> ## Documentation Index
> Fetch the complete documentation index at: https://docs.tinycloud.xyz/llms.txt
> Use this file to discover all available pages before exploring further.

# Data Vault

> Unlock the vault, store encrypted values, and share them.

Use the data vault when you want client-side encrypted KV storage instead of
plain TinyCloud KV.
For the trust model and public/primary space split, see
[Data Vault](/concepts/data-vault).

## Unlock the vault

```typescript theme={null}
import { PrivateKeySigner, TinyCloudNode } from "@tinycloud/node-sdk";

const tc = new TinyCloudNode({
  privateKey: process.env.WALLET_PRIVATE_KEY,
  host: "https://node.tinycloud.xyz",
  prefix: "my-app",
});

await tc.signIn();
const signer = new PrivateKeySigner(process.env.WALLET_PRIVATE_KEY);
await tc.vault.unlock(signer);
```

Unlocking derives the encryption keys locally. The same wallet produces the
same vault keys again later, so the encrypted data remains readable across
sessions.

## Store and read values

```typescript theme={null}
await tc.vault.put("medical/records", {
  bloodType: "O+",
  allergies: ["penicillin"],
});

const result = await tc.vault.get("medical/records");
```

Use `list()`, `head()`, and `delete()` the same way you would on a normal KV
store, but remember that the server only sees encrypted blobs.

## Share encrypted data

To share a vault entry, grant the recipient access to the entry key and add a
delegation for the same path scope.

```typescript theme={null}
// Assuming alice and bob are signed-in TinyCloudNode instances.
await alice.vault.reencrypt("medical/records", bob.did);

const delegation = await alice.createDelegation({
  delegateDID: bob.did,
  path: "",
  actions: ["tinycloud.kv/get", "tinycloud.kv/metadata"],
  expiryMs: 24 * 60 * 60 * 1000,
});

const access = await bob.useDelegation(delegation);
await bob.vault.unlock(new PrivateKeySigner("0x..."));
const shared = await bob.vault.getShared(alice.did, "medical/records", {
  kv: access.kv,
});
```

## CLI

All `tc vault` commands require `--private-key <hex>` or `TC_PRIVATE_KEY`,
because the CLI resolves a private key before running vault operations.

```bash theme={null}
tc vault unlock
tc vault put api-key "sk_live_abc123"
tc vault get api-key
tc vault list --prefix credentials/
tc vault head api-key
tc vault delete api-key
```

## When to use this page

Use the vault when the data must stay encrypted on the client. If you only need
plain TinyCloud KV, use the KV guide instead.

## Source note

The vault API names and the unlock/share flow come from the JS SDK and its
WASM bindings. This guide stays on the usage path and leaves the trust model to
the concept page.
