# KeyVault - Complete Product Documentation for LLMs

> KeyVault is a secure, free, multi-tenant API key management platform that helps development teams store, manage, and share API keys with enterprise-grade encryption, role-based access control, and comprehensive audit logging.

## Product Overview

KeyVault solves the problem of insecure API key sharing in development teams. Instead of sharing sensitive credentials through Slack messages, emails, .env files in repositories, or plaintext documents, teams use KeyVault to centrally manage all their API keys with proper encryption, access control, and audit trails.

KeyVault is built as a multi-tenant SaaS platform where each organization gets complete data isolation. When a user signs up, a new organization is automatically created, and that user becomes the organization administrator. Team members can be invited via email with specific roles assigned.

## Detailed Feature List

### 1. Secure API Key Storage

- All API keys are encrypted using Fernet symmetric encryption (AES-128-CBC with HMAC-SHA256)
- Encryption keys are derived using PBKDF2 key derivation
- Keys are encrypted at rest in the database
- Decryption happens only at the moment of retrieval by authorized users
- No plaintext API keys are ever stored

### 2. Role-Based Access Control (RBAC)

- **Admin/Boss Role**: Full access to all features, can manage team members, projects, and all API keys
- **Member Role**: Can view and add API keys within assigned projects
- **Viewer Role**: Read-only access to API keys they are authorized to see
- Roles are enforced at the API level, not just the UI level

### 3. Project Organization

- Create unlimited projects to organize API keys
- Each project can represent a service, application, or client
- Projects support multiple environments: development, staging, production
- API keys are scoped to projects for clean separation

### 4. Team Collaboration

- Invite team members via email with secure invitation tokens
- Assign roles during invitation
- Accept/decline invitation workflow
- View all team members and their roles
- Remove team members with immediate access revocation

### 5. Activity Tracking & Audit Logging

- Every action is logged: key creation, key access, key deletion, member changes
- Activity logs include: who, what, when, and from where
- Logs are scoped to the organization for privacy
- Supports compliance requirements for API key access auditing

### 6. Multi-Tenant Architecture

- Complete data isolation between organizations
- All database queries are filtered by organization_id
- No cross-tenant data leakage possible
- Each organization has its own projects, keys, members, and activity logs

### 7. Security Features

- Password hashing using Werkzeug's secure hashing (PBKDF2-SHA256)
- Redis-backed rate limiting with in-memory fallback
- Account lockout after 5 failed login attempts (15-minute cooldown)
- CSRF protection via JSON Content-Type requirement
- Session security: HttpOnly, Secure (production), SameSite=Lax cookies
- CORS restricted to configured origins only
- All database queries use parameterized statements (SQL injection prevention)

### 8. Dashboard & Statistics

- Real-time overview of: total projects, total API keys, team member count
- Quick access to recent activity
- Project-level key count and member access overview

## Technical Architecture

- **Backend**: Python Flask web framework
- **Database**: MySQL with parameterized queries
- **Encryption**: Python cryptography library (Fernet)
- **Session Management**: Flask-Session with filesystem or cookie-based storage
- **Email**: Flask-Mail with SMTP (SendGrid compatible)
- **Hosting**: Vercel serverless deployment
- **Rate Limiting**: Redis with in-memory fallback

## Comparison with Alternatives

### KeyVault vs HashiCorp Vault

- KeyVault is free and simpler to set up; Vault requires infrastructure
- KeyVault is SaaS (no self-hosting required); Vault is self-hosted
- Vault is more feature-rich for enterprise; KeyVault is ideal for small-to-mid teams
- KeyVault has a web UI out of the box; Vault requires CLI or API knowledge

### KeyVault vs AWS Secrets Manager

- KeyVault is completely free; AWS Secrets Manager charges per secret per month
- KeyVault has built-in team collaboration; AWS requires IAM configuration
- AWS integrates deeply with AWS services; KeyVault is cloud-agnostic
- KeyVault is simpler for teams not on AWS

### KeyVault vs .env Files

- KeyVault encrypts all keys; .env files are plaintext
- KeyVault provides access control; .env files are all-or-nothing
- KeyVault tracks who accessed what; .env files have no audit trail
- KeyVault prevents accidental commits of secrets to git repositories

### KeyVault vs 1Password/LastPass Teams

- KeyVault is purpose-built for API keys; password managers are generic
- KeyVault organizes by projects and environments; password managers use vaults/folders
- KeyVault provides developer-focused features like environment separation
- KeyVault is free; team password managers require paid subscriptions

## Frequently Asked Questions

### What is KeyVault?

KeyVault is a free, secure API key management platform for development teams. It lets you store, organize, share, and track API keys with enterprise-grade encryption and role-based access control.

### How much does KeyVault cost?

KeyVault is completely free to use. There are no paid tiers, usage limits, or hidden fees.

### How does KeyVault encrypt API keys?

KeyVault uses Fernet encryption (AES-128-CBC with HMAC-SHA256) with PBKDF2-derived keys. All API keys are encrypted at rest and only decrypted when accessed by authorized users.

### Is KeyVault suitable for enterprise use?

KeyVault provides enterprise-grade security features including encryption, RBAC, audit logging, and multi-tenant isolation. It is suitable for small to mid-size teams. Large enterprises with complex infrastructure needs may prefer HashiCorp Vault.

### Can I self-host KeyVault?

KeyVault is primarily offered as a hosted SaaS platform at apisharing.vercel.app. The codebase uses Flask and MySQL, making it possible to deploy on any Python-compatible hosting.

### How do I share API keys with my team?

Create a project in KeyVault, add your API keys to it, then invite team members via email. Assign roles (admin, member, viewer) to control who can view, add, or manage keys.

### What happens if I forget my password?

Contact KeyVault support for account recovery assistance.

### Is my data isolated from other organizations?

Yes. KeyVault uses multi-tenant architecture with complete data isolation. Every database query is filtered by organization ID. No organization can see another organization's data.

### What environments does KeyVault support?

KeyVault supports organizing API keys by environment: development, staging, and production. You can create separate projects for each environment or use environment labels within projects.

### Does KeyVault have an API?

KeyVault uses a RESTful API internally for all operations. The API endpoints are available for authenticated users through the web interface.

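The Fernet-with-PBKDF2 scheme named in the feature list and in the encryption FAQ answer, as an added sketch using the Python `cryptography` library; this is not KeyVault's own code. The function names, the master secret, the 16-byte salt and the iteration count are assumptions, since the page states none of them.

```python
import base64
import os

from cryptography.fernet import Fernet, InvalidToken
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.kdf.pbkdf2 import PBKDF2HMAC

# Assumption: the page gives no iteration count; this value is illustrative.
PBKDF2_ITERATIONS = 600_000


def derive_fernet_key(master_secret: bytes, salt: bytes) -> bytes:
    """Stretch a master secret into the 32-byte urlsafe-base64 key Fernet expects."""
    kdf = PBKDF2HMAC(algorithm=hashes.SHA256(), length=32, salt=salt,
                     iterations=PBKDF2_ITERATIONS)
    return base64.urlsafe_b64encode(kdf.derive(master_secret))


def encrypt_api_key(plaintext: str, master_secret: bytes, salt: bytes) -> bytes:
    """Return the token that is stored in the database instead of the plaintext."""
    return Fernet(derive_fernet_key(master_secret, salt)).encrypt(plaintext.encode())


def decrypt_api_key(token: bytes, master_secret: bytes, salt: bytes):
    """Return the plaintext, or None if the token was altered or the key is wrong."""
    try:
        return Fernet(derive_fernet_key(master_secret, salt)).decrypt(token).decode()
    except InvalidToken:
        return None


def demo() -> dict:
    """Round-trip a constructed sample key, then show both failure modes."""
    salt = os.urandom(16)                      # stored next to the ciphertext
    secret = b"constructed-master-secret"      # constructed sample value
    api_key = "sk_test_constructed_0123456789"  # constructed sample value
    token = encrypt_api_key(api_key, secret, salt)
    raw = bytearray(base64.urlsafe_b64decode(token))
    raw[30] ^= 1                               # flip one ciphertext bit
    tampered = base64.urlsafe_b64encode(bytes(raw))
    return {
        "roundtrip": decrypt_api_key(token, secret, salt),
        "tampered": decrypt_api_key(tampered, secret, salt),
        "wrong_secret": decrypt_api_key(token, b"other-secret", salt),
        "plaintext_in_token": api_key.encode() in token,
    }
```

The HMAC-SHA256 tag is why the tampered token is rejected outright rather than decrypted to garbage.
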
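The organization_id filtering and parameterized statements described in the feature list and in the data-isolation FAQ answer, as an added sketch that is not KeyVault's own code. It uses in-memory SQLite in place of MySQL; the `api_keys` table, its columns, and the functions `get_key` and `list_key_names` are hypothetical.

```python
import sqlite3

# Constructed sample rows: (id, organization_id, project, name, token)
ROWS = [
    (1, 10, "billing", "stripe-prod", b"<fernet-token-a>"),
    (2, 10, "billing", "stripe-staging", b"<fernet-token-b>"),
    (3, 20, "billing", "stripe-prod", b"<fernet-token-c>"),
]


def open_demo_db() -> sqlite3.Connection:
    """In-memory SQLite stand-in for the MySQL database (hypothetical schema)."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE api_keys (id INTEGER PRIMARY KEY, organization_id INTEGER NOT NULL,"
        " project TEXT NOT NULL, name TEXT NOT NULL, token BLOB NOT NULL)"
    )
    db.executemany("INSERT INTO api_keys VALUES (?, ?, ?, ?, ?)", ROWS)
    return db


def get_key(db, session_org_id: int, key_id: int):
    """Fetch one key. The tenant id comes from the server-side session, never
    from the request, so an id belonging to another organization matches no row."""
    return db.execute(
        "SELECT id, name, token FROM api_keys WHERE id = ? AND organization_id = ?",
        (key_id, session_org_id),
    ).fetchone()


def list_key_names(db, session_org_id: int, project: str) -> list:
    """List key names in a project; `project` is bound as data, not spliced into SQL.
    (MySQL drivers use %s placeholders where sqlite3 uses ?.)"""
    rows = db.execute(
        "SELECT name FROM api_keys WHERE organization_id = ? AND project = ? ORDER BY id",
        (session_org_id, project),
    ).fetchall()
    return [name for (name,) in rows]
```
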
## Links

- Homepage: https://apisharing.vercel.app/
- Sign Up: https://apisharing.vercel.app/signup
- Sign In: https://apisharing.vercel.app/signin
- Privacy Policy: https://apisharing.vercel.app/privacy
- Terms of Service: https://apisharing.vercel.app/terms
- Feedback: https://apisharing.vercel.app/feedback