Trust model
VaultProof reduces where complete provider keys can live.
The main security goal is simple: a leaked app repository, browser build, CI log, prompt transcript, or hosted environment should not expose the original provider credential.
App receives a VaultProof token
Your application uses VaultProof-managed values instead of storing the raw OpenAI, Anthropic, Stripe, or other provider key directly.
Provider route stays compatible
For supported providers, the init tool writes base URL values so normal SDK calls can route through VaultProof without a custom integration.
Operations stay observable
Activity, alerts, usage, and error views help teams see whether protected keys are being used as expected.
Secure setup
The hosted init handles the setup details.
Users should not need to manually wire provider SDK code for common providers. The installer fetches the hosted init bundle and provider catalog, verifies the manifest, then the init command handles detection and environment updates.
-
1
Install the hosted init
Run the installer from your app folder. The installer downloads the CLI bundle and a provider catalog fallback from
/downloadsand checks the manifest before installing. -
2
Run
vaultproof-initThe init scans common env files, detects supported provider keys, protects them, and writes VaultProof values back into the app environment.
-
3
Deploy the generated values
Copy the generated VaultProof token and base URL values to your hosting provider, then restart and test one provider call before wider rollout.
/providers.json is version 9 with 250 provider signatures, updated on 2026-05-21. The init downloads this catalog on each run and falls back to the installed copy if needed.
Key lifecycle
Know where key material exists during normal use.
VaultProof is designed around reducing persistent plaintext exposure. It still needs to authenticate to the provider when your application sends a real provider request.
| Stage | What happens | Security intent |
|---|---|---|
| Before setup | The raw provider key may exist in local env files, hosting settings, previous commits, or copied snippets. | Find the key and move it behind VaultProof. |
| After init | The app keeps VaultProof-managed values instead of the original provider credential. | Reduce exposure in source code, AI tools, hosting config, and logs. |
| During a request | VaultProof routes the request and authenticates to the upstream provider on behalf of your app. | Use provider credentials only for the request path that needs them. |
| After a request | VaultProof records request metadata such as provider, route, status, timestamp, and latency. | Support incident review without storing raw provider keys or request bodies. |
Controls
Security controls should be usable by operators.
The dashboard is designed to help teams understand key usage and take action when something looks wrong.
Activity review
Monitor request stream, busy endpoints, errors, latency, provider status, and usage trends from the dashboard.
Alerts and budgets
Use alerts and plan limits to catch unusual volume, failed calls, or traffic that needs investigation before it becomes spend or abuse.
Origin and environment discipline
Keep VaultProof values scoped to the app environments that need them and remove raw provider keys from old hosting settings.
Scanner follow-up
Use scanner findings to identify exposed keys, then rotate affected provider credentials and move the app through VaultProof.
Logging
Logs should help incident review without becoming another secret store.
VaultProof records operational metadata that helps you understand usage and failures. It should not become a place where raw provider secrets or request payloads are copied.
Recorded
- Provider and route metadata.
- Status code, timestamp, and latency.
- Usage counters and alert state.
- Scanner and dashboard actions.
Not for logs
- Raw provider API keys.
- Request and response bodies.
- Provider secrets copied into tickets.
- Unredacted customer credentials.
Limits
Clear limitations make the system safer to use.
No security product removes the need for good provider hygiene. VaultProof is strongest when paired with rotation, provider-side restrictions, team access controls, and deployment discipline.
Protects against
- Raw keys committed to source code.
- Keys copied into AI coding context.
- Plaintext keys sitting in hosted env settings.
- Limited incident visibility after a leak.
Does not replace
- Rotating provider keys after exposure.
- Securing developer laptops and CI systems.
- Provider-side allowlists and spend controls.
- Reviewing app code that sends sensitive payloads.
Infrastructure
Built on managed infrastructure with defense in depth.
VaultProof uses established infrastructure layers for edge routing, authentication, storage, and billing, with TLS in transit and encryption at rest from the underlying platforms.
| Layer | Purpose | Security responsibility |
|---|---|---|
| Website and installer | Hosts docs, installer, init bundle, manifest, and provider catalog. | Serve from HTTPS, use cache-aware deployment, and verify install artifacts through the manifest. |
| Runtime proxy | Routes app requests to supported providers. | Authenticate requests, apply controls, avoid logging secrets, and expose usage metadata. |
| Database and auth | Stores account, project, configuration, and activity data. | Restrict access, encrypt at rest, and separate tenant data by account/workspace boundaries. |
| Billing provider | Handles subscriptions and payment flow. | Keep card data out of VaultProof systems. |
Responsible disclosure
Report security issues directly.
If you find a vulnerability, disclosure mistake, exposed secret, install integrity issue, or dashboard access bug, contact us before public disclosure so we can protect customers quickly.
Send
- Steps to reproduce.
- Affected URL, route, or component.
- Potential impact and suggested severity.
- Redacted screenshots or logs when useful.
Do not send
- Raw provider API keys.
- Customer personal data.
- Unredacted access tokens.
- Payloads from unrelated third-party systems.