Documentation

Vouch replaces the static secrets your team manages today — AWS access keys, SSH keys, GitHub PATs, registry passwords — with short-lived credentials backed by a YubiKey. One tap, up to 8 hours of access, full audit trail.

New to Vouch? Start with the Getting Started guide to install the CLI and enroll your YubiKey.

Getting Started

Install the Vouch CLI, enroll your YubiKey, and replace static secrets with hardware-backed credentials in minutes.

Startups

Skip IAM users, access keys, and IAM Identity Center. Go from Google Workspace to AWS in minutes with OIDC federation.

Stop rotating access keys and managing credentials

Access AWS, servers, databases, and AI services with short-lived, hardware-backed tokens.

AWS

Stop distributing long-lived AWS access keys. Use OIDC federation to get temporary STS credentials backed by a YubiKey.

AWS Multi-Account

Deploy Vouch OIDC federation across multiple AWS accounts with Organizations, StackSets, and SCPs.

SSH Certificates

Eliminate authorized_keys management. Vouch issues SSH certificates that expire in 8 hours — no key distribution, no offboarding checklist.

Amazon EKS

Access EKS clusters using OIDC-federated IAM credentials instead of long-lived kubeconfig tokens.

AWS Systems Manager

Use AWS Systems Manager Session Manager with Vouch credentials to reach EC2 instances without opening SSH ports.

Databases

Replace static database passwords with 15-minute IAM auth tokens generated from hardware-backed credentials.

Amazon Bedrock

Connect to Amazon Bedrock foundation models using short-lived credentials with full audit trails.

Ship code without token juggling

Authenticate to GitHub, container registries, and package managers with a single YubiKey tap.

GitHub

Replace GitHub PATs with short-lived tokens generated from your hardware-backed Vouch session.

Docker Registries

Stop running docker login and storing plaintext credentials. Vouch generates registry tokens on demand for ECR and GHCR.

AWS CodeArtifact

Pull and publish packages from AWS CodeArtifact using hardware-backed credentials — no token files, no refresh scripts.

AWS CodeCommit

Clone and push to AWS CodeCommit repositories using short-lived credentials instead of HTTPS Git credentials or SSH keys.

Cargo

Use Vouch as a Cargo credential provider for private registries — no tokens in .cargo/config.toml.

Integrate Vouch into your workflow

Add hardware-verified identity to CI/CD pipelines, IaC tools, your own apps, and user provisioning.

Applications (OIDC)

Integrate Vouch as an OIDC provider in your web, SPA, or native app for hardware-verified authentication.

SCIM Provisioning

Sync users and groups from your identity provider to Vouch automatically using SCIM 2.0.

Infrastructure as Code

Run CDK, Terraform, SAM, and other IaC tools using short-lived AWS credentials from Vouch.

CI/CD

Require a YubiKey tap before production deployments — hardware-verified identity embedded in every CI/CD credential.

CLI Reference

Complete command reference for the Vouch CLI — login, credentials, setup, and configuration.

Security

How Vouch protects credentials at every layer — data flow, threat model, credential lifecycle, and supply chain integrity.

Threat Model

STRIDE-based threat analysis — threat actors, trust boundaries, assumptions, threats, and mitigations for the Vouch credential broker.

Architecture

System components, protocols, and trust boundaries — how the Vouch CLI, agent, and server work together.

Availability

What happens when the Vouch server is unreachable — offline behavior, credential expiry, and blast radius.

Migration

Migrate from static credentials to Vouch — phased rollout, integration-by-integration checklist, and rollback plan.

FAQ

Common questions about Vouch — supported hardware, session behavior, platform support, and cost.