproof-init doctor Confirm whether an issue is local to your app, auth session, provider route, or VaultProof's public services.
Investigate errors Security Alerts and Activity Logs Check status codes, provider failures, limits, and whether the request reached VaultProof.

Troubleshooting

Common user fixes.

These are safe checks for the app owner. If you are supporting customers from the admin console, use the separate admin support guide.

The app still calls the provider directly

Restart your app and confirm the generated *_BASE_URL values are loaded in the same environment your process uses.

The provider call returns unauthorized

Check that the protected key exists on the Protected Keys page. If you rotated the upstream provider key, update it in VaultProof too.

Init did not find a key

Confirm the key is in one of the scanned env files and uses a provider shape in the catalog. For internal services, run vaultproof-init custom.

Production works locally but not after deploy

Compare local env values with hosting secrets. Production usually fails when an old raw key, missing base URL, or stale deployment is still active.

A vault-only placeholder reaches the app

Start the process with vaultproof-init run -- <command>. A value like vaultproof://DATABASE_URL is a placeholder, not the plaintext secret your database client can use.

CLI login or proxy checks fail

Run vaultproof-init doctor and check /status. If login is stale, sign in again at /app/login and rerun the command from the project folder.

Need more help? Send support the provider name, env variable names, hosting provider, approximate timestamp, request ID from Activity Logs, and redacted vaultproof-init doctor or --dry-run output. Do not send raw provider keys.

FAQ

Short answers.

Is the VaultProof token a raw provider key?

No. The VaultProof token routes traffic to the protected key stored in VaultProof. It does not reveal the original provider credential.

Do I need a VaultProof SDK?

No for the normal setup path. The init tool configures supported providers so existing SDKs can keep working through generated environment values.

Can I commit the generated env block?

VAULTPROOF_PROJECT_ID and generated provider proxy values are designed to be less sensitive than the raw provider key, but follow your team's policy for env files. Never commit original raw provider keys or plaintext vault-only secrets.

What if I use an internal API?

Run vaultproof-init custom. The CLI will ask for the upstream HTTPS URL and the header format used by that service.

When should I use vault-only secrets?

Use vaultproof-init secrets add for secrets that are not provider HTTP API keys, such as database URLs, JWT/session secrets, OAuth client secrets, and webhook signing secrets. Run the app through vaultproof-init run -- <command> when it needs those plaintext values.

What does NetOps mode protect?

vaultproof-init netops scans common Ansible and Terraform secret locations, rewrites values to runtime environment lookups, and lets you inject them with vaultproof-init netops run -- <command>.