Vault

Encrypt, store, and control access to sensitive data

WorkOS Vault is a developer-friendly EKM to encrypt and optionally store data including tokens, passwords, certificates, files, and any other customer content.

Powerful

Multiple layers of encryption protect data while keeping keys secure.

Simple

Encrypt content by using metadata to identify data keys.

Flexible

Store data directly in Vault or generate keys for use in applications.

Encryption Key Management (EKM) for enterprise-ready security

WorkOS Vault provides secure storage and strict access control for any type of secret data, with encryption of individual keys backed by an HSM.

Bring-Your-Own-Key (BYOK) for the ultimate data control

Modern enterprise customers demand encryption with managed key services. WorkOS Vault integrates directly with AWS KMS, GCP KMS, Azure Key Vault, and HashiCorp Vault.

Context-based key generation for cryptographic isolation

WorkOS Vault provides data segmentation by creating unique encryption keys tied to the user, organization, and other supplied metadata.

Powerful encryption. Simple integration.

The WorkOS API enables adding Enterprise Ready features to your application. This REST API provides programmatic access to version-controlled secrets and data encryption keys.


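import { WorkOS } from '@workos-inc/node';

// Example key only; load the real API key from the environment or a secrets manager.
const workos = new WorkOS('sk_example_123456789');

// Look up the organization whose ID will scope the secret.
const organization = await workos.organizations.getOrganization(
  'org_01EHZNVPK3SFK441A1RGBFSHRT',
);

// Store the secret; the context ties its encryption key to this organization.
const secret = await workos.vault.createSecret({
  name: 'external_api_key',
  value: 'supersecretapikey',
  context: { organizationId: organization.id },
});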

Secure by design

Data stays protected across its lifecycle - encrypted in transit, in use, and at rest.

Easy by default

WorkOS Vault comes with guardrails so you don't shoot yourself in the foot.

Your keys or ours

Use WorkOS Vault hosted keys, attach your own, or let your customers bring their KMS.

EKM without the headache

HSM, CMK, KEK, DEK... disregard the acronyms and use encryption with simple tools.

Zero trust. Full control. Enterprise-ready security.

Audit every interaction with secret values

  • Detailed log of all activity through observability telemetry.
  • Pipe audit events into log aggregators, SOARs or SIEMs to monitor secret use.

On-demand key rotation and revocation

  • Rotate keys on demand, on a schedule, or in any sequence using Vault's flexible key context.
  • Restrict access to data by revoking keys, which disables decryption.

Field-level encryption for content separation

  • Scope encryption keys using content metadata to create logical segregation.
  • Encrypt entire objects or individual fields based on data sensitivity.
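
The context-based key generation and field-level encryption described on this page, sketched as an added example (not WorkOS code and not how Vault is implemented). It assumes a local `ROOT_KEY` in place of an HSM- or KMS-held key and uses HKDF derivation in place of a key service issuing wrapped data keys; all function names are hypothetical.

```javascript
// Added illustration: context-scoped data keys with field-level AES-256-GCM.
// ROOT_KEY stands in for a key held in a KMS/HSM; all names are hypothetical.
const crypto = require('node:crypto');

const ROOT_KEY = crypto.randomBytes(32); // constructed for the demo

// Canonicalise the context so { a, b } and { b, a } map to the same key.
function canonicalContext(context) {
  return JSON.stringify(Object.keys(context).sort().map((k) => [k, String(context[k])]));
}

// Derive a distinct 256-bit data key per context with HKDF-SHA256.
function deriveDataKey(context, rootKey = ROOT_KEY) {
  const info = Buffer.from(canonicalContext(context), 'utf8');
  return Buffer.from(crypto.hkdfSync('sha256', rootKey, Buffer.alloc(0), info, 32));
}

// Encrypt one field. The context is also bound as AAD, so a ciphertext
// presented under a different context fails authentication.
function encryptField(plaintext, context) {
  const iv = crypto.randomBytes(12); // fresh 96-bit nonce per encryption
  const cipher = crypto.createCipheriv('aes-256-gcm', deriveDataKey(context), iv);
  cipher.setAAD(Buffer.from(canonicalContext(context), 'utf8'));
  const ct = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
  return [iv, cipher.getAuthTag(), ct].map((b) => b.toString('base64')).join('.');
}

// Decrypt one field; throws if the key, context or ciphertext does not match.
function decryptField(token, context) {
  const [iv, tag, ct] = token.split('.').map((p) => Buffer.from(p, 'base64'));
  const decipher = crypto.createDecipheriv('aes-256-gcm', deriveDataKey(context), iv);
  decipher.setAAD(Buffer.from(canonicalContext(context), 'utf8'));
  decipher.setAuthTag(tag);
  return Buffer.concat([decipher.update(ct), decipher.final()]).toString('utf8');
}

// Encrypt only the sensitive fields of a record, one key per (context, field).
function encryptRecord(record, sensitiveFields, context) {
  const out = { ...record };
  for (const field of sensitiveFields) {
    out[field] = encryptField(String(record[field]), { ...context, field });
  }
  return out;
}
```

Decrypting with a different context derives a different key and fails the GCM tag check, which is the isolation property the context provides.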
