Frequently Asked Questions

What makes Vault different from 1Password or Bitwarden?

1Password and Bitwarden are password managers designed for humans. They work through browser extensions and desktop apps where a person manually copies a password. Vault is designed for both humans and AI agents. Credentials are accessed programmatically through a TypeScript SDK or MCP server, every access is attributed to a specific identity (human or agent), and credentials are leased with time limits rather than checked out permanently. If your workflow involves AI coding tools that need API keys and database credentials at runtime, Vault provides a structured protocol for that. 1Password and Bitwarden do not.

How does Vault compare to HashiCorp Vault?

HashiCorp Vault is a mature, general-purpose secrets management tool designed for infrastructure teams managing large-scale deployments. It supports dynamic secrets, secret engines for dozens of backends, and complex policy languages. GhostStack Vault is narrower in scope and more opinionated. It focuses on six credential types, agent attribution, MCP-based access for AI coding tools, and a simpler setup process. If you need dynamic database credentials generated on the fly or complex policy trees across hundreds of services, HashiCorp Vault is the better fit. If you need a credential manager that your AI agents can use natively through MCP with full audit attribution, GhostStack Vault is purpose-built for that.

How does Vault compare to Doppler?

Doppler is a secrets manager focused on environment variable synchronization across deployment environments. It syncs secrets to your CI/CD pipeline, cloud provider, and local development environment. Vault takes a different approach: instead of syncing secrets everywhere, Vault keeps credentials centralized and distributes them through short-lived leases. This means credentials are never written to .env files or deployment configurations. They are requested at runtime, used for the duration of the lease, and automatically expire. Doppler is a good fit for teams that want their secrets available as environment variables everywhere. Vault is a better fit for teams that want to minimize where credentials exist and track exactly who accessed them.

Is Vault a password manager?

Not in the traditional sense. Vault does not store website login passwords, credit card numbers, or personal identity documents. It stores development and infrastructure credentials: API keys, OAuth tokens, SSH keys, TLS certificates, database connection strings, and other secrets that developers and AI agents use to build and operate software.

Can I use Vault with Claude Code?

Yes. Vault’s MCP server integrates directly with Claude Code. Once configured, Claude Code can request credentials naturally during a coding session. The MCP server creates a time-limited lease, attributes the access to the Claude Code agent, and returns the credential value. The entire interaction is logged. See the MCP with Claude Code guide for setup instructions.

Can I use Vault with Cursor?

Yes. The Vault MCP server works with any AI coding tool that supports the Model Context Protocol. Cursor supports MCP servers, so you can configure Vault the same way you would for Claude Code. See the MCP Server Reference for Cursor-specific configuration.

What happens when a lease expires?

When a lease reaches its TTL, it transitions to the expired state. The credential value is no longer accessible through that lease. The agent or developer must create a new lease to access the credential again, and that new lease is logged as a separate audit event. No data is deleted during lease expiry. The credential remains in Vault; only the lease’s access window closes.

Can I renew a lease?

Yes, active leases can be renewed before they expire. Renewal extends the lease from the current time up to the credential’s maximum TTL. If a lease has already expired, it cannot be renewed; you must create a new one. See Leasing and TTLs for details.

What encryption does Vault use?

Vault uses AES-256-GCM to encrypt credential values. Each credential has its own data encryption key (DEK). DEKs are wrapped with tenant-scoped key encryption keys (KEKs) derived via HKDF-SHA-256 from a root key stored in an HSM or cloud KMS. See Encryption Envelope for the full cryptographic architecture.

Can I import credentials from my current password manager?

Vault supports importing from 1Password and Bitwarden. The CLI importer reads export files, automatically detects credential types, and creates credentials in your Vault tenant. See Importing from 1Password and Importing from Bitwarden for step-by-step instructions.

What credential types does Vault support?

Six types: API keys, OAuth tokens, SSH keys, TLS certificates, database URLs, and generic secrets. Each type has specific validation rules and metadata extraction. See Credential Types for details on each type.

Is there a free plan?

Yes. The Free plan includes a limited number of credentials and 30-day audit log retention. See the pricing page for plan details and limits.

How do I rotate a credential?

Call vault.credentials.rotate() with the credential name and new value. The old value transitions to the rotated state. Active leases continue using the old value until they expire, and new leases receive the updated value. This provides zero-downtime rotation. See Credential Model for lifecycle details.

What happens if Vault goes down?

If the Vault API is unreachable, new lease requests will fail. However, credential values that have already been retrieved through active leases remain usable until the lease expires. Vault does not phone home to validate active leases; the expiry is enforced at the client level. This means temporary Vault outages do not break active agent workflows.
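The lease rules stated in the expiry, renewal, rotation and outage answers above, modelled as an added JavaScript example. This is not the GhostStack SDK: the Credential class, its method names and the audit event names are assumptions, and the clock is passed in explicitly so the behaviour can be checked without waiting for real TTLs.

```javascript
// Added model of lease TTLs, renewal capped by the credential's max TTL,
// zero-downtime rotation, and client-side expiry. Not the GhostStack SDK.
class Credential {
  constructor(name, value, maxTtlMs) {
    this.name = name;
    this.maxTtlMs = maxTtlMs;
    this.versions = [{ value, state: "active" }]; // newest version is last
    this.leases = [];
    this.audit = []; // every access is attributed to an identity
  }

  currentValue() {
    return this.versions[this.versions.length - 1].value;
  }

  // A lease pins the value that was current when it was issued.
  createLease(identity, ttlMs, now) {
    const ttl = Math.min(ttlMs, this.maxTtlMs);
    const lease = { id: this.leases.length + 1, identity, value: this.currentValue(),
                    issuedAt: now, expiresAt: now + ttl };
    this.leases.push(lease);
    this.audit.push({ event: "lease.create", identity, leaseId: lease.id, at: now });
    return lease;
  }

  // Expiry is decided from the lease itself: no call back to the API is needed,
  // which is why an API outage does not break leases that are already active.
  read(lease, now) {
    if (now >= lease.expiresAt) return { state: "expired", value: null };
    return { state: "active", value: lease.value };
  }

  // Renewal extends from now, never beyond the credential's max TTL;
  // an expired lease cannot be renewed and a new one must be created.
  renew(lease, ttlMs, now) {
    if (now >= lease.expiresAt) throw new Error("lease expired; create a new lease");
    lease.expiresAt = now + Math.min(ttlMs, this.maxTtlMs);
    this.audit.push({ event: "lease.renew", identity: lease.identity, leaseId: lease.id, at: now });
    return lease;
  }

  // Rotation marks the old version rotated; existing leases keep their pinned
  // value until they expire, and leases created afterwards get the new value.
  rotate(newValue, now) {
    this.versions[this.versions.length - 1].state = "rotated";
    this.versions.push({ value: newValue, state: "active" });
    this.audit.push({ event: "credential.rotate", at: now });
  }
}
```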

Where is my data stored?

By default, tenant data is stored in GhostStack’s cloud infrastructure. Enterprise plan customers can choose a specific geographic region for data residency or deploy Vault in their own infrastructure. See Compliance for data residency options.

How do I report a security vulnerability?

Send an email to security@ghoststack.dev. We follow responsible disclosure practices and will acknowledge your report within 48 hours. See Security for details.