Zero-Knowledge Secret Vault
A secure, distributed, client-authenticated secret storage engine built on Cloudflare Workers and Workers KV. The server is blind: plaintext secrets and private keys never leave the client, so the Worker only ever handles public keys, ciphertext and signatures.
POST /init?projectId=[id]
Initializes a new project space and binds it to the client's public keys, preventing project collision or hijacking.
// Body format
{
  "authPubJwk": { "kty": "OKP", "crv": "Ed25519", "x": "..." },
  "encPubJwk": { "kty": "RSA", "n": "...", "e": "..." }
}
POST /store?projectId=[id]&secretName=[name]
The client encrypts the secret locally with its RSA public key and uploads the ciphertext together with an Ed25519 signature that authorizes the write.
// Body format (signature over "store:[secretName]:[ciphertext]")
{
  "ciphertext": "base64-rsa-oaep-ciphertext-payload",
  "signature": "hex-encoded-ed25519-signature"
}
POST /retrieve?projectId=[id]&secretName=[name]
Fetches the encrypted ciphertext. Read access requires a signature over a timestamp-based challenge, which authorizes the request and prevents replay attacks.
// Body format (signature over the "challenge" value, a Unix timestamp in milliseconds)
{
  "challenge": "1782393284000",
  "signature": "hex-encoded-ed25519-signature"
}
Client Sign → Worker Verify → KV Write/Read