storage-p
All guides

Projects, team access and API tokens

Projects let a team share a set of secrets while the server stays zero-knowledge. Scoped API tokens let external systems read only what you allow, optionally behind your approval.

Turn a folder into a project

Create a folder and group related items in it. Sharing the folder creates a Project Key and re-encrypts those items under it, so access can be granted and revoked per member.

Grant a teammate access

  1. Open the folder’s Access panel, choose User, and enter their email.
  2. Pick read, or enable Allow write for read-write access.
  3. Grant. The Project Key is sealed to their public key (X25519); revoke any time.

Create a scoped API token

  1. Go to the API tokens page and create a New token; give it a name.
  2. Choose which individual items or whole projects it may read, and set a TTL and a rate limit.
  3. Turn on “require confirmation on every read” for sensitive access.
  4. Copy both the token (sent as a Bearer header) and the access key (tokenKey, used to decrypt) — they are shown once.

The server never stores the tokenKey. Send the token and key to the integration over a secure channel.

Approve reads from Telegram

When confirmation is required, each read pauses until you approve it from the in-app bell or a Telegram message. Connect Telegram once to approve from your phone. The integration receives the still-encrypted item only after you approve, then decrypts it locally with the tokenKey.