managed vault

For the secrets that would end you if they leaked.

Not your 500 SaaS logins. The handful of secrets that would genuinely hurt if they leaked: API keys, database credentials, master passwords, recovery codes, legal documents, anything you can't simply reset. Locked on your device before it leaves the page. We only ever store the scrambled version. We never see the original.


Your vault, in the dashboard.

The vault is a single zero-knowledge store in your dashboard. Inventory and Add / fetch are tabs; the SDK, CLI, and MCP hit the same store programmatically.

// the doing surface

Vault client — in your browser

Type a secret, set one password, store it. Fetch it back the same way. Everything is locked on your device before it reaches the server, so we only ever hold the scrambled version. The same place you'd come to read an API key or recovery code back when you need it. Free with any account.

// the seeing surface

Vault inventory — in your dashboard

Lists every item you've stored, however you stored it: browser client, SDK, CLI, MCP server. Relabel, recategorise, delete, add, or fetch secrets from the dashboard tabs. The inventory works on metadata only; the server never decrypts your ciphertext.


Don't have an account yet? Get a free API key (10 seconds, no card).


How it works.

1. You type your secret

API key, password, credential, anything. It stays in your browser.

2. Encrypted locally

Your password is turned into a key on your device using Argon2id, a deliberately slow method built to resist guessing. That key locks the data with AES-256-GCM, the same standard used by banks and governments. All in your browser, nothing sent in the clear.

3. Only the locked version is stored

Just the scrambled blob reaches our server. We cannot read it. We cannot unlock it. By design, not by promise.
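
The three steps above, sketched as an added example (this is not deny.sh's own code). scrypt, another memory-hard KDF, stands in for Argon2id so the block needs only Node's built-in crypto module; the salt | nonce | ciphertext | tag blob layout, the KDF parameters and the function names are assumptions.

```javascript
// Added example: lock a secret on the client, upload only the resulting blob.
// Assumptions: scrypt stands in for Argon2id; blob = salt | nonce | ciphertext | tag.
const nodeCrypto = require("node:crypto");

const SALT_LEN = 16, NONCE_LEN = 12, TAG_LEN = 16;
const KDF = { N: 2 ** 15, r: 8, p: 1, maxmem: 64 * 1024 * 1024 };

// Stretch the password into a 256-bit key; the per-item salt defeats precomputation.
function deriveKey(password, salt) {
  return nodeCrypto.scryptSync(password.normalize("NFKC"), salt, 32, KDF);
}

// Runs on the client. The returned buffer is all a server would ever receive.
function lockSecret(plaintext, password) {
  const salt = nodeCrypto.randomBytes(SALT_LEN);
  const nonce = nodeCrypto.randomBytes(NONCE_LEN); // fresh nonce on every save
  const cipher = nodeCrypto.createCipheriv(
    "aes-256-gcm", deriveKey(password, salt), nonce, { authTagLength: TAG_LEN });
  const body = Buffer.concat([cipher.update(plaintext, "utf8"), cipher.final()]);
  return Buffer.concat([salt, nonce, body, cipher.getAuthTag()]);
}

// Runs on the client. A wrong password or a modified blob fails the GCM tag check.
function unlockSecret(blob, password) {
  if (blob.length < SALT_LEN + NONCE_LEN + TAG_LEN) throw new Error("blob too short");
  const salt = blob.subarray(0, SALT_LEN);
  const nonce = blob.subarray(SALT_LEN, SALT_LEN + NONCE_LEN);
  const body = blob.subarray(SALT_LEN + NONCE_LEN, blob.length - TAG_LEN);
  const decipher = nodeCrypto.createDecipheriv(
    "aes-256-gcm", deriveKey(password, salt), nonce, { authTagLength: TAG_LEN });
  decipher.setAuthTag(blob.subarray(blob.length - TAG_LEN));
  return Buffer.concat([decipher.update(body), decipher.final()]).toString("utf8");
}

// True only when decryption and authentication both succeed.
function opens(blob, password) {
  try { unlockSecret(blob, password); return true; } catch { return false; }
}

// Constructed sample values, not real credentials.
const sampleBlob = lockSecret("sk_test_constructed_example", "correct horse battery staple");
console.log("bytes sent to server:", sampleBlob.length);
console.log("opens with wrong password:", opens(sampleBlob, "guess"));
```

Because the salt and nonce are random per call, storing the same secret twice produces two unrelated blobs, so the stored data does not reveal repeated values.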


The bit people ask about.

One password, that's it?

Yes. This is your private vault. Only you open it, so one strong password is all that stands between you and your secret, and all we ever need. (The two-password setup with a decoy belongs to our encrypt tool, which is for handing someone a believable fake under pressure. A private vault has nobody to fool.)

What if I forget it?

There is no reset, no security question, no support route in. We never hold your password or your key, so we genuinely cannot recover it for you. That is the trade for us never being able to read your vault either.

Can deny.sh see what I store?

No. The locking happens on your device and only the scrambled version reaches us. Under a court order or a breach, there is nothing readable for anyone to hand over.


What you get.

Categories and search

Organise by type: API keys, passwords, recovery codes, notes. Search across everything instantly.

Edit in place

Update a secret without deleting and re-creating. Re-encrypts client-side on every save.

Export everything

One-click encrypted export of your entire vault. Your data is yours. Take it anywhere.

Auto-lock

Vault locks after 5 minutes of inactivity. Decrypted secrets are cleared from memory. Clipboard auto-clears after 30 seconds.

API access

Full REST API for every vault operation. Build your own tools, automate backups, integrate with CI/CD.

Audit trail

Every store, retrieve, update, and delete is logged with timestamp and IP. Available on paid plans.


Pricing.

Vault storage is included with every deny.sh plan.

Free

$0
  • 25 vault items
  • Client-side encryption
  • Categories and search
  • Export

Pro

$199/mo
  • 10,000 vault items
  • Everything in Dev
  • Priority support
  • Higher API limits

Need geographic redundancy, SLA, or compliance documentation? Talk to us.


Your backup is only as good as where you keep it.

Store it somewhere that can't read it.
