Documentation
Vouch replaces the static secrets your team manages today — AWS access keys, SSH keys, GitHub PATs, registry passwords — with short-lived credentials backed by a YubiKey. One tap, up to 8 hours of access, full audit trail.
New to Vouch? Start with the Getting Started guide to install the CLI and enroll your YubiKey.
Stop rotating access keys and managing credentials
Access AWS, servers, databases, and AI services with short-lived, hardware-backed tokens.
AWS
Stop distributing long-lived AWS access keys. Use OIDC federation to get temporary STS credentials backed by a YubiKey.
AWS Multi-Account
Deploy Vouch OIDC federation across multiple AWS accounts with Organizations, StackSets, and SCPs.
SSH Certificates
Eliminate authorized_keys management. Vouch issues SSH certificates that expire in 8 hours — no key distribution, no offboarding checklist.
Amazon EKS
Access EKS clusters using OIDC-federated IAM credentials instead of long-lived kubeconfig tokens.
Kubernetes
Access any Kubernetes cluster using OIDC tokens from Vouch — no cloud-specific plugins required.
SPIFFE
Connect hardware-verified developer identity to SPIFFE workload identity — federate Vouch OIDC tokens with SPIRE for zero-trust infrastructure.
AWS Systems Manager
Use AWS Systems Manager Session Manager with Vouch credentials to reach EC2 instances without opening SSH ports.
Databases
Replace static database passwords with 15-minute IAM auth tokens generated from hardware-backed credentials.
Infrastructure as Code
Run CDK, Terraform, SAM, and other IaC tools using short-lived AWS credentials from Vouch.
Amazon Bedrock
Connect to Amazon Bedrock foundation models using short-lived credentials with full audit trails.
Ship code without token juggling
Authenticate to GitHub, container registries, and package managers with a single YubiKey tap.
GitHub
Replace GitHub PATs with short-lived tokens generated from your hardware-backed Vouch session.
Docker Registries
Stop running docker login and storing plaintext credentials. Vouch generates registry tokens on demand for ECR and GHCR.
AWS CodeArtifact
Pull and publish packages from AWS CodeArtifact using hardware-backed credentials — no token files, no refresh scripts.
AWS CodeCommit
Clone and push to AWS CodeCommit repositories using short-lived credentials instead of HTTPS Git credentials or SSH keys.
Cargo
Use Vouch as a Cargo credential provider for private registries — no tokens in .cargo/config.toml.
More
Applications (OIDC)
Integrate Vouch as an OIDC provider in your web, SPA, or native app for hardware-verified authentication.
CLI Reference
Complete command reference for the Vouch CLI — login, credentials, setup, and configuration.
Admin Dashboard
Manage organization members, view audit logs, configure SCIM tokens, and enforce device posture policies from the Vouch admin dashboard.
Architecture
System components, protocols, and trust boundaries — how the Vouch CLI, agent, and server work together.
SCIM Provisioning
Sync users and groups from your identity provider to Vouch automatically using SCIM 2.0.
Security
How Vouch protects credentials at every layer — data flow, threat model, credential lifecycle, and supply chain integrity.
Device Posture
Enforce security requirements on developer devices before issuing credentials — disk encryption, firewalls, screen lock, endpoint protection, and more.
Threat Model
STRIDE-based threat analysis — threat actors, trust boundaries, assumptions, threats, and mitigations for the Vouch credential broker.
Availability
What happens when the Vouch server is unreachable — offline behavior, credential expiry, and blast radius.
SAML
Use SAML 2.0 identity providers with Vouch — Okta, Microsoft Entra ID, Google Workspace, and more.
CI/CD
Require a YubiKey tap before production deployments — hardware-verified identity embedded in every CI/CD credential.
Migration
Migrate from static credentials to Vouch — phased rollout, integration-by-integration checklist, and rollback plan.
FAQ
Common questions about Vouch — supported hardware, session behavior, platform support, and cost.