Open-source credential broker for hardware-backed developer credentials.

Touch your key. Get credentials for everything.

Vouch issues short-lived SSH keys, AWS sessions, GitHub tokens, and Kubernetes configs — all backed by FIDO2 hardware verification. Instead of managing long-lived secrets scattered across tools, developers authenticate once with a YubiKey tap and receive scoped, temporary credentials that work natively with existing tools.

- Short-lived credentials — SSH certificates, AWS STS sessions, GitHub tokens, Kubernetes configs, Docker registries, Cargo registries
- Hardware presence verification — FIDO2/YubiKey tap for every credential issuance, phishing-resistant by design
- Native tool integration — Works with git, ssh, aws, kubectl, and docker without wrappers or custom CLIs
- Agent credential delegation — Scoped, auditable credentials for AI agents with instant revocation
- OpenID Certified — Standards-compliant OIDC provider

| Repository | Description |
|---|---|
| vouch | Monorepo: CLI, Agent, Server, and shared libraries |
| examples | Integration examples |
| homebrew-tap | Homebrew formula for macOS installation |
| packages | Package distribution |

- All crates — Apache-2.0 OR MIT
- Documentation — CC-BY-4.0