Credential Types
Typed credentials
Vault does not treat secrets as opaque strings. Every credential stored in Vault has a type, and that type determines how the credential is validated, displayed, rotated, and audited. This approach catches configuration errors early (a malformed database URL is rejected at storage time, not at runtime) and provides richer audit log entries.
Supported types
Vault supports six credential types:
API Keys — String tokens used to authenticate with external APIs. The most common credential type. Vault stores the key value and optional metadata like the service name, environment, and key prefix.
OAuth Tokens — OAuth 2.0 access tokens with optional refresh tokens and expiration metadata. Vault tracks token expiry independently of lease TTLs, so you know when the underlying token needs to be refreshed versus when the lease expires.
SSH Keys — SSH private keys with optional passphrases. Vault validates the key format (RSA, Ed25519, ECDSA) on storage and can store the corresponding public key as metadata.
TLS Certificates — Certificate and private key pairs for TLS. Vault parses the certificate to extract the subject, issuer, and expiration date, making it easy to track certificate lifecycles.
Database URLs — Connection strings for databases. Vault validates the URL format and extracts the host, port, database name, and driver type as structured metadata.
Generic Secrets — Any secret that does not fit the other five types. Use this for custom tokens, license keys, encryption keys, or any other sensitive string.
Choosing a type
If a credential fits one of the five specific types, use that type rather than generic-secret. Typed credentials give you:
- Validation — Vault checks the credential format when you store it. A database URL with an invalid scheme is rejected immediately.
- Structured metadata — Vault extracts meaningful fields from the credential automatically. An SSH key’s algorithm and fingerprint are available without parsing the key yourself.
- Type-aware rotation — Rotation strategies can be tailored to the credential type. OAuth tokens with refresh tokens can be rotated automatically when the access token expires.
- Better audit context — Audit log entries include type-specific details, making it easier to filter and search.
Creating a typed credential
```typescript
import { Vault } from '@ghoststack/vault-sdk';

const vault = await Vault.connect({
  tenant: 'my-org',
  token: process.env.VAULT_TOKEN,
});

// The type determines validation behavior
await vault.credentials.create({
  name: 'prod-postgres',
  type: 'database-url',
  value: 'postgresql://user:pass@db.example.com:5432/myapp',
  metadata: {
    environment: 'production',
    team: 'backend',
  },
});
```
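The validation and metadata extraction described above for the database-url type can be mirrored locally, so a malformed connection string is caught before it reaches Vault. This is an added example, not code from the SDK; the scheme-to-driver table and default ports are assumptions, and the metadata deliberately leaves out the user and password so nothing secret ends up in audit log fields.

```javascript
// Added example: a local pre-check for 'database-url' credentials. It is not
// part of @ghoststack/vault-sdk; the driver table below is an assumption.
const DRIVERS = {
  'postgresql:': 'postgres',
  'postgres:': 'postgres',
  'mysql:': 'mysql',
  'mongodb:': 'mongodb',
};

// Well-known default ports, used when the URL omits one.
const DEFAULT_PORTS = { postgres: 5432, mysql: 3306, mongodb: 27017 };

// Returns { ok: true, metadata } or { ok: false, error }.
// Only host, port, database and driver are extracted; username and password
// are intentionally not copied into metadata, since metadata is not secret.
function parseDatabaseUrl(value) {
  let url;
  try {
    url = new URL(value); // WHATWG parser handles non-special schemes with '//'
  } catch {
    return { ok: false, error: 'not a valid URL' };
  }
  const driver = DRIVERS[url.protocol];
  if (!driver) {
    return { ok: false, error: `unsupported scheme '${url.protocol.slice(0, -1)}'` };
  }
  if (!url.hostname) {
    return { ok: false, error: 'missing host' };
  }
  const database = decodeURIComponent(url.pathname.replace(/^\//, ''));
  if (!database) {
    return { ok: false, error: 'missing database name' };
  }
  const port = url.port ? Number(url.port) : DEFAULT_PORTS[driver];
  return { ok: true, metadata: { driver, host: url.hostname, port, database } };
}

// Sample value (constructed, same shape as the page's example).
const check = parseDatabaseUrl('postgresql://user:pass@db.example.com:5432/myapp');
if (!check.ok) {
  throw new Error(`refusing to store credential: ${check.error}`);
}
console.log(check.metadata); // { driver: 'postgres', host: 'db.example.com', port: 5432, database: 'myapp' }
```

Run the check before `vault.credentials.create` and you get the same early rejection Vault performs, plus the structured fields you can compare against what Vault reports back.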
Type-specific pages
Each credential type has its own documentation page with storage examples, validation rules, metadata fields, and rotation guidance. Use the links above or the sidebar to browse them.