Secret types
Reference for every secret type the VaultTerm vault supports — each with a purpose-built form rather than a generic note field.
Updated Jun 23, 2026
VaultTerm is typed. Rather than store everything as free-form text, the vault models each kind of secret with a dedicated type, and each type gets a purpose-built form with the right fields — not a single generic note field. This keeps records structured, lets features like rotation and exposure detection understand what a secret is, and keeps the experience honest about what each record holds.
Supported types
| Type | Description | Example fields |
|---|---|---|
| PASSWORD | A login credential for a site or service | username, url, password, notes, custom fields |
| API_KEY | A key or token for a service or API | key value, label, associated service, notes |
| SSH_KEY | An SSH private key used by the broker to connect | private key (Ed25519, RSA or ECDSA), passphrase, public key |
| ENV_VAR | An environment variable or value injected into a session | name, value |
| SECURE_NOTE | Free-form encrypted text for anything without its own type | title, body |
| TOTP | A time-based one-time-password seed with a built-in authenticator | otpauth seed/URI, issuer, account |
| PAYMENT_CARD | A stored payment card | cardholder, card number, expiry, CVV, notes |
| IDENTITY | Personal identity details kept in the vault | name, address, contact and document fields |
| PASSKEY | A WebAuthn passkey credential | relying party, credential, user handle |
Notes on specific types
SSH_KEY
An SSH key stores the private key in one of the common algorithms — Ed25519, RSA or ECDSA — with an optional passphrase. These keys are what the SSH broker uses to connect to hosts, so the private key never has to live on the connecting laptop.
TOTP
A TOTP record holds the otpauth seed and acts as a built-in authenticator: VaultTerm generates the current one-time code from the stored seed, so you do not need a separate authenticator app to log in to a service whose second factor lives in the vault.
PASSKEY
A passkey record stores a WebAuthn credential, letting the vault hold passwordless credentials alongside traditional secrets.
Why typed records matter
- Structured fields. A password’s URL, a card’s expiry, an SSH key’s algorithm are stored as distinct fields, not buried in a note.
- Feature awareness. Credential health and rotation can reason about a record because they know its type.
- Cleaner forms. Each type’s form shows only the fields that make sense for it.
Where to go next
- Pick the right vault and roles in Vault overview.
- Share and rotate typed secrets in Sharing and rotation.
- Bring existing records in via Importing secrets.