Prove you're here.
Hardware-backed authentication that issues short-lived credentials only after a human touches a YubiKey. One touch, one PIN, one 8-hour session — then SSH, AWS, Kubernetes, and more just work.
```sh
$ vouch login
🔑 Touch your YubiKey...
Enter PIN: ****
✓ Authenticated as you@company.com
✓ Session valid for 8 hours

$ ssh prod.example.com      # Just works
$ aws s3 ls                 # Just works
$ kubectl get pods          # Just works
$ git push origin main      # Just works
```

Modern authentication is broken in three ways:

- Push notification fatigue — Duo pings you 47 times a day. Users approve reflexively. MFA fatigue attacks succeed because humans are tired.
- Credential sprawl — Long-lived API keys in `~/.aws/credentials`. GitHub PATs that never expire. SSH keys from 2019 still floating around.
- No presence verification — Existing tools verify devices or sessions, but not that a human is actually there. A compromised laptop with cached credentials is indistinguishable from its owner.
Vouch requires physical presence for every credential issuance:
| Traditional Auth | Vouch |
|---|---|
| Password + SMS/Push | YubiKey touch + PIN |
| Long-lived API keys | 8-hour certificates |
| "Remember this device" | Per-session attestation |
| Optional hardware MFA | Mandatory hardware MFA |
| Device trust | Human presence proof |
```text
┌────────────────────────────────────────────────────────────────────┐
│                            Your Machine                            │
│                                                                    │
│  ┌──────────┐     ┌──────────┐     ┌──────────────────────────┐    │
│  │ YubiKey  │────▶│  vouch   │────▶│ Short-lived credentials  │    │
│  │ (touch)  │     │  login   │     │ managed by vouch agent   │    │
│  └──────────┘     └──────────┘     └──────────────────────────┘    │
│                        │                       │                   │
│                        ▼                       ▼                   │
│                   ┌──────────┐           ┌──────────────┐          │
│                   │  vouch   │           │ Native tools │          │
│                   │  server  │           │ (ssh, aws, …)│          │
│                   │  (OIDC)  │           │              │          │
│                   └──────────┘           └──────────────┘          │
└────────────────────────────────────────────────────────────────────┘
```
- `vouch login` — Touch YubiKey, enter PIN, get 8-hour session
- Vouch issues credentials — SSH certificates, AWS STS tokens, Kubernetes tokens, and more
- Tools just work — Standard credential helpers, no wrappers needed
Unlike optional MFA that can be bypassed, Vouch only issues credentials after FIDO2 verification. The credential itself carries proof of presence.
- SSH certificates: 8 hours
- AWS credentials: 1 hour (auto-refresh within session)
- Kubernetes, Docker, RDS, Redshift, CodeArtifact, and more — see Integrations
No more rotating keys. No more revoking access. Credentials simply expire.
Vouch configures standard credential providers:
- SSH: `IdentityAgent` pointing to vouch's signing agent
- AWS: `credential_process` in `~/.aws/config`
- Plus: Kubernetes, Docker, Git, Cargo, and more — see Integrations
After vouch login, existing workflows are unchanged.
```sh
# macOS
brew install vouch-sh/tap/vouch

# Linux (Debian/Ubuntu)
# See https://packages.vouch.sh for repository setup
sudo apt install vouch

# Linux (RPM-based)
# See https://packages.vouch.sh for repository setup
sudo dnf install vouch

# From source (requires Rust 1.95+)
cargo install --git https://github.com/vouch-sh/vouch vouch-cli
```

Note: Vouch is not published to crates.io. Install from the Git repository or use a package manager.
```sh
# Enroll with your YubiKey (one-time, opens browser)
vouch enroll

# Configure integrations
vouch setup ssh                                       # SSH certificates
vouch setup aws --role arn:aws:iam::ID:role/name      # AWS credential_process
vouch setup eks --cluster my-cluster                  # kubectl for EKS via IAM
vouch setup k8s --cluster my-cluster --server URL     # kubectl via OIDC
vouch setup github --configure                        # Git credential helper for GitHub
vouch setup docker --configure ghcr.io                # Docker registry auth
vouch setup cargo --configure                         # Cargo registry auth
vouch setup codecommit --configure                    # AWS CodeCommit Git credentials
vouch setup ssm                                       # SSH via AWS Systems Manager
vouch setup codeartifact --tool pip --repository R    # Private package registry

# See all integrations: https://vouch.sh/docs/
```

Tip: Run `vouch doctor` at any time to check your YubiKey, agent, and configuration status.

Important: The `vouch-agent` daemon must be running for credential operations. It starts automatically on `vouch login` and manages your session.
```sh
# Start your day
vouch login

# Everything just works for 8 hours
ssh prod-server
aws s3 ls
kubectl get pods
docker pull ghcr.io/your-org/image
git clone https://github.com/your-org/private-repo.git

# Check session status
vouch status
```

For scripts and CI/CD pipelines, inject credentials into subprocesses:
```sh
# Run a command with AWS credentials in the environment
vouch exec --type aws --role arn:aws:iam::ID:role/name -- terraform plan

# Export credentials for the current shell
eval "$(vouch env --type aws --role arn:aws:iam::ID:role/name)"

# Available types: aws, github, codeartifact, rds, redshift
```

Shell completions:

```sh
# Bash (requires the bash-completion package)
vouch completions bash > ~/.local/share/bash-completion/completions/vouch

# Zsh
vouch completions zsh > "${fpath[1]}/_vouch"

# Fish
vouch completions fish > ~/.config/fish/completions/vouch.fish
```

Add session status to your shell prompt (sets `VOUCH_AUTHENTICATED`, `VOUCH_EMAIL`, and `VOUCH_EXPIRES_IN`):
```sh
# Bash (add to ~/.bashrc)
eval "$(vouch init bash)"

# Zsh (add to ~/.zshrc)
eval "$(vouch init zsh)"

# Fish (add to ~/.config/fish/config.fish)
vouch init fish | source
```

Exit codes:

| Code | Meaning |
|---|---|
| 0 | Success |
| 1 | General error |
| 2 | Not authenticated (session expired or missing) |
| 3 | Hardware key not detected |
| 4 | Network or server unreachable |
| 5 | Permission denied |
| 6 | Configuration error |
| 7 | Step-up authentication required |
| 8 | Rate limited |
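A shell wrapper, added here as an example and not part of the Vouch project, that uses the exit codes above to gate a scripted step before injecting credentials with `vouch exec` (the subprocess usage described earlier). It assumes `vouch status` exits with these codes, that `VOUCH_ROLE` holds the IAM role ARN, and the function names are this example's own.

```sh
# Constructed example, not Vouch project code. Assumes `vouch status`
# exits with the codes documented above and that VOUCH_ROLE holds the
# IAM role ARN to assume via `vouch exec --type aws`.

# Map a Vouch exit code to a short reason for log output.
vouch_exit_reason() {
  case "$1" in
    0) echo "session valid" ;;
    1) echo "general error" ;;
    2) echo "not authenticated (session expired or missing)" ;;
    3) echo "hardware key not detected" ;;
    4) echo "network or server unreachable" ;;
    5) echo "permission denied" ;;
    6) echo "configuration error" ;;
    7) echo "step-up authentication required" ;;
    8) echo "rate limited" ;;
    *) echo "unknown exit code $1" ;;
  esac
}

# Decide how a script should react: only 2 and 7 are fixed by a fresh
# touch-and-PIN login, 4 and 8 by waiting; everything else needs a human.
vouch_next_action() {
  case "$1" in
    0) echo ok ;;
    2|7) echo login ;;
    4|8) echo retry ;;
    *) echo fail ;;
  esac
}

# Check the session once, recover if possible, then run the command with
# short-lived AWS credentials injected by vouch. Never loops on login, so a
# missing YubiKey fails fast instead of prompting forever.
run_with_vouch() {
  vouch status >/dev/null 2>&1 && code=0 || code=$?
  case "$(vouch_next_action "$code")" in
    ok) ;;
    login) echo "vouch: $(vouch_exit_reason "$code"); logging in" >&2
           vouch login || return $? ;;
    retry) echo "vouch: $(vouch_exit_reason "$code"); retrying in 30s" >&2
           sleep 30 && vouch status >/dev/null 2>&1 || return $? ;;
    *)     echo "vouch: $(vouch_exit_reason "$code"); aborting" >&2
           return "$code" ;;
  esac
  vouch exec --type aws --role "$VOUCH_ROLE" -- "$@"
}

# Usage in a pipeline step: run_with_vouch terraform plan
```

Because `vouch exec` hands back the child process's exit status, the wrapper checks `vouch status` first so that Vouch's own codes are not confused with those of the wrapped command.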
- YubiKey 5 series (firmware 5.2+) with FIDO2/WebAuthn support
- macOS 12+ or Linux (glibc 2.31+) — Windows support is planned
- For SSH: CA public key distributed to target hosts
- For AWS: IAM role with OIDC federation configured
- For EKS: Cluster with Access Entries configured for IAM role
- For Kubernetes: API server with OIDC configured — see Operator Guide
- For GitHub: Organization admin connects the Vouch GitHub App
Server deployment: Docker (distroless), systemd, or Kubernetes (Helm). See Operator Guide.
Vouch consists of:
| Component | Description |
|---|---|
| `vouch` CLI | User-facing commands, credential helpers |
| `vouch-agent` | Background daemon, session management |
| `vouch-common` | Shared types, FIDO2 helpers, API client |
| `vouch-server` | OIDC provider, certificate authority |
| `vouch-httpsig` | HTTP Message Signatures (RFC 9421) |
| `vouch-tests` | Integration and property-based tests |
All components are Apache-2.0 OR MIT licensed.
Vouch is designed for high-security environments:
- Memory-safe implementation — Written in Rust
- No credential storage — Vouch never sees your private keys
- Cryptographic presence attestation — FIDO2 with user verification
- Short-lived credentials — Minimize blast radius of compromise
- Audit trail — Every credential issuance logged with attestation
See the Security Model for our security philosophy and the Threat Model for STRIDE analysis.
To report a security vulnerability, email security@vouch.sh. Do not open public issues for security concerns.
- User Guide: vouch.sh — Getting started, integrations, daily use
- Operator Guide: docs.vouch.sh — Server deployment, configuration, administration
Key sections:
- Getting Started — Installation and first enrollment
- Integrations — SSH, AWS, EKS, Kubernetes, GitHub, Docker, and more
- Server Deployment — Deploy and configure the Vouch server
- Architecture — System design and data flows
- Security Model — Security controls and incident response
- Threat Model — STRIDE analysis and mitigations
```sh
# Build and serve docs locally
make docs-serve
```

We welcome contributions! See CONTRIBUTING.md for guidelines.
We believe security tools should be auditable.
- All crates: Apache-2.0 OR MIT
- Documentation: CC-BY-4.0
Vouch — Prove you're here.
