Vault Modes
Vault Modes
Token Vault is webhook-sovereign. Credentials live on your self-hosted webhook server. Token Vault acts as the policy and identity plane only.
Token Vault is a webhook-sovereign architecture. Your credentials are stored on your own infrastructure — a webhook server you deploy and control. Token Vault holds no credentials, no encryption keys, and cannot decrypt what your webhook stores.
Loading diagram...
How It Works
Token Vault operates as two planes with strictly separated responsibilities:
| Plane | Where | Holds | Touches credentials? |
|---|---|---|---|
| Control plane | Token Vault (Cloud Run, api.tokenvault.uk) | identities, grants, policies, audit metadata, webhook URL + HMAC secret | No |
| Data plane | Your webhook (Cloudflare Workers / Cloud Run / Lambda / Deno) | credentials, encryption key, OAuth refresh | Yes — this is the custodian |
When an agent requests a credential:
- The agent sends
GET /api/agents/credentials?service=githubto Token Vault with itstvagent_…API key. - Token Vault validates the key, checks grants, and evaluates ABAC policies.
- Token Vault signs an HMAC-SHA256 ticket and returns a 307 redirect to your webhook's
/v1/credentialendpoint. - The agent follows the redirect and receives the credential directly from your webhook.
- Token Vault never sees the credential.
The Kill Switch
Taking your webhook offline instantly locks the vault:
- All agent credential requests fail (webhook unreachable).
- All MCP proxy requests return 503.
- OAuth refresh stops.
- Bring the webhook back online and everything resumes.
This is the emergency revocation mechanism — no action needed from Token Vault.