AES-256-GCM Encryption  ·  Zero Egress Fees  ·  ERP-Native

The Vault
Your Business Has Been Waiting For

Secure file storage built for developers and ERP teams. Zero-knowledge encryption, Cloudflare R2 infrastructure, and a clean API that speaks your language.

Start Building Free View API Docs
256-bit
AES-GCM Encryption
0¢
Egress Fees
4-key
ERP Identity Model
<100ms
API Response Time
POST /api/v1/files/upload AES-256-GCM encryption GET /api/v1/erp/provision sodium_crypto_pwhash() X-API-Key: svt_•••••••• Cloudflare R2 zero egress JWT HS256 · 900s TTL org_id · emp_id · app_id · docu_id 302 Signed URL Redirect POST /api/v1/files/upload AES-256-GCM encryption GET /api/v1/erp/provision sodium_crypto_pwhash() X-API-Key: svt_•••••••• Cloudflare R2 zero egress JWT HS256 · 900s TTL org_id · emp_id · app_id · docu_id 302 Signed URL Redirect
What We Do

Built for files
that matter.

01
Zero-Knowledge Encryption
Your vault password never touches our servers. AES-256-GCM encryption with Argon2id key derivation means only you can decrypt your files — ever.
02
Cloudflare R2 Infrastructure
Files stored on Cloudflare's global R2 network. Zero egress fees — ever. 60-second signed URLs for secure delivery. No surprise bandwidth bills.
03
Developer-First API
Clean RESTful endpoints. JWT + API key auth. JSON responses. Rate limit headers on every response. Upload, list, download, share — all in minutes.
04
ERP-Native Identity
Provision and manage files using your existing ERP identity: org_id, emp_id, app_id, docu_id. No new user accounts. Your data model, respected.
05
Controlled Sharing
Share links with expiry, password protection, and max-use limits. Grant access to one file, for one hour, to one person. Granularity is a right, not a premium.
06
Complete Audit Trail
Every upload, download, share, and deletion logged with timestamp, IP, and user agent. Compliance-ready from day one. Exportable on demand.
How it works

Three calls.
Everything secured.

01
Authenticate
Register an account or provision one via ERP identity. Receive a JWT access token (15 min) and an httpOnly refresh token (30 days). Or generate an API key for server-to-server integration.
02
Upload
POST your file to /api/v1/files/upload. We validate the magic bytes (not just extension), check your quota, stream directly to R2, and return full metadata — all in one request.
03
Access
GET /api/v1/files/:id/download returns a 302 to a 60-second signed R2 URL. Premium users get proxied decryption. Standard users get blazing-fast redirects. Both get zero egress fees.
secvault_demo.php
// 1. Authenticate
$response = Http::post('https://api.secvault.app
/api/v1/auth/login', [
'email' => 'you@company.com',
'password' => $password,
]);
$token = $response['data']['access_token'];
// 2. Upload a file
$file = Http::withToken($token)
->attach('file', fopen($path, 'r'))
->post('.../files/upload');
// 3. Share it — expires in 24h
$share = Http::withToken($token)
->post(".../files/{$file['id']}/share", [
'expires_in_hours' => 24,
'max_uses' => 5,
]);
// ✓ $share['data']['share_url']
See it in action

4 calls. Fully secured.

From zero to encrypted file sharing in minutes — no infrastructure to manage, no surprises.

STEP 01
Authenticate
One POST to /auth/login returns a short-lived JWT. Use it for all subsequent calls — or swap it for a persistent API key.
POST /api/v1/auth/login
email: you@company.com
──────────────────────
✓ 200 access_token: eyJ...
STEP 02
Upload a File
Multipart POST with your bearer token. Magic-byte validation, quota check, and encrypted R2 write happen server-side in a single round-trip.
POST /api/v1/files/upload
file: invoice_q3.pdf
──────────────────────
✓ 201 id: f_9kXm...
STEP 03
Access / Download
A GET to /files/:id/download returns a 302 redirect to a 60-second signed Cloudflare R2 URL. Zero egress fees on every delivery.
GET /api/v1/files/f_9kXm/download
──────────────────────
✓ 302 Location:
r2.cloudflarestorage.com/...
STEP 04
Share It
Create a share link with a TTL, optional password, and max-use cap. Revoke instantly. Entire sharing model available on all paid plans.
POST /api/v1/files/f_9kXm/share
expires_in_hours: 24 · max_uses: 5
──────────────────────
✓ 201 share_url: sv.app/s/...
Auth
Upload
Access
Share
0x4A
GCM
256
IV
TAG
ARGON2
Security Architecture

Paranoid
by design.

AES-256-GCM + Auth Tag
Industry-standard authenticated encryption. Ciphertext includes a 128-bit GCM tag — tampered files are detected and rejected before any bytes are read.
Argon2id Key Derivation
Your vault password is never stored. We use sodium's Argon2id (memory-hard) to derive a 256-bit key per session. GPU brute force is economically infeasible.
We Cannot Decrypt Your Files
The derived key lives only in memory during your session. It's zeroed with sodium_memzero() immediately after use. Not in logs, not in the database. Not anywhere.
SHA-256 Integrity Verification
Plaintext checksum stored at upload. Verified after decryption. If a single byte changed in transit or storage, the download is rejected with INTEGRITY_FAILED.
Pricing

Honest pricing.
No traps.

Free
$0
/ month · forever
  • 5 GB storage
  • Up to 10 MB per file
  • JWT + API key auth
  • Share links
  • Audit log
  • AES-256 encryption
  • ERP integration
Get Started
Most Popular
Standard
$19
/ month · billed annually
  • 20 GB storage
  • Up to 20 MB per file
  • JWT + API key auth
  • Share links + passwords
  • Full audit trail
  • ERP provisioning API
  • AES-256 vault encryption
Start Standard
Premium
$49
/ month · billed annually
  • 20 GB storage
  • Up to 20 MB per file
  • Everything in Standard
  • AES-256-GCM encryption
  • Zero-knowledge vault
  • Proxied decryption
  • Password change re-encryption
Go Premium
ERP Integration

Your identity.
Our vault.

SecVault speaks your ERP's language. No new user management, no identity migration. Simply pass your existing keys — we provision, store, and secure files in the right context automatically.

org_id
Organisation
Your company or tenant identifier. Scoped API keys enforce org boundaries at the infrastructure level.
emp_id
Employee
Each ERP user gets a provisioned SecVault account on first API call. Idempotent. No duplicate accounts.
app_id
Application
Filter files by the ERP module they belong to. HR, Finance, Procurement — isolated by design.
docu_id
Document
Map any file directly to its source ERP record. Pull all attachments for a purchase order in one query.
erp_integration.php
// Provision ERP user on first touch
Http::withKey($apiKey)
->post('.../erp/provision', [
'erp_org_id' => 5,
'erp_emp_id' => 1042,
'email' => 'jane@acme.com',
]);
// Upload attached to PO #8821
Http::attach('file', $invoice)
->post('.../files/upload', [
'erp_org_id' => 5,
'erp_app_id' => 2, // Finance
'erp_emp_id' => 1042,
'erp_docu_id' => 8821, // PO
]);
// List all files for PO #8821
Http::get('.../erp/files', [
'erp_org_id' => 5,
'erp_docu_id' => 8821,
]);
What teams say

Trusted by builders
who care about security.

"We integrated SecVault into our ERP in an afternoon. The 4-key identity model was exactly what we needed — no hacks, no workarounds."
MR
Marcus Reynolds
CTO · Meridian ERP Solutions
"The zero-knowledge encryption gave our legal team the confidence to finally move contract storage to the cloud. It was the one feature nobody else offered."
SP
Shreya Patel
Head of Engineering · Formis Legal
"Cloudflare R2 with zero egress fees was the deciding factor. We were paying $400/month in bandwidth fees elsewhere. Now it's zero."
TK
Thomas Kramer
Founder · Stackbridge
Get started today

Your files deserve
a real vault.

Start free. Upgrade when you're ready. No credit card required for the free tier. No surprise fees. No vendor lock-in.

Create Free Account Check API Status