Skip to main content
Use the data vault when you want client-side encrypted KV storage instead of plain TinyCloud KV. For the trust model and public/primary space split, see Data Vault.

Unlock the vault

Unlocking derives the encryption keys locally. The same wallet produces the same vault keys again later, so the encrypted data remains readable across sessions.

Store and read values

Use list(), head(), and delete() the same way you would on a normal KV store, but remember that the server only sees encrypted blobs.

Share encrypted data

To share a vault entry, grant the recipient access to the entry key and add a delegation for the same path scope.

CLI

All tc vault commands require --private-key <hex> or TC_PRIVATE_KEY, because the CLI resolves a private key before running vault operations.

When to use this page

Use the vault when the data must stay encrypted on the client. If you only need plain TinyCloud KV, use the KV guide instead.

Source note

The vault API names and the unlock/share flow come from the JS SDK and its WASM bindings. This guide stays on the usage path and leaves the trust model to the concept page.