Skip to main content

Documentation Index

Fetch the complete documentation index at: https://stackauth-e0affa27-chore-move-mcp-to-a-sep-app.mintlify.app/llms.txt

Use this file to discover all available pages before exploring further.

Data Vault is an encrypted key-value store built into Stack Auth. It lets you securely store sensitive data — API tokens, connection strings, secrets, or any other values — without ever exposing plaintext to Stack Auth’s database or operators.

How it works

Data Vault uses a double encryption design:
  1. Client-side encryption — Your SDK encrypts values and hashes keys locally before they leave your server, using a secret that only you know. Stack Auth never sees your plaintext keys or values.
  2. Server-side encryption — Stack Auth adds a second layer of envelope encryption using a rotating master key, so even the encrypted data at rest is further protected.
Because keys are hashed before storage, you cannot list or enumerate keys in a store. You must know the exact key to retrieve a value.
If you lose your secret, your data is unrecoverable. Even Stack Auth cannot decrypt your values without it. Keep your secret safe and backed up.

Setup

1. Create a store

Go to your project’s Data Vault page in the Stack Auth dashboard and create a new store. Each store has a unique ID that you’ll reference in your code.

2. Generate a secret

Your secret can be any string, but for strong security it should be at least 32 characters long and provide 256 bits of entropy. Store it as an environment variable:
.env
STACK_DATA_VAULT_SECRET=your-randomly-generated-secret-here

3. Use the SDK

Data Vault is accessed through the server app only — it requires your secret server key.
server-example.ts
const store = await stackServerApp.getDataVaultStore("my-store-id");

const key = user.id;

// Store a value
await store.setValue(key, "my-sensitive-value", {
  secret: process.env.STACK_DATA_VAULT_SECRET,
});

// Retrieve a value
const value = await store.getValue(key, {
  secret: process.env.STACK_DATA_VAULT_SECRET,
});
// value is the decrypted string, or null if the key doesn't exist

API reference

getDataVaultStore(id)

Returns a DataVaultStore object for the given store ID. The store must already exist in your project config (created via the dashboard). 
const store = await stackServerApp.getDataVaultStore("my-store-id");

store.getValue(key, { secret })

Retrieves the decrypted value for the given key, or null if the key doesn’t exist. 
const value = await store.getValue("some-key", {
  secret: process.env.STACK_DATA_VAULT_SECRET,
});

store.setValue(key, value, { secret })

Stores an encrypted value for the given key. If the key already exists, it is overwritten. 
await store.setValue("some-key", "some-value", {
  secret: process.env.STACK_DATA_VAULT_SECRET,
});

Security model

  • Keys are hashed with an iterated hash (100,000 iterations) derived from your secret and the logical key. The server only stores the hash.
  • Values are encrypted client-side using a derived key from the same secret + key pair, then re-encrypted server-side with KMS envelope encryption.
  • Your secret never leaves your server. Stack Auth’s API only receives hashed keys and double-encrypted values.
  • No enumeration — since only hashed keys are stored, there is no way to list all keys in a store. This is a deliberate security property.

Use cases

  • Storing third-party API tokens — safely persist user-specific tokens for external services
  • Connection strings — store database or service connection strings per-tenant
  • Encryption keys — use Data Vault as a key store for your own application-level encryption
  • Any sensitive per-user data — anything you don’t want in plaintext metadata fields