Security at SatisVault
Your secrets never touch our servers. SatisVault runs entirely in your browser with a zero-knowledge architecture - we literally cannot see your data.
Zero-Knowledge Architecture
SatisVault is a browser-only tool. There is no backend, no relay server, and no middle layer between you and your cloud provider. When you fetch a secret, the request goes directly from your browser to Azure Key Vault or AWS Secrets Manager.
Secrets never leave your browser
Secret values are fetched from your vault API and rendered locally. They are never forwarded, logged, or transmitted anywhere else.
No external servers involved
SatisVault does not operate any server that handles your vault data. The extension talks directly to your cloud provider's API endpoints.
No data stored outside your browser
Preferences, cached metadata, and session tokens are stored in Chrome's local storage. Nothing is synced to the cloud or sent to any third party.
Fully client-side execution
Every line of code runs in your browser's extension sandbox. You can verify this yourself with Chrome DevTools - check the Network tab and see exactly what goes where.
Authentication
SatisVault never asks for your password. Instead, it delegates authentication entirely to your cloud provider using industry-standard protocols.
Azure Key Vault
- OAuth 2.0 with PKCE - the most secure OAuth flow available. PKCE (Proof Key for Code Exchange) prevents authorization code interception attacks.
- Authentication happens on Microsoft's official login page (login.microsoftonline.com). SatisVault never sees your Microsoft password.
- Access tokens are stored locally in Chrome's storage and refresh automatically. They are never sent to SatisVault or any third party.
- Your existing Azure RBAC policies control what the extension can access. SatisVault cannot bypass your organization's access controls.
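Why PKCE makes an intercepted authorization code useless, shown from both sides. This is an added example, not SatisVault's or Microsoft's code; `ToyAuthServer` and the token value are constructed, and it uses Node's `crypto` module so it runs offline (in a browser the same hash would come from Web Crypto).

```javascript
// Added example: PKCE (RFC 7636, S256) seen from the client and the server.
const { createHash, randomBytes, timingSafeEqual } = require("node:crypto");

// Client: fresh random verifier per login; 32 bytes -> 43 base64url chars.
function newVerifier() {
  return randomBytes(32).toString("base64url");
}

// Client: only this hash of the verifier travels in the authorization request.
function challengeFor(verifier) {
  return createHash("sha256").update(verifier, "ascii").digest("base64url");
}

// Toy authorization server, constructed for this example.
class ToyAuthServer {
  constructor() {
    this.pending = new Map(); // authorization code -> code_challenge
  }
  authorize(codeChallenge) {
    const code = randomBytes(16).toString("base64url");
    this.pending.set(code, codeChallenge);
    return code;
  }
  token(code, codeVerifier) {
    const expected = this.pending.get(code);
    this.pending.delete(code); // codes are single use
    if (!expected || !/^[A-Za-z0-9._~-]{43,128}$/.test(String(codeVerifier))) {
      return { error: "invalid_grant" };
    }
    const got = Buffer.from(challengeFor(codeVerifier));
    const want = Buffer.from(expected);
    const ok = got.length === want.length && timingSafeEqual(got, want);
    return ok ? { access_token: "constructed-token" } : { error: "invalid_grant" };
  }
}

// A party holding only the code redeems it first; then a clean login follows.
function demo() {
  const server = new ToyAuthServer();
  const verifier = newVerifier();
  const leakedCode = server.authorize(challengeFor(verifier));
  const intercepted = server.token(leakedCode, newVerifier()); // no real verifier
  const legit = server.token(server.authorize(challengeFor(verifier)), verifier);
  return { intercepted, legit };
}
```

The verifier never appears in the redirect, so the code alone cannot be exchanged for a token.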
AWS Secrets Manager
- AWS IAM access keys are stored exclusively in Chrome's encrypted local storage. They never leave your browser.
- API requests go directly from your browser to secretsmanager.*.amazonaws.com. No proxy, no relay.
- You control access through AWS IAM policies. Use a scoped IAM user with only SecretsManager permissions for maximum safety.
Chrome Permissions Explained
Chrome extensions must declare every permission they need upfront. Here is exactly what SatisVault requests and why. No hidden permissions, no broad access.
storage
Save vault connections, URL tags, preferences, and cached metadata locally in your browser. This is Chrome's built-in extension storage API - data stays on your device.
identity
Required for the OAuth 2.0 authentication flow. This lets Chrome open your cloud provider's login page and securely return the authorization token to the extension.
activeTab
Allows SatisVault to autofill credentials on the page you are currently viewing. This only activates when you explicitly interact with the extension - it cannot read other tabs.
tabs
Detects the URL of the current tab to match it against your tagged secrets. This is how SatisVault knows when to show a badge notification that matching credentials are available.
https://*.vault.azure.net/*
Enables direct API calls from your browser to Azure Key Vault. Without this permission, the extension could not fetch your vault list or secret values. Traffic goes straight to Microsoft's servers.
https://secretsmanager.*.amazonaws.com/*
Enables direct API calls from your browser to AWS Secrets Manager. Requests go straight to AWS endpoints in your configured region. No intermediary servers are involved.
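A reviewer can compare the installed extension's `manifest.json` against the list above. This is an added example, not SatisVault's code; both sample manifests are constructed, and the function names are hypothetical.

```javascript
// Added example: diff a manifest against the permissions this page declares.
const DECLARED_API = ["storage", "identity", "activeTab", "tabs"];
const DECLARED_HOSTS = [
  "https://*.vault.azure.net/*",
  "https://secretsmanager.*.amazonaws.com/*",
];

// Host access is expressed as a match pattern or the <all_urls> keyword.
const isHostPattern = (p) =>
  p === "<all_urls>" || /^(\*|https?|wss?|file|ftp):\/\//.test(p);

function auditManifest(manifest) {
  // Every place a manifest can ask for API or page access, optional grants
  // and content-script matches included.
  const requested = [
    ...(manifest.permissions ?? []),
    ...(manifest.optional_permissions ?? []),
    ...(manifest.host_permissions ?? []),
    ...(manifest.optional_host_permissions ?? []),
    ...(manifest.content_scripts ?? []).flatMap((cs) => cs.matches ?? []),
  ].filter((p) => typeof p === "string");

  const findings = [];
  for (const p of new Set(requested)) {
    if (isHostPattern(p)) {
      if (!DECLARED_HOSTS.includes(p)) findings.push({ kind: "undeclared-host", value: p });
    } else if (!DECLARED_API.includes(p)) {
      findings.push({ kind: "undeclared-permission", value: p });
    }
  }
  const missing = [...DECLARED_API, ...DECLARED_HOSTS].filter((p) => !requested.includes(p));
  return { findings, missing };
}

// Constructed sample: matches the declared list exactly.
const SAMPLE_OK = {
  manifest_version: 3,
  permissions: ["storage", "identity", "activeTab", "tabs"],
  host_permissions: [...DECLARED_HOSTS],
};

// Constructed sample: broader than declared.
const SAMPLE_BROAD = {
  manifest_version: 3,
  permissions: ["storage", "identity", "activeTab", "tabs", "webRequest"],
  host_permissions: ["https://*.vault.azure.net/*", "<all_urls>"],
  content_scripts: [{ matches: ["*://*/*"], js: ["content.js"] }],
};
```

Patterns are compared as literal strings, so a manifest that lists per-region hosts instead of the pattern shown here is reported as undeclared and needs a manual look.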
What We Don't Do
Trust is earned through transparency. Here is a concrete list of things SatisVault will never do inside the extension.
No analytics inside the extension
Zero tracking pixels, zero analytics SDKs. We use analytics only on this marketing website, never inside the extension.
No telemetry or usage tracking
We do not track which secrets you access, how often you use the extension, or any behavioral data.
No third-party SDKs
The extension bundles no external libraries that phone home. No Sentry, no Mixpanel, no Amplitude, no Segment.
No data leaves the browser
The only outbound traffic from the extension goes to your Azure or AWS vault endpoints. Nothing else.
No server-side component
There is no SatisVault backend that processes your vault data. The extension is the entire product.
Your credentials are never sent to us
We cannot see your OAuth tokens, AWS access keys, secret values, or any other credential. Physically impossible by architecture.
Verify it yourself: Open Chrome DevTools (F12), go to the Network tab, and use SatisVault normally. You will only see requests to *.vault.azure.net, *.amazonaws.com, and Microsoft/Google login endpoints. Nothing else.
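The same check can be run over a HAR file exported from the Network tab instead of reading the list by eye. This is an added example, not part of SatisVault; the sample entries are constructed, and `accounts.google.com` as the Google login host is an assumption, since the page does not name it.

```javascript
// Added example: flag HAR entries outside the hosts this page lists.
const ALLOWED_SUFFIXES = ["vault.azure.net", "amazonaws.com"]; // *.<suffix>
const ALLOWED_EXACT = [
  "login.microsoftonline.com",
  "accounts.google.com", // assumption: Google login endpoint
];

// Suffix match on a label boundary, so lookalike hosts do not pass.
function hostAllowed(host) {
  const h = host.toLowerCase().replace(/\.$/, "");
  return ALLOWED_EXACT.includes(h) || ALLOWED_SUFFIXES.some((s) => h.endsWith("." + s));
}

function unexpectedRequests(har) {
  const hits = new Map(); // "reason host" -> count
  for (const entry of har.log?.entries ?? []) {
    let url;
    try {
      url = new URL(entry.request.url);
    } catch {
      continue; // not a URL; nothing to classify
    }
    // The extension's own pages and inline data are not network traffic.
    if (["chrome-extension:", "data:", "blob:"].includes(url.protocol)) continue;
    const reason =
      url.protocol !== "https:" ? "not-https"
      : hostAllowed(url.hostname) ? null
      : "unexpected-host";
    if (!reason) continue;
    const key = `${reason} ${url.host}`;
    hits.set(key, (hits.get(key) ?? 0) + 1);
  }
  return [...hits].map(([key, count]) => {
    const [reason, host] = key.split(" ");
    return { reason, host, count };
  });
}

// Constructed HAR fragment; only the fields the check reads are present.
const SAMPLE_HAR = { log: { entries: [
  "https://contoso-kv.vault.azure.net/secrets/db-password",
  "https://secretsmanager.eu-west-1.amazonaws.com/",
  "https://login.microsoftonline.com/common/oauth2/v2.0/token",
  "chrome-extension://constructedid/popup.html",
  "https://vault.azure.net.example.test/collect",
  "https://vault.azure.net.example.test/collect",
  "http://secretsmanager.eu-west-1.amazonaws.com/",
].map((u) => ({ request: { method: "GET", url: u } })) } };
```

An empty result from `unexpectedRequests` on a real capture is what the page's claim predicts; any entry it returns is a host to investigate.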
Security FAQ
Common questions about SatisVault's security model
Is the extension open source?
Not currently. However, we publish our security architecture transparently on this page, and you can inspect every network request the extension makes using Chrome DevTools. The extension runs entirely client-side, so there is no hidden server logic to worry about.
How do I revoke access?
Azure
Open the Azure Portal → Azure Active Directory → Enterprise Applications → find SatisVault → click Remove. Your OAuth tokens are immediately invalidated.
AWS
Open the AWS Console → IAM → Users → find the access key you used with SatisVault → delete or deactivate it. SatisVault can no longer reach your AWS Secrets Manager.
What happens if I uninstall?
All local data is deleted immediately by Chrome. This includes cached vault metadata, session tokens, preferences, and URL tags. Nothing persists on your machine after uninstall. Your actual secrets remain safe in your Azure Key Vault or AWS Secrets Manager - SatisVault never stored them in the first place.
Can my IT team audit what the extension does?
Yes. Because SatisVault uses your existing Azure RBAC or AWS IAM policies, every secret access is logged in Azure Monitor or AWS CloudTrail respectively. Your security team can audit all activity through the tools they already use. The extension adds a convenient browser interface, but the underlying access control and audit trail remain exactly the same.
What data does the extension cache locally?
SatisVault caches vault names, secret names (not values), URL tags, and your extension preferences. Session tokens for Azure OAuth are also stored locally. Secret values are fetched on demand and not persisted. All cached data is automatically deleted when you uninstall the extension.