scanner docs insights pricing sign in
// enterprise demo · split-key secrets · edge proxy

The security boundary your team can actually ship.

VaultProof removes raw third-party API keys from apps, agents, CI jobs, and fleet-facing services. The rollout stays practical: keep the SDK, swap the base URL, push a project identifier, and make policy visible.

start pilot see architecture
what changes
base URL + project ID
what disappears
plaintext provider keys
best first buyer
security + platform
vaultproof.dev / enterprise-demo / scanner.log
live evidence
npx @vaultproof/init scan .
walking tree 1,247 files · 318,402 lines · 812ms
9 providers matched · 8 exposed
!! apps/web/.env.production:4 openai sk-proj-7Yx9qL2v...M3nQpK unsplit
!! services/worker/src/client.ts:8 anthropic sk-ant-api03-kR9...xT4 hardcoded
!! .git/objects/pack/HEAD~4 openai sk-proj-kZ4p...REDACTED history
proposed: split 7 live keys · rewrite 4 files
policy gateway / live enterprise view
traffic healthy
inputs

apps, agents, CI, device gateways

  • web runtime
  • copilot jobs
  • github actions
  • fleet control plane
vaultproof layer

policy before the upstream call

VAULTPROOF_PROJECT_ID=vp-proj-enterprise
OPENAI_BASE_URL=https://init.vaultproof.dev/p/openai/v1
outcomes

origin lock, logs, revoke, spend caps

  • per-route policy
  • per-provider routing
  • fast revoke
  • budget controls
01 / stakeholder language

The same platform lands differently for each buyer.

The handoff design leaned into a dense, buyer-ready walkthrough. This section keeps that shape, but lets security, platform, and product leaders read the same control plane through their own risk model.

CISO View

Remove raw third-party keys from the highest-risk surfaces.

The pitch for security leaders is simple: secrets managers still hand plaintext keys to apps and pipelines. VaultProof keeps the key out of those environments entirely, then adds enforceable runtime policy on the calls that remain.

02 / before and after

Make the boundary visible in one screenful.

The design bundle centered the scanner as proof. For enterprise-demo, the equivalent move is a sharp before-and-after: where the raw key used to exist, and what the app receives after VaultProof is in the path.

before

Plaintext secret spread across runtime surfaces.

OPENAI_API_KEY=sk-proj-abc123...
STRIPE_SECRET_KEY=sk_live_xyz789...
Lives in .env, CI variables, agent context, or config screens.
A repo leak, browser mistake, or compromised runner can use the raw credential immediately.
Incident response becomes “rotate everything and hope you found every copy.”
after vaultproof

Project-scoped access plus policy, not a copied provider key.

VAULTPROOF_PROJECT_ID=vp-proj-enterprise
OPENAI_BASE_URL=https://init.vaultproof.dev/p/openai/v1
policy

Origin lock, IP rules, route restrictions, and budget caps all apply before the upstream call.

audit

See which project, which provider, which route, and when the request happened.

response

Revoke or disable centrally without touching every codebase, repo, runner, or service.

rollout

Keep the provider SDK. Change the env values. Pilot in a stack the team already ships.

03 / comparison

Different from vaults because the whole key never needs to sit there.

The original landing exploration added a comparison matrix after iteration. That belongs here too because enterprise buyers ask it fast: why this instead of Doppler, Infisical, or just another `.env` workflow?

capability
vaultproofvp-proj-...
dopplerenv sync
infisicalvault + api
.envplain file
Key never exists whole on disk
yes
no
no
no
Transparent provider proxy
yes
no
no
no
Works with unmodified SDKs
yes
yes
yes
yes
Built-in exposed-key scanner
built-in
add-on
partial
no
Origin-locked project access
yes
no
no
no
Zero plaintext at rest in one store
yes
no
no
no
04 / use cases

One control model across apps, CI, and connected systems.

The design notes called out web, CI/CD, IoT, and cars explicitly. That same coverage belongs here because it widens the enterprise motion without changing the core product story.

Web App Pattern

Browser and backend share one policy-controlled path.

For SaaS teams, the cleanest motion is to replace raw provider secrets in the backend and origin-lock browser traffic. That makes leaked front-end identifiers much less dangerous and gives the security team a visible boundary around outbound API usage.

champion
Security + platform engineering
fast pilot
One production API integration and one staging environment
why it wins
Removes .env exposure without a full secret-manager migration.
05 / what needs to feel real

Enterprise proof points should be visible before the first demo call.

The handoff bundle kept the promise surface compact and specific. These are the claims the page should communicate within the first scroll and defend in the second.

control

Origin and IP policy

Lock traffic by domain, route, provider, or IP range so a leaked identifier does not become a free pass.

governance

Audit trail and revoke

See who called what, when it failed, and how to shut it off without chasing raw keys across teams.

safety

Spend and abuse controls

Budget caps and route restrictions help stop runaway costs and misuse before they compound.

adoption

Rollout without SDK rewrite

The fastest path still wins: keep the provider SDK, change the env values, and pilot in an existing stack.

06 / pilot plan

A realistic 30-day rollout for the first shared workspace.

The buyer story should end with a pilot motion, not a vague contact form. This timeline keeps the enterprise page specific enough to be actionable.

Week 1

Pick one high-risk integration: AI provider, payment flow, or CI job that still depends on a plaintext secret.

Week 2

Route through VaultProof. Replace the provider secret with a project ID and apply origin or IP policy.

Week 3

Walk security through audit logs, alert paths, spend caps, and incident-response controls.

Week 4

Expand from one app into the next environment: browser, pipeline, or fleet gateway.

pilot motion

Bring one app, one provider, or one pipeline.

We will map the current plaintext secret path, route it through VaultProof, and show your team the policy and audit boundary in a live session.

best proof points

No raw provider key in runtime, no SDK rewrite, revocation in one place, and a path from web apps to CI/CD to connected systems.

demo outcome

A buyer should leave saying: this is not another vault, it changes what our apps and agents can actually touch.

request live demo open product demo