Sharing and rotation
Share secrets as encrypted, revocable, time-boxed grants instead of plaintext pastes, and rotate weak or old credentials through a guided workflow.
Updated Jun 23, 2026
Two of the most error-prone things teams do with secrets are sharing them and changing them. VaultTerm handles both inside the vault, under the same audit trail as everything else, so neither becomes a plaintext-in-a-chat-window moment.
Sharing secrets
Sharing in VaultTerm assigns access; it does not copy a value into a message. A secret is shared with a team or a vault, and the recipient’s access is governed by a role (see Roles and permissions for the full hierarchy).
- Role-based. A share grants one of OWNER, ADMIN, EDITOR or VIEWER on the resource.
- Encrypted, not pasted. The secret stays envelope-encrypted; the recipient gets access through the vault rather than a copy of the plaintext.
- Revocable. A share can be withdrawn, and access ends — there is no stray copy to chase down.
- Time-boxed. A share can be issued for a limited window so access expires on its own.
- Audited. Issuing, using and revoking a share all land in the audit trail.
This replaces the usual pattern of pasting a password into chat: instead of a plaintext value you can never un-send, you grant scoped, revocable, time-limited access that is on the record.
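The grant model described above, sketched as an added example; it is not VaultTerm code or its API. The class and event names, the role ordering (VIEWER lowest, OWNER highest) and the logging of denied checks are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional

# Assumed ordering, least to most privileged; the page only names the roles.
ROLES = ["VIEWER", "EDITOR", "ADMIN", "OWNER"]

@dataclass
class Grant:
    resource: str
    grantee: str                           # team or vault the secret is shared with
    role: str
    expires_at: Optional[datetime] = None  # None means no time box
    revoked: bool = False

@dataclass
class ShareLedger:
    grants: list = field(default_factory=list)
    audit: list = field(default_factory=list)  # (time, event, grantee, resource)

    def _log(self, now, event, grantee, resource):
        self.audit.append((now.isoformat(), event, grantee, resource))

    def issue(self, now, resource, grantee, role, ttl=None):
        if role not in ROLES:
            raise ValueError(f"unknown role: {role}")
        grant = Grant(resource, grantee, role, now + ttl if ttl else None)
        self.grants.append(grant)
        self._log(now, "share.issued", grantee, resource)
        return grant

    def revoke(self, now, grant):
        grant.revoked = True
        self._log(now, "share.revoked", grant.grantee, grant.resource)

    def check(self, now, resource, grantee, needed="VIEWER"):
        """Allow only while a grant is unrevoked, unexpired and senior enough."""
        for g in self.grants:
            live = not g.revoked and (g.expires_at is None or now < g.expires_at)
            enough = ROLES.index(g.role) >= ROLES.index(needed)
            if (g.resource, g.grantee) == (resource, grantee) and live and enough:
                self._log(now, "share.used", grantee, resource)
                return True
        self._log(now, "share.denied", grantee, resource)  # assumption: denials logged too
        return False

if __name__ == "__main__":  # constructed sample data
    t0, led = datetime(2026, 1, 1, 9, 0), ShareLedger()
    led.issue(t0, "db/prod-password", "team-sre", "VIEWER", ttl=timedelta(hours=1))
    print(led.check(t0 + timedelta(hours=2), "db/prod-password", "team-sre"))
```

Because every decision goes through `check`, expiry and revocation take effect on the next access attempt, and the audit list shows who was granted, allowed or refused and when.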
Rotating credentials
A credential is only as good as how fresh it is. VaultTerm’s health scanner flags secrets that are weak, old or reused (see Credential health), and rotation turns that flag into an action.
- Guided workflow. An AI copilot walks through rotating a flagged credential rather than leaving you to do it by hand.
- Update-in-place over the broker. For a credential used on a host reachable through the SSH broker, rotation can update the remote value in place — changing it on the target system over the brokered SSH connection and storing the new value in the vault in the same step.
- Audited end to end. The rotation and the resulting change are recorded.
Entitlement
The guided, copilot-driven rotation that updates remote values in place is a PRO+ capability,
gated by the cloud_ai entitlement. Plans below that tier can still see health findings and rotate
secrets manually.
Where to go next
- See what gets flagged for rotation in Credential health.
- Understand the full role hierarchy in Roles and permissions.