About
What is Vouch
Vouch is a hardware-backed authentication system for developer infrastructure. It replaces long-lived secrets – SSH keys, AWS access keys, GitHub tokens, Docker credentials – with short-lived, cryptographically attested credentials. No credential is ever issued without proof of human presence via a FIDO2/WebAuthn security key.
If your team spends time rotating AWS keys, copying SSH public keys to servers, managing GitHub PATs, or running aws ecr get-login-password cron jobs, Vouch eliminates all of it with a single YubiKey tap each morning.
How it works
- Sign in through your organization’s identity provider (SSO).
- Register a security key (one-time enrollment of a YubiKey or compatible FIDO2 key).
- Tap your key each workday to get 8 hours of credentials for every integrated service.
After a single vouch login, credential helpers for SSH, AWS, GitHub, EKS, Docker, Cargo, AWS CodeArtifact, and AWS CodeCommit provide tokens on demand – transparently and without any long-lived secrets on disk.
Security model
- Physical hardware key + PIN – Every credential issuance requires a FIDO2 assertion: physical touch of the security key and knowledge of the PIN. Software alone cannot obtain credentials.
- Phishing-resistant – FIDO2 credentials are cryptographically bound to the Vouch server origin. They cannot be replayed against a different site.
- Short-lived credentials – All issued credentials (SSH certificates, OIDC tokens, AWS STS sessions) expire after a maximum of 8 hours. There is nothing to revoke and nothing to rotate.
- Full audit trail – Every credential issuance is logged with the authenticated identity, hardware key attestation, and timestamp.
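The two properties above that a verifier can actually check in code are origin binding (the assertion's clientDataJSON names the origin the browser talked to, so a credential minted on a look-alike site fails verification) and the hard lifetime cap. The following is an added illustration written for this page, not code from the Vouch project: it parses a WebAuthn clientDataJSON, rejects assertions whose origin or challenge do not match the relying party's expectations, and enforces an 8-hour maximum on any issued credential. The origin `https://vouch.example.com`, the challenge string and the sample timestamps are constructed for the example; a real server would also verify the authenticator signature and counter, which is omitted here.

```python
import base64
import json
import time

# Maximum credential lifetime stated on the page: 8 hours.
MAX_CREDENTIAL_LIFETIME_SECONDS = 8 * 60 * 60

# Constructed relying-party origin for this example (assumption, not a real deployment).
EXPECTED_ORIGIN = "https://vouch.example.com"


def b64url_encode(raw: bytes) -> str:
    """WebAuthn transports clientDataJSON as unpadded base64url."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    padded = text + "=" * (-len(text) % 4)
    return base64.urlsafe_b64decode(padded)


def make_client_data(origin: str, challenge: str, typ: str = "webauthn.get") -> str:
    """Build a constructed clientDataJSON blob, as a browser would for an assertion."""
    payload = {"type": typ, "challenge": challenge, "origin": origin}
    return b64url_encode(json.dumps(payload).encode("utf-8"))


def check_client_data(client_data_b64: str, expected_challenge: str,
                      expected_origin: str = EXPECTED_ORIGIN) -> bool:
    """Return True only if the assertion is bound to our origin and our challenge.

    This is the phishing-resistance check: a credential collected on any other
    origin carries that origin in clientDataJSON and is rejected here.
    """
    try:
        data = json.loads(b64url_decode(client_data_b64))
    except (ValueError, json.JSONDecodeError):
        return False
    if data.get("type") != "webauthn.get":
        return False
    if data.get("origin") != expected_origin:
        return False
    # Challenge must match exactly to prevent replay of an old assertion.
    if data.get("challenge") != expected_challenge:
        return False
    return True


def credential_is_valid(issued_at: int, expires_at: int, now: int) -> bool:
    """Enforce the short-lived policy: not expired, not future-dated, lifetime <= 8h."""
    if issued_at > now:
        return False
    if expires_at <= now:
        return False
    if expires_at - issued_at > MAX_CREDENTIAL_LIFETIME_SECONDS:
        return False
    return True


if __name__ == "__main__":
    challenge = "c0ns7ruct3d-ch4ll3ng3"
    good = make_client_data(EXPECTED_ORIGIN, challenge)
    lookalike = make_client_data("https://vouch-login.example.net", challenge)
    print("legitimate origin accepted:", check_client_data(good, challenge))
    print("look-alike origin rejected:", not check_client_data(lookalike, challenge))
    now = int(time.time())
    print("8h credential valid:", credential_is_valid(now, now + 8 * 3600, now + 60))
    print("9h credential rejected:", not credential_is_valid(now, now + 9 * 3600, now))
```

The origin comparison is the whole point of the "phishing-resistant" bullet: the browser, not the user, fills in the `origin` field, so a key tapped on a look-alike page produces a blob that this check refuses. The lifetime check is what lets the page claim there is nothing to revoke; a verifier that also caps the window at issuance time cannot be talked into honouring a token that was minted with a longer life.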
Integrations
Vouch provides native credential helpers for:
- SSH – Short-lived certificates signed by your organization’s CA
- AWS – STS credentials via OIDC federation
- GitHub – Short-lived repository access tokens
- Amazon EKS – Kubernetes authentication via IAM
- Docker – Container registry authentication (ECR, GHCR)
- Cargo – Private Cargo registry authentication
- AWS CodeArtifact – Package repository authentication
- AWS CodeCommit – Git repository authentication
- AWS Systems Manager Session Manager – Secure shell access through AWS Systems Manager
- Database Authentication – IAM authentication for RDS, Aurora, and Redshift
- Infrastructure as Code – CDK, Terraform, SAM, and other IaC tools
- CI/CD Integration – Human authorization gates for deployment pipelines
- AI Model Access – Hardware-verified access to Amazon Bedrock
- OIDC Applications – “Sign in with Vouch” for your own applications
Open source
The Vouch CLI and agent are open source under the Apache-2.0 / MIT dual license. The server source is available under the BSL 1.1 license, which converts to Apache-2.0 after 2 years. Security tools should be auditable.
Company
Vouch is built by Smoke Turner, LLC.