Open-source credential broker that issues short-lived SSH, AWS, GitHub, and Kubernetes credentials after FIDO2 hardware verification. One YubiKey tap, 8 hours of access.
Live site: vouch.sh
Vouch replaces long-lived secrets (SSH keys, AWS access keys, GitHub tokens, Docker credentials) with short-lived, cryptographically attested credentials. No credential is ever issued without proof of human presence via a FIDO2/WebAuthn security key.
After a single vouch login, credential helpers for SSH, AWS, GitHub, EKS, Docker, Cargo, CodeArtifact, and CodeCommit provide tokens on demand — transparently and without any long-lived secrets on disk.
This repository contains the Hugo source for the vouch.sh product site, documentation, and blog.
Prerequisites: Hugo v0.142.0 extended
Start a local dev server with live reload:
    hugo server

Visit http://localhost:1313.
Build for production:
    hugo --gc --minify

Output goes to public/.
    content/
      docs/                30+ documentation pages (AWS, SSH, EKS, GitHub, Docker, etc.)
      docs/applications/   24 OIDC integration guides (Rails, Next.js, FastAPI, Flutter, etc.)
      blog/                Blog posts
    layouts/               Hugo Go templates and partials
    assets/css/            Hand-written CSS (no build tools, no npm)
    static/                Static files copied to output (CNAME, images, robots.txt)
Pushing to main triggers a GitHub Actions workflow that builds the site with Hugo and force-pushes to the gh-pages branch, which serves vouch.sh via GitHub Pages.
Apache-2.0 / MIT dual license. See the main Vouch repository for source code.