Token Vault
Vault Modes

Vault Modes

Token Vault is webhook-sovereign. Credentials live on your self-hosted webhook server. Token Vault acts as the policy and identity plane only.

Token Vault is a webhook-sovereign architecture. Your credentials are stored on your own infrastructure — a webhook server you deploy and control. Token Vault holds no credentials, no encryption keys, and cannot decrypt what your webhook stores.

Loading diagram...

How It Works

Token Vault operates as two planes with strictly separated responsibilities:

PlaneWhereHoldsTouches credentials?
Control planeToken Vault (Cloud Run, api.tokenvault.uk)identities, grants, policies, audit metadata, webhook URL + HMAC secretNo
Data planeYour webhook (Cloudflare Workers / Cloud Run / Lambda / Deno)credentials, encryption key, OAuth refreshYes — this is the custodian

When an agent requests a credential:

  1. The agent sends GET /api/agents/credentials?service=github to Token Vault with its tvagent_… API key.
  2. Token Vault validates the key, checks grants, and evaluates ABAC policies.
  3. Token Vault signs an HMAC-SHA256 ticket and returns a 307 redirect to your webhook's /v1/credential endpoint.
  4. The agent follows the redirect and receives the credential directly from your webhook.
  5. Token Vault never sees the credential.

The Kill Switch

Taking your webhook offline instantly locks the vault:

  • All agent credential requests fail (webhook unreachable).
  • All MCP proxy requests return 503.
  • OAuth refresh stops.
  • Bring the webhook back online and everything resumes.

This is the emergency revocation mechanism — no action needed from Token Vault.

On this page