---
title: What is ScaiVault
path: introduction/what-is-scaivault
status: published
---

# What is ScaiVault

ScaiVault is a secrets and certificate management platform. It stores, versions, rotates, and distributes credentials — API keys, database passwords, TLS certificates, OAuth tokens — for every service across your tenancy. One API, one access model, one audit trail.

You integrate once. Your application asks ScaiVault for a secret by path and gets back the current value. The secret rotates, the policy changes, the certificate renews — your application keeps working without redeploying.

## What it gives you

**One place for every secret.** Static KV pairs, JSON blobs, API keys, SSH keys, X.509 certificates, database passwords. All live at addressable paths under a single API. Your application does `GET /v1/secrets/environments/production/salesforce/api-key` and gets back the current value.

**Versioning, not replacement.** Writing a new value creates a new version. The old version stays readable for a configurable grace period so mid-rotation workloads don't break. Version history is queryable for forensics.

**Policies over paths.** Access is controlled by policies that match glob patterns (`environments/production/**`) and bind to identities (users, groups, service accounts from ScaiKey). Add a rule once and every matching secret inherits it.

**Rotation as a first-class feature.** Define a rotation policy (`interval: 90d`, `grace_period: 48h`), attach it to secrets. ScaiVault rotates them on schedule, notifies webhooks before and after, keeps the old version accessible during grace, and writes an audit entry for every step.
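
The sketch below is an added example, not ScaiVault code: it models the versioning and grace-period behaviour described above so you can see when a workload holding an old version must re-fetch. The `90d` / `48h` values come from the policy example; the function names, the start date, and the exclusive end of the grace window are assumptions.

```python
from datetime import datetime, timedelta, timezone
import re

UNITS = {"s": "seconds", "m": "minutes", "h": "hours", "d": "days"}

def parse_duration(text):
    """Parse the '90d' / '48h' style used in the policy example above."""
    match = re.fullmatch(r"(\d+)([smhd])", text)
    if not match:
        raise ValueError(f"unsupported duration: {text!r}")
    return timedelta(**{UNITS[match.group(2)]: int(match.group(1))})

def build_versions(first_write, interval, count):
    """Constructed history: version n is written (n-1) intervals after the first."""
    return [(n + 1, first_write + n * interval) for n in range(count)]

def readable_versions(versions, now, grace):
    """Versions a reader may still fetch at `now`.

    Assumption: a version is superseded when the next one is written and
    stays readable until superseded_at + grace (exclusive).
    """
    written = [(v, t) for v, t in versions if t <= now]
    readable = []
    for i, (version, _) in enumerate(written):
        is_current = i == len(written) - 1
        if is_current or now < written[i + 1][1] + grace:
            readable.append(version)
    return readable

def refresh_deadline(held_version, versions, grace):
    """When a holder of `held_version` must have re-fetched; None if it is never superseded."""
    for (version, _), (_, next_written) in zip(versions, versions[1:]):
        if version == held_version:
            return next_written + grace
    return None

INTERVAL = parse_duration("90d")
GRACE = parse_duration("48h")
T0 = datetime(2024, 1, 1, tzinfo=timezone.utc)  # constructed start date
HISTORY = build_versions(T0, INTERVAL, 3)       # constructed: three scheduled versions

if __name__ == "__main__":
    rotation = HISTORY[1][1]
    for offset in ("47h", "49h"):
        now = rotation + parse_duration(offset)
        print(offset, "after rotation:", readable_versions(HISTORY, now, GRACE))
    print("v1 holders must refresh by", refresh_deadline(1, HISTORY, GRACE))
```

A workload that caches a secret should refresh well inside the grace window rather than at its edge, since a read after the deadline fails under this model.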

**Certificates without a separate PKI.** ScaiVault ships an internal CA plus ACME (Let's Encrypt, ZeroSSL, BuyPass, Google) plus CSR-based external CA integration. Same API, same policies, same audit trail as the rest of your secrets. See [PKI](../core-concepts/pki).

**Dynamic credentials.** Short-lived, purpose-generated database users, AWS IAM credentials, SSH keys. Your app asks for credentials, gets a lease, uses them, lets the lease expire. ScaiVault tears them down — no long-lived DB roots floating around.

**Multi-tenant by default.** Every secret is tagged with a tenant. Partners (think resellers or platform operators) can act across their tenants via an explicit `/t/{tenant_id}/` prefix. ScaiKey provides the identity model; ScaiVault just enforces it.

**Drop-in federation with HashiCorp Vault, AWS Secrets Manager, Azure Key Vault, and GCP Secret Manager.** Point ScaiVault at an existing store and consume it through the ScaiVault API. Migrate one namespace at a time. See [Federation](../advanced/federation).

## What it's not

- **Not a KMS.** ScaiVault encrypts at rest and uses a KMS/HSM to protect the root key, but it isn't itself a signing or crypto service. If you need a FIPS 140-2 Level 3 HSM, deploy one and ScaiVault will use it to protect the root key.
- **Not an SSO provider.** Authentication is delegated to [ScaiKey](https://scaikey.scailabs.ai). ScaiVault consumes ScaiKey-issued JWTs.
- **Not a password manager for humans.** The UI has a secrets browser for operators, but the primary interface is the API. People who need to share passwords interactively want a different tool.

## Who it's for

- **Platforms** serving multiple customer tenants that need per-tenant secret isolation plus a consistent operator experience.
- **Application teams** integrating with dozens of third-party services and tired of secrets scattered across environment variables, CI secrets, and `.env` files.
- **Security teams** who need a single audit trail for every credential read, written, or rotated across the stack.
- **Operators** of self-hosted databases, internal CAs, or cloud IAM that want to issue short-lived credentials on demand instead of handing out long-lived keys.

## What's next

- [Philosophy](./philosophy) — the design principles behind the API.
- [Architecture](./architecture) — how ScaiVault fits with ScaiKey, ScaiGrid, and the rest of the stack.
- [Quickstart](../getting-started/quickstart) — read and write your first secret in five minutes.
