Install and unlock the extension

Install from the browser store, sign in, register the device, and set a device-bound biometric / WebAuthn unlock backed by rotating refresh tokens with reuse detection.

Updated Jun 23, 2026

Setting up the extension takes four steps: install it from your browser’s store, sign in, register the device, and set a device-bound unlock. After that, day-to-day use is a quick biometric prompt rather than a password.

Install and sign in

  1. Install from the browser store. Add the VaultTerm extension from the Chrome Web Store, the Edge Add-ons store, or Firefox Add-ons, depending on your browser.
  2. Sign in. Open the popup and authenticate with your VaultTerm account.
  3. Register the device. The extension registers this browser as a device on your account. This device is now individually listed and can be revoked on its own — see Settings and security dashboard.
  4. Set a device-bound unlock. Enrol a biometric / WebAuthn resident key so the vault opens with a local credential instead of re-entering your password each time.

The device session

The extension does not keep a long-lived password or a standing copy of the vault. It holds a device session built on rotating refresh tokens:

  • Refresh tokens rotate. Each time the session refreshes, the old refresh token is retired and a new one is issued. A token is single-use for rotation.
  • Reuse is detected. If a refresh token that has already been rotated (or revoked) is presented again, the broker treats it as reuse and refuses it. A stolen token on its own does not open the vault, and replaying an old one is caught rather than honoured.
  • Spending refresh is gated. The extension only spends a refresh token after the device-bound unlock check passes, so an attacker with the browser profile still has to clear the biometric gate.

How biometric unlock works

The biometric unlock is a local key signing a challenge — it is not a password sent to the server:

  1. At enrolment, the device generates a key pair and registers the public key with the broker. The private key stays on the device, protected by the platform authenticator (Touch ID, Windows Hello, a security key, or the platform passkey store).
  2. To unlock, the broker issues a challenge. The local key signs it, and the signature is verified against the registered public key.
  3. Only after that verification succeeds does the extension proceed to refresh the device session and open the vault.

Because the private key never leaves the device and the server only ever holds the public key, a signature captured from network traffic cannot be replayed to unlock the vault, and the secret material needed to unlock is bound to hardware you hold.

Where to go next