Operations Suite · 03 / Credentials

Your credentials never touch our database.

Every API key, token, and password Suriq needs lives in a vault you control - OpenBao, HashiCorp Vault, Infisical, or Akeyless. The console can write a secret but never read it back. Only the job that needs it, at the moment it runs, can.

Vault providers: Multi-provider
Two identities: Write-only · read-only
Bring your own: Per team
Default vault: Managed OpenBao

Keys you hand over once, that we can never read.

01

Secrets live in a vault, not our database

Every credential sits in the vault. The database, the job logs, and the backups only ever hold a reference to it - never the value itself.

02

The console can't read them back

One identity writes and deletes secrets. A separate, read-only identity reads them at execution. Neither can do the other's job - so a compromise on one side cannot pull your keys.

03

Bring the vault you already trust

OpenBao, HashiCorp Vault, Infisical, or Akeyless - per team, with isolated paths. Or start on the platform's default OpenBao. Same console either way.

04

Proven before it stores a thing

On setup, Suriq writes a throwaway probe secret, reads it back, and deletes it. If the permissions are wrong, it fails loudly - before a single real credential is saved.

05

Rotate without a redeploy

Change a credential in the vault and Suriq picks up the new value on the next job. No schema change, no restart, no redeploy.

06

Move vaults without re-entering a thing

Switch from one vault provider to another and Suriq migrates your secrets across for you, path for path.

From the moment you paste it to the moment it's used.

01

You save it

You paste a key into the console. Its write identity stores it at a team-scoped path in the vault. The database keeps only the reference.

02

The job carries a reference

When a job is created, its record holds the entity ID and the vault path - never the credential value.

03

Resolved at run time

The read-only identity fetches the secret at execution, uses it for the one provider call, and holds it in memory only, briefly.

04

Logged in your vault

Your vault records the read in its own audit trail - an independent record of who reached what, kept on a system you control.
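
The write identity and the read-only identity described above can be expressed as two OpenBao / HashiCorp Vault ACL policies. This is an added example, not Suriq's own configuration; the KV v2 mount `secret/`, the team prefix `teams/team-a/` and both policy names are assumptions.

```hcl
# Two separate policy documents, shown together. Load each as its own policy.
# Assumptions (not from the page): KV v2 engine mounted at "secret/",
# team prefix "teams/team-a/", and the policy names used in the comments.

# --- Policy "console-writer" (hypothetical name): the console's identity ---
# Can store, overwrite and delete secrets. No "read" capability is granted,
# and policies are deny-by-default, so it cannot read a value back.
path "secret/data/teams/team-a/*" {
  capabilities = ["create", "update", "delete"]
}

# Deleting the metadata entry removes every version of a KV v2 secret.
path "secret/metadata/teams/team-a/*" {
  capabilities = ["delete"]
}

# --- Policy "job-reader" (hypothetical name): the execution identity ---
# Can read secret values at run time and nothing else:
# no create, update, delete or list.
path "secret/data/teams/team-a/*" {
  capabilities = ["read"]
}
```

Attach each policy to its own token or auth role so the two identities never share credentials. Scoping the path prefix per team is what keeps one team's policy from reaching another team's secrets.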

Bring the vault you already trust.

Every connector follows the same write-only and read-only contract, so the security posture is identical whichever you pick.

OpenBao (Default)
HashiCorp Vault
Infisical
Akeyless

Every team starts on the platform's default OpenBao - autopilot configures the engine, policies, and paths for you. Connect your own vault per team whenever you prefer; the console works the same either way.

Take your credentials out of the database.

Vault integration ships with Suriq. Connect the vault your security team already approved, or stand up OpenBao with autopilot in minutes.