Vault backends
Vault backends store the provider API keys (OpenAI, Anthropic, etc.) server-side. OEM partners usually have an existing vault; TapPass supports pluggable backends so they don’t need to migrate.
Shipped
| Backend | Status | Source |
|---|---|---|
| Postgres (default, encrypted-at-rest) | Production | tappass/tappass/vault/providers/postgres.py |
| File-backed (dev/staging only) | Production | tappass/tappass/vault/providers/file.py |
Planned / stub
| Backend | Status | Notes |
|---|---|---|
| HashiCorp Vault | Terraform module exists, runtime adapter TBD | Common OEM ask |
| AWS Secrets Manager | Planned | Most requested by US customers |
| Azure Key Vault | Planned | Often asked alongside Azure OpenAI |
| GCP Secret Manager | We use this ourselves; runtime adapter can be generalised | Fastest to ship |
| CyberArk Conjur | Terraform + k8s manifests exist | Bank customers ask for it |
See the integrations overview in the public docs for the customer-facing version.
Protocol
Every backend implements VaultProvider (see tappass/tappass/vault/protocol.py):

```python
from typing import Protocol

# SecretValue is the project's wrapper type for secret material; its import is
# not shown in this snippet.


class VaultProvider(Protocol):
    async def get(self, key: str) -> SecretValue | None: ...
    async def set(self, key: str, value: SecretValue) -> None: ...
    async def delete(self, key: str) -> None: ...
    async def list_prefix(self, prefix: str) -> list[str]: ...
```

Add a new backend by dropping a module under tappass/vault/providers/<name>.py and registering it in the backend factory.
Choosing for an OEM deal
| Customer profile | Recommend |
|---|---|
| Already on HashiCorp Vault (Enterprise) | HashiCorp adapter |
| AWS-native, security team runs Secrets Manager | AWS adapter |
| Azure-native | Azure Key Vault adapter |
| Bank with Conjur | Conjur adapter |
| No strong preference | Postgres (default) |
Always ask: “where do your provider keys currently live?” and pick the backend that matches. Migration is a PITA.
Timing
Adding a new vault backend for a specific OEM: 2-4 weeks depending on auth complexity (static token vs OAuth vs mTLS vs cloud IAM). Budget accordingly when quoting the deal.