Secrets

Secrets are the core resource in FyVault. A secret represents a credential that your application needs.

Secret Types

API Key

For HTTP-based APIs such as OpenAI, Stripe, and Twilio. FyVault intercepts outbound HTTP requests and injects the key into the specified header.

Injection config:

| Field | Description | Example |
|---|---|---|
| target_host | API hostname | api.openai.com |
| target_port | API port (usually 443) | 443 |
| header_name | HTTP header name | Authorization |
| header_template | Header value format | Bearer {{value}} |
| proxy_port | Local proxy port | 19001 |

Your .env change:

```env
# Before
OPENAI_API_KEY=sk-proj-real-key

# After
OPENAI_API_KEY=FYVAULT::openai_api_key
```

Database Credential

For PostgreSQL, MySQL, etc. FyVault runs a transparent protocol-aware proxy with native database protocol support.

Injection config:

| Field | Description | Example |
|---|---|---|
| db_type | Database engine | postgresql |
| target_host | Real DB hostname | mydb.rds.amazonaws.com |
| target_port | Real DB port | 5432 |
| proxy_port | Local proxy port | 5433 |
| username | DB username | myapp |
| database | Database name | production |

Your .env change:

```env
# Before
DATABASE_URL=postgres://myapp:secretpassword@mydb.rds.amazonaws.com:5432/production

# After
DATABASE_URL=postgres://myapp@localhost:5433/production
```
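
A check to run after migrating, added here as an example (it is not FyVault's own code): it scans a .env file and reports entries that still hold a literal credential instead of a FYVAULT:: reference or a password-free proxy URL. The sensitive-name pattern and the characters allowed in a reference name are assumptions, and the sample files are constructed from the snippets above.

```python
import re
from urllib.parse import urlsplit

# Reference form shown on the page; the allowed name characters are an assumption.
REF = re.compile(r"^FYVAULT::[A-Za-z0-9_]+$")
# Assumed heuristic for variable names that normally hold credentials.
SENSITIVE = re.compile(r"KEY|SECRET|TOKEN|PASSWORD|PASSWD", re.I)

def audit_env(text):
    """Return (line_no, name, problem) per risky entry; values are never echoed."""
    findings = []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        name, value = line.split("=", 1)
        name = name.strip()
        if name.startswith("export "):
            name = name[len("export "):].strip()
        value = value.strip().strip("'\"")
        if REF.match(value):
            continue  # already a vault reference
        if "://" in value:
            # Connection strings: the proxy form carries no password.
            if urlsplit(value).password:
                findings.append((no, name, "URL embeds a password"))
            continue
        if value and SENSITIVE.search(name):
            findings.append((no, name, "literal value, expected FYVAULT:: reference"))
    return findings

# Constructed sample files mirroring the page's before/after snippets.
SAMPLE_BEFORE = """\
# before migration
OPENAI_API_KEY=sk-proj-real-key
DATABASE_URL=postgres://myapp:secretpassword@mydb.rds.amazonaws.com:5432/production
LOG_LEVEL=debug
"""
SAMPLE_AFTER = """\
OPENAI_API_KEY=FYVAULT::openai_api_key
DATABASE_URL=postgres://myapp@localhost:5433/production
LOG_LEVEL=debug
"""

if __name__ == "__main__":
    for no, name, problem in audit_env(SAMPLE_BEFORE):
        print(f"line {no}: {name}: {problem}")
    print("after:", audit_env(SAMPLE_AFTER) or "clean")
```

Wired into a pre-commit hook or CI step, a non-empty result can fail the build before a literal credential reaches the repository.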

AWS Credential

For AWS SDKs. Uses the standard credential_process mechanism.

Your ~/.aws/config change:

```ini
[profile default]
credential_process = fyvault-shim aws
```

Generic

For any other secret that you want securely stored and available on your device. No automatic injection — your application reads it via the FyVault CLI or SDK.

Secret Versioning

Every update creates a new version. Previous versions are retained for audit purposes. You can view the version history and roll back to any previous version from the secret detail page.

Encryption Modes

Zero-Knowledge (Client)

Secrets are encrypted in your browser, so the cloud never sees plaintext. Decryption requires your vault passphrase. This is the recommended mode.

Server

Encrypted with AWS KMS envelope encryption. Legacy mode — use zero-knowledge for new secrets.