Documentation

Vouch replaces the static secrets your team manages today — AWS access keys, SSH keys, GitHub PATs, registry passwords — with short-lived credentials backed by a YubiKey. One tap, up to 8 hours of access, full audit trail.

New to Vouch? Start with the Getting Started guide to install the CLI and enroll your YubiKey.

Choose your path

For developers

Install the CLI, enroll your YubiKey, and verify your first hardware-backed session.

Start the guide

For admins

Configure organization settings, identity lifecycle, SAML, and device posture policies.

Admin dashboard · SCIM · SAML · Device posture

For security review

Review the credential lifecycle, trust boundaries, failure modes, and migration path.

Security · Threat model · Architecture · Availability · Migration

For startups

Go from Google Workspace to AWS access without IAM users, access keys, or Identity Center.

Use the startup path

Start here

Choose the fastest path for your first Vouch rollout.

Startups

Skip IAM users, access keys, and IAM Identity Center. Go from Google Workspace to AWS in minutes with OIDC federation.

Getting Started

Install the Vouch CLI, enroll your YubiKey, and replace static secrets with hardware-backed credentials in minutes.

Connect infrastructure

Access AWS, servers, Kubernetes, databases, and AI services with short-lived, hardware-backed tokens.

AWS

Stop distributing long-lived AWS access keys. Use OIDC federation to get temporary STS credentials backed by a YubiKey.

AWS Multi-Account

Deploy Vouch OIDC federation across multiple AWS accounts with Organizations, StackSets, and SCPs.

SSH Certificates

Eliminate authorized_keys management. Vouch issues SSH certificates that expire in 8 hours — no key distribution, no offboarding checklist.

Amazon EKS

Access EKS clusters using OIDC-federated IAM credentials instead of long-lived kubeconfig tokens.

Kubernetes

Access any Kubernetes cluster using OIDC tokens from Vouch — no cloud-specific plugins required.

SPIFFE

Connect hardware-verified developer identity to SPIFFE workload identity — federate Vouch OIDC tokens with SPIRE for zero-trust infrastructure.

AWS Systems Manager

Use AWS Systems Manager Session Manager with Vouch credentials to reach EC2 instances without opening SSH ports.

Databases

Replace static database passwords with 15-minute IAM auth tokens generated from hardware-backed credentials.

Infrastructure as Code

Run CDK, Terraform, SAM, and other IaC tools using short-lived AWS credentials from Vouch.

Amazon Bedrock

Connect to Amazon Bedrock foundation models using short-lived credentials with full audit trails.

Ship code

Authenticate to GitHub, container registries, package managers, and AWS developer services with one YubiKey-backed session.

GitHub

Replace GitHub PATs with short-lived tokens generated from your hardware-backed Vouch session.

Docker Registries

Stop running docker login and storing plaintext credentials. Vouch generates registry tokens on demand for ECR and GHCR.

AWS CodeArtifact

Pull and publish packages from AWS CodeArtifact using hardware-backed credentials — no token files, no refresh scripts.

AWS CodeCommit

Clone and push to AWS CodeCommit repositories using short-lived credentials instead of HTTPS Git credentials or SSH keys.

Cargo

Use Vouch as a Cargo credential provider for private registries — no tokens in .cargo/config.toml.

Operate Vouch

Manage users, identity providers, device posture, application sign-in, and deployment approval workflows.

Applications (OIDC)

Integrate Vouch as an OIDC provider in your web, SPA, or native app for hardware-verified authentication.

Admin Dashboard

Manage organization members, view audit logs, configure SCIM tokens, and enforce device posture policies from the Vouch admin dashboard.

SCIM Provisioning

Sync users and groups from your identity provider to Vouch automatically using SCIM 2.0.

Device Posture

Enforce security requirements on developer devices before issuing credentials — disk encryption, firewalls, screen lock, endpoint protection, and more.

SAML

Use SAML 2.0 identity providers with Vouch — Okta, Microsoft Entra ID, Google Workspace, and more.

CI/CD

Require a YubiKey tap before production deployments — hardware-verified identity embedded in every CI/CD credential.

Evaluate security

Review the architecture, threat model, availability behavior, migration approach, FAQ, and CLI reference.

CLI Reference

Complete command reference for the Vouch CLI — login, credentials, setup, and configuration.

Architecture

System components, protocols, and trust boundaries — how the Vouch CLI, agent, and server work together.

Security

How Vouch protects credentials at every layer — data flow, threat model, credential lifecycle, and supply chain integrity.

Threat Model

STRIDE-based threat analysis — threat actors, trust boundaries, assumptions, threats, and mitigations for the Vouch credential broker.

Availability

What happens when the Vouch server is unreachable — offline behavior, credential expiry, and blast radius.

Migration

Migrate from static credentials to Vouch — phased rollout, integration-by-integration checklist, and rollback plan.

FAQ

Common questions about Vouch — supported hardware, session behavior, platform support, and cost.