Zero-trust credentials for an autonomous workforce.
Vault is the secrets layer purpose-built for agents. Per-workflow scopes, ephemeral session injection, MFA orchestration, BYOK encryption. Your agents never see a password — and you can prove it.
Four pillars. Zero magic.
Ephemeral injection
Credentials are injected into the browser session at the keystroke layer and wiped immediately. Never resident in agent memory, logs, or screenshots.
Scoped grants
Per-workflow, per-portal, per-time-window grants. Two-person approval for production secrets. Auto-rotation on schedule or anomaly.
MFA orchestration
TOTP, WebAuthn, push approvals, and SMS fallback handled by Vault — including human-in-the-loop approval when policy requires.
Bring your own keys
BYOK via AWS KMS, GCP KMS, Azure Key Vault, or HashiCorp Vault. Customer-managed root-of-trust with audit-grade key usage logs.
Engineered to ship, not to demo.
| Identity | SSO via WorkOS (Okta, Azure AD, Google, OIDC, SAML). SCIM provisioning. |
|---|---|
| Sessions | Cookie jars, OAuth tokens, refresh flows. Auto re-auth with policy gates. |
| Compliance | HIPAA, PCI DSS scope minimization, GDPR data-residency pinning. |
| Integrations | 1Password, Bitwarden, AWS Secrets Manager, GCP Secret Manager, Vault. |
Built for the verticals regulators inspect.
Healthcare
Per-payer credentials with PHI-aware policies and BAA-ready logs.
Finance
PCI-scoped portals with maker-checker on credential issuance.
Multi-tenant ops
Isolated credential vaults per end-customer for BPOs migrating to Klerix.
Public sector
Region-pinned keys; FedRAMP-aligned access workflows.
Vault is one of five.
Klerix ships as a tightly integrated suite. Each product is useful alone — together, they replace the offshore back office.
See Vault run on a workflow from your stack.
A 60-day pilot on a single workflow. Hard SLOs. No procurement gymnastics.