What is ScaiVault
ScaiVault is a secrets and certificate management platform. It stores, versions, rotates, and distributes credentials — API keys, database passwords, TLS certificates, OAuth tokens — for every service across your tenancy. One API, one access model, one audit trail.
You integrate once. Your application asks ScaiVault for a secret by path and gets back the current value. The secret rotates, the policy changes, the certificate renews — your application keeps working without redeploying.
What it gives you
One place for every secret. Static KV pairs, JSON blobs, API keys, SSH keys, X.509 certificates, database passwords. All live at addressable paths under a single API. Your application does GET /v1/secrets/environments/production/salesforce/api-key and gets back the current value.
Versioning, not replacement. Writing a new value creates a new version. The old version stays readable for a configurable grace period so mid-rotation workloads don't break. Version history is queryable for forensics.
Policies over paths. Access is controlled by policies that match glob patterns (environments/production/**) and bind to identities (users, groups, service accounts from ScaiKey). Add a rule once, every matching secret inherits it.
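As an added illustration of the path-based policy model described above (a constructed example, not ScaiVault's own code), the following shows one way such evaluation can work: `**` spans path segments, `*` stays within one segment, an explicit `/t/{tenant_id}/` prefix selects the tenant, and any request no policy matches is denied. The `Policy` fields, the identity naming and the tenant-scoping rules are assumptions for the example.

```python
import re
from dataclasses import dataclass

@dataclass(frozen=True)
class Policy:
    """Assumed policy shape: a glob over secret paths, bound to identities."""
    pattern: str                 # e.g. "environments/production/**"
    identities: frozenset        # users, groups, service accounts
    capabilities: frozenset      # e.g. {"read", "write", "rotate"}

def glob_to_regex(pattern: str) -> re.Pattern:
    """Compile a path glob: ** crosses '/' boundaries, * stays in one segment."""
    out, i = [], 0
    while i < len(pattern):
        if pattern.startswith("**", i):
            out.append(".*"); i += 2
        elif pattern[i] == "*":
            out.append("[^/]*"); i += 1
        else:
            out.append(re.escape(pattern[i])); i += 1
    return re.compile("^" + "".join(out) + "$")

def split_tenant(path: str, home_tenant: str):
    """An explicit /t/{tenant_id}/ prefix selects that tenant, else the caller's own."""
    m = re.match(r"^/t/([^/]+)/(.*)$", path)
    return (m.group(1), m.group(2)) if m else (home_tenant, path.lstrip("/"))

def is_allowed(policies, caller_ids, caller_tenants, home_tenant, path, capability):
    """Default deny: allow only if a policy for the resolved tenant matches
    the relative path, binds one of the caller's identities, and grants the capability."""
    tenant, rel = split_tenant(path, home_tenant)
    if tenant not in caller_tenants:      # a partner may act only in tenants it operates
        return False
    for p in policies.get(tenant, ()):
        if (caller_ids & p.identities and capability in p.capabilities
                and glob_to_regex(p.pattern).match(rel)):
            return True
    return False

# Constructed sample policies for a tenant "acme" (illustrative values only).
POLICIES = {
    "acme": [
        Policy("environments/production/**", frozenset({"svc:billing"}), frozenset({"read"})),
        Policy("environments/*/salesforce/*", frozenset({"grp:integrations"}),
               frozenset({"read", "write"})),
    ],
}

if __name__ == "__main__":
    print(is_allowed(POLICIES, {"svc:billing"}, {"acme"}, "acme",
                     "environments/production/salesforce/api-key", "read"))
```

Because `*` does not cross a segment, the second policy covers `environments/staging/salesforce/api-key` but not a deeper path under `salesforce/`, which is the distinction to check when writing glob rules.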
Rotation as a first-class feature. Define a rotation policy (interval: 90d, grace_period: 48h), attach it to secrets. ScaiVault rotates them on schedule, notifies webhooks before and after, keeps the old version accessible during grace, and writes an audit entry for every step.
Certificates without a separate PKI. ScaiVault ships an internal CA plus ACME (Let's Encrypt, ZeroSSL, BuyPass, Google) plus CSR-based external CA integration. Same API, same policies, same audit trail as the rest of your secrets. See PKI.
Dynamic credentials. Short-lived, purpose-generated database users, AWS IAM credentials, SSH keys. Your app asks for credentials, gets a lease, uses them, lets the lease expire. ScaiVault tears them down — no long-lived DB roots floating around.
Multi-tenant by default. Every secret is tagged with a tenant. Partners (think resellers or platform operators) can act across their tenants via an explicit /t/{tenant_id}/ prefix. ScaiKey provides the identity model; ScaiVault just enforces it.
Drop-in federation with HashiCorp Vault, AWS Secrets Manager, Azure Key Vault, GCP Secret Manager. Point ScaiVault at an existing store and consume through the ScaiVault API. Migrate one namespace at a time. See Federation.
What it's not
- Not a KMS. ScaiVault encrypts at rest and uses a KMS/HSM to protect the root key, but it isn't itself a signing or crypto service. If you need a FIPS 140-2 Level 3 HSM, use one — ScaiVault will use it.
- Not an SSO provider. Authentication is delegated to ScaiKey. ScaiVault consumes ScaiKey-issued JWTs.
- Not a password manager for humans. The UI has a secrets browser for operators, but the primary interface is the API. People who need to share passwords interactively want a different tool.
Who it's for
- Platforms serving multiple customer tenants that need per-tenant secret isolation plus a consistent operator experience.
- Application teams integrating with dozens of third-party services and tired of secrets scattered across environment variables, CI secrets, and .env files.
- Security teams who need a single audit trail for every credential read, written, or rotated across the stack.
- Operators of self-hosted databases, internal CAs, or cloud IAM that want to issue short-lived credentials on demand instead of handing out long-lived keys.
What's next
- Philosophy — the design principles behind the API.
- Architecture — how ScaiVault fits with ScaiKey, ScaiGrid, and the rest of the stack.
- Quickstart — read and write your first secret in five minutes.