Break-Glass Access

Emergency access to secrets when normal approval workflows are too slow. Time-limited, fully audited, and auto-revoked.

How it works

A break-glass session grants temporary elevated access. Every session has a TTL (max 4 hours), a required justification reason, and triggers Slack notifications to org admins. When the TTL expires, access is automatically revoked.

CLI

# Start a break-glass session (max 4 hours)
fyvault break-glass create \
  --reason "Production database outage" \
  --ttl 2h

# Read a secret during the session
fyvault break-glass get DATABASE_URL

# End the session early
fyvault break-glass revoke bgr_session_id

Node.js

import { FyVault } from "@fyvault/sdk";

const fv = new FyVault({ accessToken: "fv_live_...", orgId: "org_acme" });

const session = await fv.breakGlass.create({
  reason: "Production database outage",
  ttlSeconds: 7200, // 2 hours
});

console.log(session.token); // fvbg_...

const dbUrl = await fv.breakGlass.getSecret(session.id, "DATABASE_URL");

// Revoke early
await fv.breakGlass.revoke(session.id);

Python

from fyvault import FyVault

fv = FyVault(access_token="fv_live_...", org_id="org_acme")

session = fv.break_glass.create(
    reason="Production database outage",
    ttl_seconds=7200,
)

db_url = fv.break_glass.get_secret(session.id, "DATABASE_URL")

fv.break_glass.revoke(session.id)

Audit trail

Every break-glass session records: who initiated it, the reason, which secrets were accessed, when the session started and ended, and the IP address. View the full audit log in the dashboard under Security → Break-Glass History.

Slack notifications

Configure a Slack webhook in Settings → Integrations → Slack. When a break-glass session is created, all org admins receive an alert with the user, reason, and TTL.