Vouch: Hardware-Backed Developer Credentials
Touch your key. Get credentials for everything. Vouch is an open-source credential broker that issues short-lived SSH keys, AWS sessions, GitHub tokens, and Kubernetes configs after a single FIDO2 hardware verification.
Modern developer credentials are broken
Credential sprawl
SSH keys from 2019. AWS access keys in plaintext. GitHub PATs that never expire. Every tool has its own long-lived secret.
No presence verification
Existing MFA verifies devices, not humans. A compromised laptop with cached credentials is indistinguishable from its owner.
AI agents with full access
AI coding assistants get your credentials with no scoping, no audit trail, and no way to distinguish human from agent actions.
How it works
One tap, every credential, all day.
Touch your YubiKey
FIDO2 verification with PIN ensures a human is present. Phishing-resistant by design.
Vouch issues credentials
Short-lived, scoped, hardware-attested, and bound to your device. SSH certificates, AWS sessions, GitHub tokens.
Your tools just work
Native integration with SSH, AWS CLI, git, kubectl, docker, and cargo. No wrappers.
Integrations
Native support for the tools your team already uses.
AWS
credential_process for seamless STS federation
SSH
Signed certificates, no more authorized_keys
GitHub
Short-lived tokens via git credential helper
Kubernetes
exec plugin for kubectl and EKS
Docker
Native credential helper for ECR and GHCR
Cargo
Private registry authentication
AWS CodeArtifact
Package repository tokens for pip, npm, Cargo
AWS CodeCommit
Git credential helper for AWS repositories
Give AI agents credentials, not your keys
Grant scoped, time-limited credentials to AI coding assistants. Full audit trails cryptographically distinguish human actions from agent actions. Revoke instantly.
Open source and auditable
Vouch's CLI and agent are open source under Apache-2.0/MIT. The server source is available under BSL 1.1 (converts to Apache-2.0 after 2 years). Security tools should be auditable.