In week one. Not year one.
01
'Who has access to what' becomes a question answered in seconds, not a spreadsheet audit.
02
Weak, reused, and breached credentials show up on the health score before an attacker finds them.
03
Secrets leave .env files and repos, and the server never sees plaintext — even if compromised.
And the 1Password renewal stops being a line item — the replacement is an asset you own. Run your numbers →

What sets it apart
Zero-knowledge: AES-256-GCM with Argon2id — the platform never sees plaintext, ever
Vault Health dashboard: continuous scoring of weak, reused, aging, and breached credentials
Scoped sharing with time-limited grants and one-click revocation
Break-glass emergency access via trusted contacts — no master override key
Key Capabilities
Zero-knowledge Encryption
AES-256-GCM with Argon2id key derivation. Encrypted on device — the platform cannot access your secrets even if compromised.
Vault Health
Continuous security posture: weak, reused, aging, and breached credential detection with actionable remediation.
Scoped Sharing
Item or collection sharing with view/use/edit permissions, time-limited grants, and one-click revocation.
Emergency Access
Cryptographic break-glass via trusted contacts with configurable waiting periods — no master override weakens the encryption.
Hardened Auth
Passkeys, FIDO2, TOTP, biometrics, and hardware keys. Session inventory with per-device revocation.
Governance & Billing
Plan entitlements, usage metering, seat tracking, and invoice history — the operating dashboard for the security programme.
Who it’s for
One vault for every credential type — answer 'who has access to what' in seconds, not weeks of spreadsheet auditing.
SSH CA, dynamic credentials, Kubernetes injection, and developer CLI — no more .env files in repos.
Company-wide credential management with health scoring, breach monitoring, and hardened multi-factor authentication.
Perpetual Licence
OwnVault is available as a perpetual licence. You own the software forever. Deploy on your infrastructure. No annual renewals, no per-seat pricing, no vendor lock-in. Prefer OpEx? A managed subscription is available too — switch between the two anytime, nothing to re-buy.
Every screen here also works without the screen.
OwnVault implements the Own360 headless spec: a standard /api/v1 surface with OpenAPI, cursor pagination, idempotent writes, and entity.changed events — drivable from its own CLI, any HTTP client, MCP tools generated straight from its OpenAPI, and the OwnAgents runtime.
$ ownvault entities # 6 entities
$ ownvault secret list --limit 20
$ ownvault secret create --data '{…}'
$ ownvault domain unwrapThe generated OwnVault CLI — every entity and domain op, OwnAuth-authenticated, idempotent by default.
Entities
Domain ops
10 verified agent tasks · 3 cross-app workflows
- OwnComply → OwnVault — OwnComply policy created → OwnVault secret stored for evidence tag
- OwnVault → OwnComply — OwnVault key created for rotation -> OwnComply audit-trail entry recording the rotation evidence
- OwnVault → OwnFlow — OwnVault key -> OwnFlow rotation workflow named after the key id
Inside OwnVault
The full story — why it exists, what it replaces, every capability in detail, and real product screens.