Vendor access without the chaos.

Stop sharing API keys in Slack. Stop wondering who can see what. Vendor Access Vault stores credentials with AES-256-GCM encryption, gates plaintext reveals behind just-in-time access requests with admin approval and auto-expiration, and writes an append-only audit log of every action with actor, IP, and user agent.

vendorvault.orygn.tech


How it works

Vault credentials, gate reveals behind approvals, log every action.

Vendor Access Vault replaces shared passwords and Slack DMs with a structured workflow. Credentials are encrypted at rest, plaintext is locked behind just-in-time access requests, and every reveal is recorded in an append-only audit log.

01

Add the vendor and vault the credential

Track every SaaS, contractor, and integration in a vendor directory with owner, criticality, compliance flags, data access, and renewal date. Credentials are encrypted with AES-256-GCM using a fresh IV per credential and the ciphertext never appears in list queries.

02

Viewer requests, admin approves the window

Viewers cannot see plaintext until they file a request with a justification and a duration. Admins approve, deny, or shorten the window. Approved access auto-expires when the window closes, and a daily cron also expires pending requests older than seven days.

03

Every reveal is logged, every rotation revokes

Reveals decrypt server-side and write a credential.viewed entry with actor, IP, and user agent. When a credential is rotated, all active access for it is revoked atomically in the same transaction and each requester is notified by email. Filter, search, and export the full audit log to CSV.

Features

Encrypted at rest, gated at access, logged at every step.

AES-256-GCM credential encryption

Each credential is encrypted with a fresh 12-byte IV and a 32-byte key loaded from the environment. The ciphertext, IV, and 16-byte authTag are stored in separate columns, and the encrypted columns are explicitly excluded from list queries, so the encrypted material never even leaves the database during normal browsing.

Just-in-time access requests

Viewers submit a request with justification and duration. Admins approve, deny, or shorten the window. Approved access expires automatically and a daily cron also expires pending requests older than seven days. Reveals only decrypt server-side and only when a non-expired approval exists.
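The two mechanisms above (per-credential AES-256-GCM with ciphertext, IV and authTag kept apart, and a reveal that decrypts server-side only behind a non-expired approval while writing an audit entry either way) as one added example using the Node crypto module. This is illustrative code, not Vendor Access Vault's own; the `CREDENTIAL_KEY` variable, the `reveal_denied` event name and the sample values are assumptions.

```typescript
import { createCipheriv, createDecipheriv, randomBytes } from "node:crypto";

// Assumption: the 32-byte key is supplied hex-encoded in an env var. A constructed
// all-zero key is used when it is absent so the example runs offline.
const KEY = Buffer.from(process.env.CREDENTIAL_KEY ?? "00".repeat(32), "hex");

// The three parts live in separate columns; hex-encoded here for storage.
export interface StoredCredential { ciphertext: string; iv: string; authTag: string }

export function vault(plaintext: string): StoredCredential {
  const iv = randomBytes(12);                                   // fresh 96-bit IV per credential
  const cipher = createCipheriv("aes-256-gcm", KEY, iv);
  const ct = Buffer.concat([cipher.update(plaintext, "utf8"), cipher.final()]);
  return {
    ciphertext: ct.toString("hex"),
    iv: iv.toString("hex"),
    authTag: cipher.getAuthTag().toString("hex"),               // 16-byte GCM tag
  };
}

export function unvault(c: StoredCredential): string {
  const decipher = createDecipheriv("aes-256-gcm", KEY, Buffer.from(c.iv, "hex"));
  decipher.setAuthTag(Buffer.from(c.authTag, "hex"));           // final() throws if any part was altered
  return Buffer.concat([decipher.update(Buffer.from(c.ciphertext, "hex")), decipher.final()]).toString("utf8");
}

export interface Approval { status: "pending" | "approved" | "denied"; expiresAt: Date }
export interface AuditEntry { action: string; actor: string; ip: string; userAgent: string; at: Date }
export const auditLog: AuditEntry[] = [];                       // append-only: the code only ever pushes

// Server-side reveal: plaintext is produced only when an approval exists and its window
// has not closed. Both outcomes are recorded with actor, IP and user agent.
export function reveal(
  c: StoredCredential, approval: Approval | undefined,
  actor: string, ip: string, userAgent: string, now: Date = new Date(),
): string | null {
  const allowed = approval?.status === "approved" && approval.expiresAt > now;
  auditLog.push({
    action: allowed ? "credential.viewed" : "credential.reveal_denied",  // second name is assumed
    actor, ip, userAgent, at: now,
  });
  return allowed ? unvault(c) : null;
}
```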

Append-only audit log with CSV export

Every action writes an immutable audit entry with actor, IP, user agent, and timestamp. Vendor edits, credential CRUD, requests, approvals, denials, reveals, denied reveals, rotations, member changes, and auth events all flow through the same log. Filter, search, and stream the result to CSV.

Vendor directory with risk metadata

Track every SaaS, contractor, and integration with owner, criticality, compliance status, data access classification, and renewal date. Filter by status, criticality, and tag. The dashboard surfaces what is due for review and what is overdue for rotation.

Rotation tracking with atomic revocation

Each credential has a rotation period. A daily cron finds credentials within 14 days of their due date and emails the owner plus admins. When a credential is marked rotated, all active access for it is revoked atomically in the same transaction and each requester gets an email. The Rotation Center adds mark-rotated, snooze, and disable actions in one place.

RBAC with multi-tenant org isolation

Three roles (owner, admin, viewer) with last-owner protection that prevents accidentally locking the org out of itself. Path-scoped multi-tenancy at /app/[orgSlug]/... with middleware enforcing auth and membership on every request. Every database query is filtered by orgId at the ORM layer.

TOTP 2FA, OAuth, and Turnstile

Auth.js v5 handles email and password plus Google OAuth. TOTP-based two-factor authentication is built in. Cloudflare Turnstile guards signup, login, password reset, and verification resends. Auth events (login, logout, 2FA enable, password reset) all write audit entries.

Cmd+K commander, notifications, comments

A Cmd+K palette navigates the app and runs common actions. An in-app notifications inbox with an unread badge surfaces approvals, denials, and rotation reminders. Vendor comment threads keep context next to the work. A help overlay opens with the ? key.

Built with

Strict TypeScript, Postgres-backed, encryption-first.

Vendor Access Vault runs on Next.js 16 with App Router and Server Actions, Neon Postgres with Drizzle ORM, and Auth.js v5 for authentication. AES-256-GCM credential encryption is implemented with the Node crypto module. Resend handles transactional email and Cloudflare Turnstile gates the auth flows. Tested with 101 Playwright E2E specs.

Next.js 16, TypeScript (strict), Neon Postgres, Drizzle ORM, Auth.js v5, AES-256-GCM, TOTP 2FA, Resend + React Email, Cloudflare Turnstile, Tailwind 4, Shadcn UI, Framer Motion, Playwright (101 E2E tests), Vercel Cron

FAQ

Common questions about Vendor Access Vault.

Yes. Sign up, create an organization, invite your team, and start vaulting vendor credentials with no paid account required.
Every credential is encrypted with AES-256-GCM using a fresh 12-byte IV per credential. The ciphertext, IV, and 16-byte authTag are stored in separate columns. Plaintext is never returned by list queries and only decrypts server-side during an authorized reveal.
Viewers cannot see credential plaintext until they submit a request with a justification and a duration. An admin or owner approves, denies, or shortens the requested window. Access auto-expires when the window closes, and a daily cron also expires pending requests older than seven days. Every reveal writes a credential.viewed audit entry with actor, IP, and user agent.
Each credential has a rotation period. A daily cron scans for credentials within 14 days of their rotation due date and emails the owner plus admins. When a credential is marked rotated, all active approved access for it is revoked atomically in the same transaction and each requester is notified by email.
Yes. TOTP-based 2FA is built in via Auth.js v5. Google OAuth is also supported alongside email and password. Cloudflare Turnstile guards signup, login, password reset, and verification resends.
Organizations are path-scoped at /app/[orgSlug]/... and middleware enforces auth and membership on every request. Every database query is filtered by orgId at the ORM layer with no cross-tenant leakage path. Roles are owner, admin, and viewer, with last-owner protection.
Yes. Vendor edits, credential CRUD, access requests, approvals, denials, reveals, denied reveals, rotations, member changes, and auth events all flow through the same append-only log with actor, IP, user agent, and timestamp. The full log is filterable, searchable, and exportable as CSV.
Yes. Vendor Access Vault is a production application covering vendor directory, encrypted credentials, just-in-time access, rotation tracking, audit log, and CSV export. If you need on-prem deployment, SSO, custom integrations, or organization-specific workflows, Orygn can build that as a custom engagement.

Built by Orygn

Vendor Access Vault is one of several tools Orygn has built to make access governance practical for growing teams.

Orygn builds custom software, internal tools, and security-focused systems for small businesses and growing teams. Vendor Access Vault is a production application built on encryption-first primitives, just-in-time access, and append-only audit, with the same engineering bar Orygn applies to client work.

Open Vendor Access Vault