Hexclave

A safe for the secrets your users hand you

Locked with your secret · We never see the plaintext · Two lines to store, two to read

Stash a token. Get it back. That's it.

One call to set, one to get · Your secret stays on your server · Lose it and even we can't read your data

```ts
// Tuck away a user's OAuth refresh token.
// `stackServerApp`, `user` and `refreshToken` come from your own server code.
const store = await stackServerApp.getDataVaultStore("oauth-tokens");

await store.setValue(`gh:${user.id}`, refreshToken, {
  secret: process.env.STACK_DATA_VAULT_SECRET!,
});
```

A safe that treats your secrets like secrets

No plaintext at rest · One vault per thing you store · Reachable only from your server

[Demo: setValue · oauth-tokens · Sealing. On your server, the token and your secret (env) are sealed locally; Stack Auth stores the key you called it (gh:noah) and the value at rest.]
Locked with your secret before it leaves your server
Lose the secret and even we can't read it

01·Locked before it leaves you

We never see your users' secrets

  • Your secret stays on your server — we never receive it
  • Tokens are sealed locally before the network ever sees them
  • Lose your secret and the data is unrecoverable — even to us
Your secret · Sealed locally · Zero-knowledge
Vault stores · Isolated
  • oauth-tokens: GitHub, Slack, Notion (1,248). getDataVaultStore("oauth-tokens") → key gh:noah
  • recovery-codes: 2FA backup codes (612)
  • api-keys: Per-user provider keys (304)

02·One safe per thing

OAuth tokens, recovery codes, API keys — each in their own room

  • Make a store for each kind of secret — they can't see each other
  • Set up each store from the dashboard once
  • Same code shape for every store — different walls
Isolated stores · Per-store keys · Dashboard-managed
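
The page does not say which cipher or record format the vault uses. As an added sketch (not Hexclave or Stack Auth code), the following shows what "sealed locally" and "per-store keys" can look like, assuming AES-256-GCM with a per-store key derived by HKDF; `storeKey`, `seal`, `unseal`, `fails` and the record layout are hypothetical.

```typescript
import { createCipheriv, createDecipheriv, hkdfSync, randomBytes } from "node:crypto";

// Sketch only. Assumed record layout: nonce (12 bytes) || GCM tag (16 bytes) || ciphertext.
// Assumes `secret` is a high-entropy random value; a passphrase would need a password KDF.

// Derive a separate AES-256 key for each store so stores never share key material.
function storeKey(secret: string, storeId: string): Buffer {
  return Buffer.from(hkdfSync("sha256", secret, "vault-sketch", `store:${storeId}`, 32));
}

// Runs on the server: only the returned bytes would be sent to the storage service.
function seal(secret: string, storeId: string, key: string, plaintext: string): Buffer {
  const nonce = randomBytes(12);
  const cipher = createCipheriv("aes-256-gcm", storeKey(secret, storeId), nonce);
  cipher.setAAD(Buffer.from(`${storeId}\0${key}`)); // bind the record to its store and key
  const body = Buffer.concat([cipher.update(plaintext, "utf8"), cipher.final()]);
  return Buffer.concat([nonce, cipher.getAuthTag(), body]);
}

// Throws if the secret, store, key or any sealed byte differs from what was sealed.
function unseal(secret: string, storeId: string, key: string, sealed: Buffer): string {
  const decipher = createDecipheriv("aes-256-gcm", storeKey(secret, storeId), sealed.subarray(0, 12));
  decipher.setAAD(Buffer.from(`${storeId}\0${key}`));
  decipher.setAuthTag(sealed.subarray(12, 28));
  return Buffer.concat([decipher.update(sealed.subarray(28)), decipher.final()]).toString("utf8");
}

function fails(fn: () => string): boolean {
  try { fn(); return false; } catch { return true; }
}

// Constructed sample values; none of these is a real credential.
function demo() {
  const secret = "constructed-demo-secret-0123456789abcdef";
  const token = "constructed-refresh-token";
  const sealed = seal(secret, "oauth-tokens", "gh:noah", token);
  return {
    plaintextVisible: sealed.includes(token),
    roundTrip: unseal(secret, "oauth-tokens", "gh:noah", sealed),
    wrongSecret: fails(() => unseal("some-other-secret", "oauth-tokens", "gh:noah", sealed)),
    wrongStore: fails(() => unseal(secret, "api-keys", "gh:noah", sealed)),
    wrongKey: fails(() => unseal(secret, "oauth-tokens", "gh:mia", sealed)),
  };
}

console.log(demo());
```

Because the key in this sketch is derived only from the secret, losing the secret leaves the stored bytes undecryptable, which is the trade-off the page describes.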
getValue · server-only · Two callers
  • Browser · client component: no access to your secret
  • Your server · route handler: has your secret (env var)
One door in. Your server holds the key.
There is no client-side path — by design.

03·Server-only by design

There is no client-side path — on purpose

  • The safe opens only on your server, where your secret lives
  • No browser hook, no public endpoint — nothing to leak
  • Need data in the browser? Use it on the server and send only what's safe
Server-only · No client access · Safe by default

Ready to put your users' secrets behind a real safe?

Drop in a single app — or use the whole platform. Either way, you ship faster.
