HashiCorp Vault (Secrets Management)
Vault stores API keys, passwords, and certificates centrally — apps authenticate and retrieve secrets at runtime instead of reading hardcoded env vars.
Aithroyz deploys Vault in dev mode for sandbox use. The root token is shown in the Credentials panel. For production use, initialize and unseal Vault properly using vault operator init and vault operator unseal.
Access
URL: https://vault.<env-name>.ops.aithroyz.com
Token: Root token shown in Environments detail → Credentials panel.
Storing and retrieving a secret
Vault's KV (key-value) secrets engine lets you store arbitrary key-value pairs at a path:
# Set the Vault address and token in your shell
export VAULT_ADDR="https://vault.<env-name>.ops.aithroyz.com"
export VAULT_TOKEN="<root-token-from-credentials-panel>"
# Write a secret
vault kv put secret/myapp db_password="s3cur3p4ss" api_key="abcd1234"
# Read it back
vault kv get secret/myapp
# Read a single field
vault kv get -field=db_password secret/myapp
The KV secrets engine at secret/ is enabled by default in dev mode. In production, enable it explicitly with vault secrets enable -path=secret kv-v2.
Web UI
Vault ships with a built-in browser UI for exploring secrets without the CLI:
1. Open the Vault URL and enter your root token to log in.
2. Click Secrets in the left nav, then select the secret/ engine.
3. Click Create secret, enter a path (e.g. myapp/db), and add key-value pairs.
4. Saved secrets can be read, updated, or deleted from the same view.
Creating a scoped token
Avoid using the root token in applications. Create a policy that grants minimal access, then issue a short-lived token against it:
# Write a policy file (myapp-policy.hcl)
path "secret/data/myapp/*" {
capabilities = ["read"]
}
# Upload the policy
vault policy write myapp ./myapp-policy.hcl
# Create a token with that policy and a 1-hour TTL
vault token create -policy=myapp -ttl=1h
# The output includes a token field — use that in your app
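Added example (not part of the original page or of Aithroyz's tooling): a simplified offline model of how Vault matches a policy path against a KV v2 request, applied to the paths used on this page. It assumes a single-segment mount name (secret) and models only exact rules and rules ending in *; the function names are hypothetical.

```sh
#!/bin/sh
# Added example: simplified model of Vault policy path matching for KV v2.
# Assumptions: single-segment mount name; only exact rules and rules ending
# in "*" are modelled ("+" wildcards and deny rules are ignored).

# Map a CLI path (as given to "vault kv get") to the API path that policies
# are checked against: <mount>/data/<rest>.
kv2_api_path() {
  printf '%s/data/%s\n' "${1%%/*}" "${1#*/}"
}

# rule_covers RULE API_PATH -> exit status 0 if the rule applies to the path.
rule_covers() {
  case "$1" in
    *'*')
      prefix="${1%?}"            # drop the trailing "*", keep the prefix
      case "$2" in
        "$prefix"*) return 0 ;;  # prefix match
      esac
      return 1 ;;
    *)
      [ "$1" = "$2" ] ;;         # no glob: exact match only
  esac
}

# Print the decision for one CLI path under one rule.
check() {
  api=$(kv2_api_path "$2")
  if rule_covers "$1" "$api"; then
    echo "covered      $2 -> $api"
  else
    echo "not covered  $2 -> $api"
  fi
}

RULE='secret/data/myapp/*'       # rule from myapp-policy.hcl on this page
check "$RULE" secret/myapp       # written with: vault kv put secret/myapp ...
check "$RULE" secret/myapp/db    # path from the Web UI steps
check "$RULE" secret/otherapp/db # constructed path outside the policy
```

The rule covers secret/data/myapp/db but not secret/data/myapp itself, so a token issued with this policy cannot read the secret written earlier with vault kv put secret/myapp. Store application secrets under secret/myapp/ or add a rule for the exact path.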
Tokens inherit only the permissions defined in their policy. A token scoped to secret/data/myapp/* cannot read or write any other path.
Tips
Dynamic database credentials
Enable the database secrets engine and configure it with your DB connection. Vault issues short-lived, unique credentials per request — no more shared passwords across services.
Enable audit logging immediately
In sandbox use, enable file-based audit logging so every secret access is recorded. Run: vault audit enable file file_path=/vault/logs/audit.log
Use Vault in n8n workflows
Add an HTTP Request node in n8n pointing at your Vault URL with the X-Vault-Token header. Retrieve secrets at runtime in your workflow instead of hardcoding them in n8n credentials.
Dev mode stores all secrets in memory. They are lost when the Vault container restarts. For persistent secrets in a sandbox, initialize Vault properly with a file or cloud storage backend before storing anything critical.