Browser extension overview

A browser password manager for Chrome, Edge and Firefox that keeps nothing sensitive in the browser — secrets stay on the broker and are fetched per use.

Updated Jun 23, 2026

The VaultTerm browser extension is a password manager for Chrome, Edge (Chromium) and Firefox. It matches saved logins to the sites you visit, fills them, captures new logins as you create them, and generates one-time codes — all while keeping nothing sensitive in the browser itself. Secrets live on the broker and are fetched per use; the device unlock is bound to the device, not stored in the extension.

Nothing sensitive lives in the browser

The extension is a thin client over the same audited broker the rest of VaultTerm uses. It does not hold a decrypted copy of your vault:

  • Secrets stay on the broker. A credential is fetched only at the moment it is used to fill a field, and is not persisted in the extension after that.
  • Unlock is device-bound. The vault opens behind a device-bound unlock (a biometric / WebAuthn resident key), so possession of the browser profile alone is not enough — see Install and unlock.
  • Every fetch is audited. Because secrets come from the broker, each access lands on the same tamper-evident audit trail as every other read — see Audit logs.

This matches VaultTerm’s overall posture: an audited access broker, not zero-knowledge. The extension benefits from envelope encryption and no-plaintext-at-rest the same way the web app does.

What it does

  • On-site match detection and autofill. The extension detects login forms on the current page, finds the credentials that match the site, and fills them on request.
  • Capture new logins on submit. When you sign in or create an account, the extension can detect the submitted credentials and offer to save them to the vault.
  • Built-in TOTP authenticator. Time-based one-time codes (RFC 6238) are generated in the extension for accounts that have a TOTP seed stored, so you do not need a separate authenticator app — see Secret types.
  • Phishing / look-alike-domain guard. A deterministic check flags homograph, punycode, typosquat, TLD-swap and brand-embedding domains before you hand over a credential. The classification runs locally and needs no network egress.

Permissions model

The extension requests optional host permissions rather than install-time permissions. It ships with no broad site access; when a feature needs to read or fill a page, you grant access in the popup, and the extension registers its content scripts dynamically at that point. This keeps the default permission footprint small and makes store review fast. Site access can be granted broadly or per site, and features resume immediately after a grant.
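
The paragraph above describes the flow in prose; the block below is an added example of what it looks like against the MV3 extension APIs, written here for illustration rather than taken from VaultTerm's code. The manifest fragment, the content-script id and file name, and the origins are assumptions. The chrome.* object is passed in as a parameter so the grant and revoke logic can be exercised outside a browser with the small in-memory stand-in at the end; in a real popup, permissions.request must run inside the click handler, because Chrome only shows the prompt from a user gesture.

```javascript
// Added example (not VaultTerm's code): optional host permissions plus dynamic
// content-script registration, the pattern the overview describes.

// Manifest fragment an extension of this shape would ship: no host access at
// install time, only the right to ask for it later (assumed values).
const MANIFEST_FRAGMENT = {
  manifest_version: 3,
  permissions: ["scripting", "storage"],
  optional_host_permissions: ["https://*/*"],
  host_permissions: [],
};

const FILL_SCRIPT_ID = "vault-fill"; // assumed id of the autofill content script

// Turn the active tab's URL into the match pattern for a per-site grant, or
// the wildcard for a broad grant. Only https origins are treated as fillable.
function originPattern(tabUrl, scope = "site") {
  if (scope === "all") return "https://*/*";
  const u = new URL(tabUrl);
  if (u.protocol !== "https:") throw new Error("only https origins are eligible for autofill");
  return `${u.protocol}//${u.hostname}/*`;
}

// Prompt for access to `pattern`; on grant, register (or widen) the content
// script for exactly the origins the user has approved so far.
async function grantSiteAccess(pattern, api = globalThis.chrome) {
  const granted = await api.permissions.request({ origins: [pattern] });
  if (!granted) return { granted: false, matches: [] };

  const [existing] = await api.scripting.getRegisteredContentScripts({ ids: [FILL_SCRIPT_ID] });
  const matches = Array.from(new Set([...(existing?.matches ?? []), pattern]));
  const script = { id: FILL_SCRIPT_ID, matches, js: ["fill.js"], runAt: "document_idle", persistAcrossSessions: true };
  if (existing) await api.scripting.updateContentScripts([script]);
  else await api.scripting.registerContentScripts([script]);
  return { granted: true, matches };
}

// Mirror for revocation: drop the origin and narrow or remove the script, so
// the registered script never outlives the permission that justified it.
async function revokeSiteAccess(pattern, api = globalThis.chrome) {
  await api.permissions.remove({ origins: [pattern] });
  const [existing] = await api.scripting.getRegisteredContentScripts({ ids: [FILL_SCRIPT_ID] });
  const matches = (existing?.matches ?? []).filter((m) => m !== pattern);
  if (matches.length === 0) await api.scripting.unregisterContentScripts({ ids: [FILL_SCRIPT_ID] });
  else await api.scripting.updateContentScripts([{ id: FILL_SCRIPT_ID, matches }]);
  return matches;
}

// In-memory stand-in for the chrome.permissions / chrome.scripting surface
// used above, so the flow runs in Node; `decide` plays the user's Allow/Deny.
function fakeExtensionApi(decide = () => true) {
  const origins = new Set();
  const scripts = new Map();
  return {
    permissions: {
      request: async ({ origins: o }) => { if (!decide(o)) return false; o.forEach((x) => origins.add(x)); return true; },
      remove: async ({ origins: o }) => { o.forEach((x) => origins.delete(x)); return true; },
      getAll: async () => ({ origins: [...origins] }),
    },
    scripting: {
      registerContentScripts: async (list) => { list.forEach((s) => scripts.set(s.id, s)); },
      updateContentScripts: async (list) => { list.forEach((s) => scripts.set(s.id, { ...scripts.get(s.id), ...s })); },
      unregisterContentScripts: async ({ ids }) => { ids.forEach((id) => scripts.delete(id)); },
      getRegisteredContentScripts: async ({ ids }) => ids.map((id) => scripts.get(id)).filter(Boolean),
    },
  };
}
```

Keeping the content script's `matches` in lockstep with the granted origins is the part worth copying: a script registered for `https://*/*` after a single per-site grant would silently widen the footprint the permissions model is meant to keep small.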

Where to go next