Vault your secrets
Encrypted secrets, type-safe feature flags, runtime configuration, audit trails, and secret rotation — tenant-scoped, plugin-extensible, and composable.
go get github.com/xraph/vaultEverything you need for application secrets
Vault handles the hard parts — encryption, tenant isolation, flag evaluation, config resolution, and audit logging — so you can focus on your application.
Secrets Management
AES-256-GCM encrypted, versioned secrets with automatic nonce generation. Store, retrieve, and rotate secrets with full audit trails.
svc := secret.NewService(store, encryptor) err := svc.Set(ctx, "db-password", []byte("s3cret!"), secret.WithMetadata(map[string]string{ "env": "production", }),) val, _ := svc.Get(ctx, "db-password")"text-fd-muted-foreground/60 italic">// val = []byte("s3cret!")Feature Flags
Type-safe flag evaluation with targeting rules, tenant overrides, percentage rollouts, and schedule-based activation.
engine := flag.NewEngine(store)svc := flag.NewService(engine, store) dark, _ := svc.Bool(ctx, "dark-mode", false)limit, _ := svc.Int(ctx, "rate-limit", 100)model, _ := svc.String(ctx, "ai-model", "gpt-4o")"text-fd-muted-foreground/60 italic">// dark=true, limit=250, model="gpt-4o"Runtime Config
Type-safe configuration with Duration, JSON, and Watch support. Override resolution chains config sources with per-tenant overrides.
svc := config.NewService(store) ttl, _ := svc.Duration(ctx, "cache-ttl", 5*time.Minute) svc.Watch(ctx, "cache-ttl", func(key string, val any) { cache.SetTTL(val.(time.Duration)) })Secret Rotation
Schedule-based automatic rotation with custom rotator functions. Define policies per secret and let the manager handle the lifecycle.
mgr := rotation.NewManager(store, secretSvc) mgr.RegisterRotator("db-password", func(ctx context.Context) ([]byte, error) { pw := generatePassword(32) return []byte(pw), nil }) mgr.Start(ctx) "text-fd-muted-foreground/60 italic">// runs on policy scheduleMulti-Tenant Isolation
Every operation is scoped to tenant and app via context. Cross-tenant access is structurally impossible at the store layer.
ctx = scope.WithAppID(ctx, "myapp")ctx = scope.WithTenantID(ctx, "tenant-1")ctx = scope.WithUserID(ctx, "user-42") "text-fd-muted-foreground/60 italic">// All secret, flag, config operations"text-fd-muted-foreground/60 italic">// are automatically scoped to this tenantPlugin System
Register plugins that implement any of 8 capability interfaces. The registry auto-discovers capabilities via type-switch.
reg := plugin.NewRegistry()reg.Register(&DatadogPlugin{})reg.Register(&SlackAlertsPlugin{}) "text-fd-muted-foreground/60 italic">// Auto-discovered capabilities:"text-fd-muted-foreground/60 italic">// - OnInit, OnShutdown"text-fd-muted-foreground/60 italic">// - OnSecretAccess, OnConfigChange"text-fd-muted-foreground/60 italic">// - RotationStrategyFrom request to secure response.
Vault orchestrates the entire operation lifecycle — tenant scoping, secret decryption, flag evaluation, and audit recording.
Automatic Tenant Scoping
Every secret, flag, and config operation is stamped with TenantID and AppID from context. Isolation is enforced at the store layer — no tenant can access another's data.
AES-256-GCM Encryption
Secrets are encrypted with AES-256-GCM using unique nonces. Ciphertext is stored as nonce‖encrypted bytes. Key rotation and crypto-shredding are built in.
Append-Only Audit Trail
Every access, mutation, and failure is logged with actor, resource, action, severity, and outcome. Wire in custom recorders via the audit hook extension.
Simple API. Powerful primitives.
Store an encrypted secret and evaluate a feature flag in under 20 lines. Vault handles encryption, scoping, and resolution.
1package main2 3import (4 "context"5 "log"6 7 "github.com/xraph/vault"8 "github.com/xraph/vault/crypto"9 "github.com/xraph/vault/scope"10 "github.com/xraph/vault/secret"11 "github.com/xraph/vault/store/memory"12)13 14func main() {15 ctx := context.Background()16 st := memory.New()17 enc := crypto.NewEncryptor("my-32-byte-encryption-key-here!")18 19 svc := secret.NewService(st, enc)20 21 ctx = scope.WithAppID(ctx, "myapp")22 ctx = scope.WithTenantID(ctx, "tenant-1")23 24 "text-fd-muted-foreground/60 italic">// Store an encrypted secret25 _ = svc.Set(ctx, "api-key",26 []byte("sk-live-abc123"))27 28 "text-fd-muted-foreground/60 italic">// Retrieve and decrypt29 val, _ := svc.Get(ctx, "api-key")30 log.Printf("secret: %s", val)31 "text-fd-muted-foreground/60 italic">// secret: sk-live-abc12332}1package main2 3import (4 "context"5 "fmt"6 7 "github.com/xraph/vault/flag"8 "github.com/xraph/vault/scope"9 "github.com/xraph/vault/store/memory"10)11 12func main() {13 ctx := context.Background()14 st := memory.New()15 16 engine := flag.NewEngine(st)17 svc := flag.NewService(engine, st)18 19 ctx = scope.WithAppID(ctx, "myapp")20 ctx = scope.WithTenantID(ctx, "tenant-1")21 22 "text-fd-muted-foreground/60 italic">// Type-safe flag evaluation23 dark, _ := svc.Bool(ctx, "dark-mode", false)24 limit, _ := svc.Int(ctx, "rate-limit", 100)25 model, _ := svc.String(ctx, "ai-model", "gpt-4o")26 27 fmt.Printf("dark=%v limit=%d model=%s\n",28 dark, limit, model)29 "text-fd-muted-foreground/60 italic">// dark=true limit=250 model=gpt-4o30}Start building with Vault
Add encrypted secrets, feature flags, and runtime configuration to your Go service in minutes. Vault handles encryption, tenant isolation, and audit trails out of the box.
go get github.com/xraph/vault