ShrubberyDocs
Sign in

Vault

Definition

The server-side encrypted store that holds each user's BYOK API keys. Keys are encrypted at rest using AES-GCM; the encryption envelope key never leaves the server.

Avoid: keystore, secrets manager, key chain.

Role

The Vault is the technical mechanism behind BYOK. When a user sets a provider key in /settings, the raw key is encrypted via AES-GCM with a server-only envelope key and written to the byok_keys table. The encrypted blob is never transmitted to the client — only the token_prefix (the first characters of the original key) is shown to the user after storage.

At call time, resolveProviderAndKey() reads the encrypted blob from the Vault, decrypts it server-side, and injects it into the AI SDK call. The decrypted value never touches the client or the response payload.

Lifecycle

Not a stateful concept. The Vault is an infrastructure surface, not an entity with transitions.

  • WritesetByokKey encrypts and stores the key.
  • ReadresolveProviderAndKey() decrypts and injects the key at call time.
  • DeleteclearByokKey removes the encrypted record.

Last updated: 22 June 2026