Vault Access Control
Understand who can view, create, edit, and delete secrets in the WorkClaw Vault based on team roles and vault scopes.
Who can access vault secrets?
Access to vault secrets depends on two factors: the member's role and the secret's scope. These two dimensions combine to determine exactly what each person can do.
How do roles affect vault access?
The table below shows vault permissions by role for team-scoped secrets:
| Action | Owner | Admin | Member |
|---|---|---|---|
| View secret names and descriptions | Yes | Yes | No |
| Create team secrets | Yes | Yes | No |
| Edit team secret values | Yes | Yes | No |
| Delete team secrets | Yes | Yes | No |
Members cannot see, create, or modify team-scoped secrets. They can only interact with their own private secrets.
How do scopes affect vault access?
- Team-scoped secrets are visible to Owners and Admins. All Claws on the team can use them at runtime, but Members cannot see the entry list or modify values through the settings panel.
- Private secrets are visible only to the member who created them. Only that member's personal Claws can use them. No one else on the team — not even the Owner — can see or modify private secrets.
For a deeper explanation of scopes, see Vault Scopes.
Can Claws access secrets across scopes?
A team Claw can access team-scoped secrets but not any member's private secrets. A personal Claw can access both the owning member's private secrets and any team-scoped secrets (since team secrets are shared across all Claws on the team).
What happens when a member is removed?
When a member is removed from the team:
- Their private secrets remain attached to their account and leave with them.
- Any team-scoped secrets they created stay with the team and remain accessible to other Owners and Admins.
- If the removed member's personal Claws referenced team-scoped secrets, those Claws lose access immediately.
How do I audit vault access?
Navigate to Settings > Vault > Activity Log to see a timestamped record of who created, edited, or deleted each secret. The log does not reveal secret values — it only records metadata (entry name, action, actor, timestamp). This helps you track changes and identify unauthorized modifications.
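One way to review the Activity Log against the role table above, as an added example that is not WorkClaw code. It assumes the log rows have been copied into CSV with the four metadata fields named above; the CSV layout, the roster, the entry names, and every sample value are constructed for illustration.

```python
import csv
import io
from datetime import datetime

# Roles the permission table allows to create, edit or delete team-scoped secrets.
PRIVILEGED = {"Owner", "Admin"}

# Constructed roster: actor -> (role, removal time or None). Not WorkClaw data.
ROSTER = {
    "alice": ("Owner", None),
    "bob": ("Admin", None),
    "carol": ("Member", None),
    "dave": ("Admin", datetime(2024, 5, 1, 12, 0)),
}

# Constructed names of team-scoped entries (Owners and Admins can list these).
TEAM_ENTRIES = {"STRIPE_KEY", "DB_PASSWORD"}

# Constructed log rows using the four metadata fields the page names.
SAMPLE_LOG = """entry_name,action,actor,timestamp
STRIPE_KEY,created,alice,2024-04-30T09:00:00
DB_PASSWORD,edited,carol,2024-04-30T10:15:00
STRIPE_KEY,edited,dave,2024-05-02T08:30:00
DB_PASSWORD,deleted,mallory,2024-05-03T23:59:00
MY_TOKEN,created,carol,2024-05-04T11:00:00
"""

def review(log_text, roster=ROSTER, team_entries=TEAM_ENTRIES):
    """Return (entry, action, actor, reason) for each change the role table forbids."""
    findings = []
    for row in csv.DictReader(io.StringIO(log_text)):
        if row["entry_name"] not in team_entries:
            continue  # private secrets are outside the team role table
        when = datetime.fromisoformat(row["timestamp"])
        role, removed_at = roster.get(row["actor"], (None, None))
        if role is None:
            reason = "actor not on team roster"
        elif removed_at is not None and when >= removed_at:
            reason = "change after actor was removed"
        elif role not in PRIVILEGED:
            reason = f"role {role} cannot modify team secrets"
        else:
            continue
        findings.append((row["entry_name"], row["action"], row["actor"], reason))
    return findings

if __name__ == "__main__":
    for finding in review(SAMPLE_LOG):
        print(*finding, sep=" | ")
```

Any finding means the log shows a team-secret change that the role table says should not be possible, so it deserves a closer look at the actor's role history and the affected entry.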