❯ spanna --vault
The Vault. Your connections, encrypted, on every device you sign in from.
Spanna Vault is the encrypted credential store at the heart of every Spanna client. Sign in once and your connections follow you across desktop, web, and mobile (preview) — without us ever being able to read them.
// What lives in your Vault. Encrypted at rest, decrypted only on your devices.
[
{ name: "prod · users", uri: "<encrypted>", auth: "x.509", folder: "production" },
{ name: "prod · events", uri: "<encrypted>", auth: "OIDC", folder: "production" },
{ name: "staging", uri: "<encrypted>", auth: "AWS IAM", folder: "staging" },
{ name: "local · dev", uri: "<encrypted>", auth: "user/pass", folder: null }
]
vault> // signed in: nick@spanna.app · synced: macOS, web, iPhone
vault> _
❯ what you get
A credential store that does its job and stays out of the way
The Vault is the layer between your fingers and your databases. It should be invisible during normal use and bulletproof when something goes wrong.
encrypted
Your secrets, encrypted before they leave you
Connection strings, SSH keys, x.509 certs, and AWS IAM credentials are encrypted client-side with keys derived from your account. The Vault sees ciphertext; we literally cannot read what's inside.
everywhere
Same Vault, every surface
Sign in on desktop, web, or mobile (preview) and the same connections are there — saved, sorted, and ready. No re-typing connection strings on every device.
yours
Local-first when you want it
Desktop runs without an account at all — the Vault lives on your machine via the OS keychain (macOS Keychain, Windows DPAPI, libsecret on Linux). Sign in only when you want sync.
❯ ls vault/
What's in your Vault
Connection-related secrets, and only those. We don't store your MongoDB documents, query history, or anything you query through Spanna.
Connection strings
MongoDB URIs, including SRV records, replica set members, and connection options.
Auth credentials
Username/Password, OIDC, x.509 client certs, AWS IAM, Kerberos. Never URL-encoded into the URI.
SSH tunnel config
Bastion hosts, jump hosts, SSH keys (in-memory only on the web client; persisted on desktop).
Connection folders
How you organise the connection list — folder names, ordering, pinning.
# not in the Vault: query history (local on desktop, accountable on web), MongoDB documents (never persisted on our servers), saved queries (Pro feature, separate encrypted store).
❯ how the encryption works
Zero-knowledge by design
The Vault is end-to-end encrypted with keys we never see. Even with full access to the Vault servers, an attacker would only see ciphertext.
on desktop (no account)
OS keychain, no cloud
Credentials are stored in the platform keychain via Electron's safeStorage — macOS Keychain, Windows DPAPI, or libsecret on Linux. Nothing leaves your machine.
when you sign in
Client-side encryption first
Every secret is encrypted client-side with a PBKDF2-derived key before it touches our servers. The cloud Vault stores ciphertext blobs we can't decrypt.
cross-device unlock
Same Vault on every Spanna install
Sign in on a second machine and the encrypted Vault is delivered to it; the decryption key is derived from your password, never sent to us. Your connections appear; your secrets stay yours.
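The client-side encryption and cross-device unlock described above, sketched as an added example that is not Spanna's code. PBKDF2 comes from the page; AES-256-GCM, SHA-256, the iteration count, the blob layout, binding the entry name as AAD, and all sample values are assumptions.

```javascript
// Added illustration, not Spanna's code. PBKDF2 is from the page; AES-256-GCM,
// SHA-256, the iteration count, the blob layout and the AAD binding are assumptions.
const crypto = require("node:crypto");

const ITERATIONS = 600000; // assumed work factor

// Runs only on the client: the password and derived key never leave the device.
function deriveKey(password, salt) {
  return crypto.pbkdf2Sync(password, salt, ITERATIONS, 32, "sha256");
}

// Encrypt one secret. The entry name stays readable (as in the listing above) but is
// bound to the ciphertext as AAD, so a blob cannot be moved to another entry unnoticed.
function sealSecret(password, entryName, secret) {
  const salt = crypto.randomBytes(16);
  const iv = crypto.randomBytes(12); // fresh nonce per encryption
  const cipher = crypto.createCipheriv("aes-256-gcm", deriveKey(password, salt), iv);
  cipher.setAAD(Buffer.from(entryName, "utf8"));
  const ct = Buffer.concat([cipher.update(secret, "utf8"), cipher.final()]);
  const b64 = (buf) => buf.toString("base64");
  // This object is all the sync server would store.
  return { salt: b64(salt), iv: b64(iv), ct: b64(ct), tag: b64(cipher.getAuthTag()) };
}

// Decrypt on any device that knows the password. Returns null when the password is
// wrong or the blob or entry name was altered (the GCM tag check fails).
function openSecret(password, entryName, blob) {
  const raw = (s) => Buffer.from(s, "base64");
  const key = deriveKey(password, raw(blob.salt));
  const decipher = crypto.createDecipheriv("aes-256-gcm", key, raw(blob.iv));
  decipher.setAAD(Buffer.from(entryName, "utf8"));
  decipher.setAuthTag(raw(blob.tag));
  try {
    return Buffer.concat([decipher.update(raw(blob.ct)), decipher.final()]).toString("utf8");
  } catch {
    return null;
  }
}

// Constructed sample values.
const demoUri = "mongodb+srv://app:pw@cluster0.example.net/users";
const demoBlob = sealSecret("constructed-passphrase", "prod · users", demoUri);
console.log(demoBlob); // what the server holds: salt, iv, ciphertext, tag
console.log(openSecret("constructed-passphrase", "prod · users", demoBlob));
console.log(openSecret("wrong-passphrase", "prod · users", demoBlob));
console.log(openSecret("constructed-passphrase", "staging", demoBlob));
```

The salt and IV are not secret and travel with the blob; what protects the data is the password strength and the PBKDF2 work factor, since anyone holding the blob can attempt offline guesses.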
if something goes wrong
Always exportable, always resettable
Export your connection list any time. If a Vault gets stuck, reset it and re-save the affected credentials. No permanent lock-out path. See /docs/connections for the recovery flows.
roadmap
Coming soon — Team Vault
Shared encrypted Vaults for teams. Per-connection access control, audit logs of who unlocked what, SSO via SAML, and per-seat billing. Building it next.
Stop pasting connection strings into Slack.
encrypted · cross-device · free with a Spanna account