Vault Modes
Vault Modes
Choose between Platform Mode and Webhook Mode to control where your credentials are stored, how they are encrypted, and who can decrypt them.
When you set up Token Vault, you make one fundamental choice: how much control do you want over your credential storage and encryption? Token Vault offers two vault modes that sit at opposite ends of the trust spectrum.
Platform Mode is the simple path - Token Vault stores and encrypts everything for you. Webhook Mode gives you full data sovereignty by storing credentials on your own server with your own encryption key.
Loading diagram...
Comparison
| Feature | Platform | Webhook |
|---|---|---|
| Storage | Managed by Token Vault | Your server via webhook |
| Encryption | AES-256-GCM, Token Vault holds key | AES-256-GCM, your webhook owns key |
| Token Refresh | Server (automatic) | Server or your webhook |
| Setup Complexity | Zero config | Deploy a webhook server |
| Kill Switch | No | Yes - take webhook offline |
| Data Sovereignty | Data on Token Vault infrastructure | Data on your infrastructure |
| Zero-Knowledge | No - Token Vault can decrypt | Yes - Token Vault never sees credentials |
Which Should I Choose?
Choosing a vault mode
- Pick Platform Mode if you want to get started quickly, trust Token Vault to manage your credentials, and prefer zero maintenance.
- Pick Webhook Mode if you need full data sovereignty, compliance controls, or want a kill switch that instantly cuts off all access by taking your webhook offline.
You can switch modes later. Tokens are re-encrypted when you change modes.