You issue keys. They leak.
Your dashboard generates an API key. The developer copies it into a .env file. Then into Slack. Then into a deploy script. Six months later, it shows up in a public GitHub repo. Your rotation docs gather dust because updating a key means redeploying every service that uses it.
The credential lifecycle is broken at the point of issuance. Keys should never be shown as copyable strings in the first place.
# Developer copies key from dashboard
$echo "STRIPE_SK=sk_live_4eC39H..." >> .env
# Shares with teammate on Slack
@davehere's the prod key: sk_live_4eC39H...
# Commits to git by accident
$git add . && git push
# sk_live_4eC39H... is now public
# Provider pushes key directly to vault
POST /api/v1/orgs/:org_id/providers/:id/push
{
"secret_name": "STRIPE_SK",
"value": "sk_live_new_rotated_key",
"environment": "production"
}
# User's app fetches at runtime
const stripe = new Stripe(
await fyvault.get("STRIPE_SK")
);
// Key rotated. Zero downtime. No .env touched.
Push credentials directly into vaults
Instead of showing your user a key to copy, push it straight into their FyVault organization. Their app reads it at runtime through the SDK. They never see the raw value.
When you rotate, push the new key. The old one is versioned automatically. Their services pick up the change on the next request. No redeployments. No migration guides. No support tickets.
How it works
Four steps. One API call from your side. The rest is automatic.
Provider
Your backend generates a credential for a user
FyVault API
POST the credential via the Provider API
User's Vault
Encrypted, stored, version-controlled
User's App
SDK fetches the key at runtime. No .env needed.
Three endpoints. That's it.
Register your provider, push credentials, and rotate them. Each call is authenticated with a fvprov_ token that your ops team generates in the FyVault dashboard.
1. Push a credential
Write or overwrite a secret in the user's vault for a given environment.
POST /api/v1/orgs/:org_id/providers/:id/push2. Rotate a credential
Push a new value. The previous version is kept for rollback.
PATCH /api/v1/orgs/:org_id/providers/:id3. Revoke a credential
Instantly invalidate a credential across all environments.
DELETE /api/v1/orgs/:org_id/providers/:id// Your backend — after key generation
const res = await fetch(
`https://api.fyvault.com/v1/orgs/${orgId}/providers/${providerId}/push`
, {
method: "POST",
headers: {
Authorization: `Bearer ${FYVAULT_PROVIDER_TOKEN}`,
"Content-Type": "application/json"
},
body: JSON.stringify({
secret_name: "STRIPE_SK",
value: newApiKey,
environment: "production"
})
});
// Done. The user's app picks it up at runtime.
Better for your users. Better for you.
Every credential you push through FyVault is one fewer leaked key, one fewer support ticket, and one more reason users trust your platform.
Zero support tickets about leaked keys
When credentials live in a vault instead of a .env file, they don't end up on GitHub. Your support queue gets lighter overnight.
Automated rotation your users actually use
Push a new key, and it appears in your user's vault instantly. No migration guide. No breaking change. No ticket asking how to update.
Full audit trail for every credential
Know exactly when a key was issued, rotated, accessed, or revoked. Per user, per environment, with timestamps and IP addresses.
Your users are automatically protected
Credentials are encrypted at rest with zero-knowledge encryption. Even if someone breaches FyVault's servers, the raw keys are unreadable.