. JSON.stringify is\n safe-by-construction. */\n gtag('config', \"G-VZF1EHLEDH\");\n ","id":"ga-init"}])
← All Products

System of Record · Engineering

OwnVault

Centralize. Encrypt. Share. Recover.

A zero-knowledge credential and secrets platform for teams responsible for keeping an organization's logins, API keys, and privileged access out of the wrong hands. Every credential type in one vault — logins, cards, SSH keys, API keys, licences, notes — with scoped sharing, continuous health scoring, and cryptographic emergency access.

Replaces1PasswordLastPassHashiCorp Vault
+

In week one. Not year one.

01

'Who has access to what' becomes a question answered in seconds, not a spreadsheet audit.

02

Weak, reused, and breached credentials show up on the health score before an attacker finds them.

03

Secrets leave .env files and repos, and the server never sees plaintext — even if compromised.

And the 1Password renewal stops being a line item — the replacement is an asset you own. Run your numbers →

AES-256GCM + Argon2id zero-knowledge
LiveHealth score across all credentials
ScopedSharing with time-limited grants
FIDO2Passkeys + hardware key support
OwnVault — actual product interface

What sets it apart

01

Zero-knowledge: AES-256-GCM with Argon2id — the platform never sees plaintext, ever

02

Vault Health dashboard: continuous scoring of weak, reused, aging, and breached credentials

03

Scoped sharing with time-limited grants and one-click revocation

04

Break-glass emergency access via trusted contacts — no master override key

Key Capabilities

01

Zero-knowledge Encryption

AES-256-GCM with Argon2id key derivation. Encrypted on device — the platform cannot access your secrets even if compromised.

02

Vault Health

Continuous security posture: weak, reused, aging, and breached credential detection with actionable remediation.

03

Scoped Sharing

Item or collection sharing with view/use/edit permissions, time-limited grants, and one-click revocation.

04

Emergency Access

Cryptographic break-glass via trusted contacts with configurable waiting periods — no master override weakens the encryption.

05

Hardened Auth

Passkeys, FIDO2, TOTP, biometrics, and hardware keys. Session inventory with per-device revocation.

06

Governance & Billing

Plan entitlements, usage metering, seat tracking, and invoice history — the operating dashboard for the security programme.

Who it’s for

Security Lead

One vault for every credential type — answer 'who has access to what' in seconds, not weeks of spreadsheet auditing.

Platform Engineer

SSH CA, dynamic credentials, Kubernetes injection, and developer CLI — no more .env files in repos.

IT Admin

Company-wide credential management with health scoring, breach monitoring, and hardened multi-factor authentication.

Perpetual Licence

OwnVault is available as a perpetual licence. You own the software forever. Deploy on your infrastructure. No annual renewals, no per-seat pricing, no vendor lock-in. Prefer OpEx? A managed subscription is available too — switch between the two anytime, nothing to re-buy.

Every screen here also works without the screen.

OwnVault implements the Own360 headless spec: a standard /api/v1 surface with OpenAPI, cursor pagination, idempotent writes, and entity.changed events — drivable from its own CLI, any HTTP client, MCP tools generated straight from its OpenAPI, and the OwnAgents runtime.

$ ownvault entities            # 6 entities
$ ownvault secret list --limit 20
$ ownvault secret create --data '{…}'
$ ownvault domain unwrap

The generated OwnVault CLI — every entity and domain op, OwnAuth-authenticated, idempotent by default.

Entities

secretvaultpolicyaccess_grantaudit_eventkey

Domain ops

unwraprotate

10 verified agent tasks · 3 cross-app workflows

  • OwnComply → OwnVaultOwnComply policy created → OwnVault secret stored for evidence tag
  • OwnVault → OwnComplyOwnVault key created for rotation -> OwnComply audit-trail entry recording the rotation evidence
  • OwnVault → OwnFlowOwnVault key -> OwnFlow rotation workflow named after the key id

See the full task catalog in the agent runtime →

Inside OwnVault

The full story — why it exists, what it replaces, every capability in detail, and real product screens.

Read the deep dive →