Credentials Vault

Written by Baltej Singh

What it does

The Credentials Vault is a secure place to store the passwords, API keys, database credentials, certificates, and other secrets your team relies on. Every sensitive value is encrypted before it's stored, so only people you've granted access can see them.

Who can use it

  • Anyone in your organization with read access to the Credentials module. Storing a new credential needs create rights; editing needs write rights. Roles are managed by your Super Admin.

  • The Credentials Vault must be enabled for your organization, otherwise you'll see a "Feature disabled" message with a request-access option.

  • Your organization may have a monthly limit on how many credentials you can add. When the limit is reached, the New credential button is disabled.

How to get here

From the sidebar, open Profile & Company and click Credentials Vault.

What you'll see

  • A left sidebar with a search box, credential Types (Password, API Key, Database, etc.), and Folders.

  • The main area shows your credentials. Toggle between List and Cards view at the top.

  • A vault status badge confirms encryption is on (VAULT · AES-256 · UNLOCKED).

  • Top-right action buttons: Refresh, New credential, and Folders.

Step-by-step: store a new credential

  1. Click New credential in the top-right. The Add New Credential dialog opens.

  2. Fill in the Basic Information:

    • Name (required) — a short label, like "AWS console login" or "Stripe API key".

    • Description — optional notes for your future self or your team.

    • Folder — optional, to group with related credentials.

    • Shared Access — pick teammates who should be able to see this credential. Owners always have access.

  3. Pick a Type (required). Each type asks for different fields:

    • Password — Website URL, Username, Password.

    • Database Credentials — Hostname, Port, Database Name, Username, Password.

    • Certificate — Certificate content.

    • SSH Key — SSH key content.

    • Client ID / Secret — Client ID and Client Secret.

    • API Key — the key value.

    • Token — the token value.

    • Other — a free-form value field for anything that doesn't fit the categories above.

  4. Required fields are marked with a red asterisk. For passwords, a strength meter shows how strong your password is as you type.

  5. Click Create Credential. Nautis encrypts and stores the values, then closes the dialog.

Step-by-step: view a credential

  1. Click any credential in the list. Its detail panel opens.

  2. Secret fields are hidden by default — click the eye icon next to a value to reveal it. Click the copy icon to copy it to your clipboard.

  3. Revealed values auto-hide again after a short period so a secret isn't left visible on your screen.

Step-by-step: edit a credential

  1. Open the credential's detail panel.

  2. Click the edit (pencil) action. The form opens pre-filled with your saved values.

  3. Update what you need, then save. You'll see a confirmation toast.

Step-by-step: organize with folders

  1. Click Folders in the top bar (or the + button next to the Folders heading in the left sidebar).

  2. Create, rename, recolour, or delete folders.

  3. Assign a credential to a folder by editing it and picking from the Folder dropdown.

  4. Use the folder list in the sidebar to filter to All folders, Unfoldered, or a specific folder.

Step-by-step: share with your team

  1. Open the credential for editing.

  2. Under Shared Access, choose the teammates who should be able to see and use this credential.

  3. Save. Anyone not on the list (and without an owner-level role) won't be able to see it in their vault.

Step-by-step: delete a credential

  1. Open the credential's detail panel.

  2. Click the delete action. Nautis shows a Delete Credential confirmation dialog because the action can't be undone.

  3. Confirm. The credential and its encrypted values are removed.

Tips & limits

  • Every credential value is encrypted at rest using AES-256 — even Nautis staff can't read it without your access. The plain text is only decrypted when you reveal it in the UI.

  • Use folders to separate environments (production, staging) or systems (AWS, Stripe, internal databases). It makes audits and onboarding easier.

  • The password strength meter is for your own reference — Nautis won't reject a weak password, but using a strong one is always a good idea.

  • Search in the sidebar matches credential names and descriptions only, not secret values (those stay encrypted).

FAQ

Who can see my credentials?

Only you (the owner) and the teammates you've explicitly added under Shared Access. Members of your org without that share won't see the credential at all.

Can Nautis support staff read my passwords?

No. Secret values are encrypted before they leave your browser-side request. They're decrypted only when an authorised user opens them in the UI.

What happens to shared credentials when a teammate leaves?

When their account is removed from your organization, they lose access automatically. You may want to rotate the underlying secret as a precaution.

Can I export my credentials?

Not directly — exporting bulk secrets in plain text would defeat the point of an encrypted vault. Copy individual values when you need them.

What's the difference between Client ID / Secret, API Key, and Token?

They're all secrets, but each has its own form so the right labels show up. Pick the one that matches what your service calls it; if in doubt, use Other.

Can I recover a deleted credential?

No. Delete is permanent — that's why Nautis asks you to confirm.
