# Password Vault

Source: https://metadock.app/docs/password-vault

# Password Vault Beta

A built-in password manager. Logins, API keys, payment cards, secure notes, and captured browser sessions live in one encrypted store on your machine, behind a single master password. The browser's autofill talks to the same store, so credentials never have to leave it.

Beta

The vault is functional and your data is encrypted at rest, but it is still maturing and may have bugs. Keep an independent backup of any critical credential while it is in beta, and remember there is no master-password recovery (see below). [What “Beta” means](https://metadock.app/docs#beta).

## What it stores

A vault record is one of:

Record

What it holds

Login

A host, username, and sealed password, with optional TOTP seed, recovery codes, and notes

API key

A labeled secret, handy for the keys you paste into the AI chat, scripts, or MCP integrations

Payment card

Number, name, expiry, CVV, and notes, sealed end to end

Secure note

Free-form text for anything else: recovery phrases, 2FA backup codes, a hidden Wi-Fi password

Browser session

A captured cookie set used to revive a logged-in session in another profile

Never save

A tombstone for sites you've told MetaDock not to offer to save credentials for

Logins, API keys, and secure notes are what you add and edit by hand. Browser sessions and “never save” entries are written by the browser on your behalf.

## Master password

Setting up the vault asks for a master password. From then on, every record is encrypted with a key that only your master password can unlock.

-   •You set it once — MetaDock never sends it anywhere
-   •You can change it — changing rewraps the encryption key, so it's instant even with thousands of entries

Warning

**There is no recovery.**No reset email, no security questions. If you forget the master password, the vault's contents are gone for good. Pick something you can remember.

## Locking & auto-lock

The vault is either locked (no key in memory, nothing readable) or unlocked (key held in protected memory while you use it).

-   •Lock manually — from the vault dock or the lock command; the key is wiped from memory immediately
-   •Auto-lock on idle — by default the vault relocks after 15 minutes with no access; configurable
-   •Lock on app close — closing MetaDock locks the vault, and the next launch starts locked

While locked, autofill goes silent and any attempt to read a record fails with a clear “vault is locked” message. The vault is shared across every MetaDock window, so unlocking in one unlocks all of them, and locking anywhere locks it everywhere.

## Browser autofill

When you sign into a site in a MetaDock browser, MetaDock notices the form submit, captures the username and password, and offers to save them, scoped to that profile. Next time you visit the same domain in the same profile, the matching usernames appear as suggestions and picking one fills the password too.

-   •Suggestions surface inline — click into a username field and the matching saved logins for that profile drop down
-   •You stay in control — nothing fills without you picking it, and there's no auto-submit
-   •Unlock required — if the vault is locked, MetaDock prompts you to unlock rather than failing silently
-   •Never save here — a one-click option on the save prompt so a site stops asking

## Per-profile scoping

Vault records carry the same notion of [profile](https://metadock.app/docs/profiles) as the rest of MetaDock. A login captured in the **Acme Client** profile is tagged for that profile and only autofills there; the same site under your **Personal** profile saves a separate record. Nothing crosses between profiles by default.

-   •A specific profile — the default for anything the browser captures
-   •Any profile — the default for records you add by hand, for keys and notes you want available everywhere

You can change a record's profile at any time in the vault dock.

## Encryption

Your vault is encrypted on your machine and unlocked only by your master password. Nothing is stored in plain text, nothing is uploaded, and the master password is never sent anywhere. The encryption is additionally tied to your Windows login, so the vault only opens on your own signed-in machine.

-   •Nothing on disk is plaintext — host, username, label, passwords, card numbers, notes, and cookies are all sealed; the database holds only opaque rows
-   •Two locks, not one — an attacker with the database file still needs both your master password and the ability to log in as you on this Windows machine
-   •No cloud sync — the vault lives on your machine; there is no MetaDock-hosted vault server

## Good to know

-   •Search works on the unlocked vault — because everything on disk is sealed, listing and searching operate on the decrypted records held in memory while the vault is open
-   •Auto-lock can catch you mid-edit — if it fires while you have an unsaved edit open, the form closes, so save before walking away
-   •Moving machines — copy the database file or re-import; either way you need the master password to unlock it on the other machine
