We run it. You own it. Your L2 keys never leave your device.
Hosted on Hostkey TIER III infrastructure. Pick your region at signup.
Or run it yourself. We embrace that too. No account, no payment, no questions asked.
The security model
Your L2 encryption key is derived client-side from your Touch ID or security key. It never leaves your device. Our servers store ciphertext they cannot decrypt — regardless of who owns the rack, the building, or the country it sits in.
Pick your region for speed. Pick it for compliance if your organisation requires it. But your private fields are safe in any of them.
Four ways in. Each one designed for a different context. All pointing at the same encrypted store.
Claude, GPT, or any MCP-compatible agent can search credentials, fetch API keys, and generate 2FA codes — scoped to exactly what you allow.
Autofill passwords, generate 2FA codes inline, and unlock L2 fields with Touch ID — without leaving the page you're on.
Pipe credentials directly into scripts and CI pipelines. vault get github.token — done.
REST API with scoped tokens. Give your deployment pipeline read access to staging keys. Nothing else.
The competition
Real complaints from real users — about 1Password, Bitwarden, and LastPass. Pulled from forums, GitHub issues, and Hacker News. Not cherry-picked from our own users.
1PASSWORD — Community Forum
"The web extensions are laughably bad at this point. This has been going on for months. They either won't fill, wont' unlock, or just plain won't do anything (even clicking extension icon). It's so bad"
— notnotjake, April 2024 ↗✓ vault1984: No desktop app dependency. The extension talks directly to the local vault binary — no IPC, no sync, no unlock chains.
BITWARDEN — GitHub Issues
"Every single website loads slower. From Google, up to social media websites like Reddit, Instagram, X up to websites like example.com. Even scrolling and animation stutters sometimes. javascript heavy websites like X, Instagram, Reddit etc. become extremely sluggish when interacting with buttons. So for me the Bitwarden browser extension is unusable. It interferes with my browsing experience like malware."
— julianw1011, 2024 ↗✓ vault1984: Zero content scripts. The extension injects nothing into pages — it fills via the browser autofill API only when you ask.
LASTPASS — Hacker News
"The fact they're drip-feeding how bad this breach actually was is terrible enough... Personally I'm never touching them again."
— intunderflow, January 2023 ↗✓ vault1984: Self-host or use hosted with L2 encryption — we mathematically cannot read your private fields. No vault data to breach.
1PASSWORD — Community Forum
"Since doing so, it asks me to enter my password every 10 minutes or so in the chrome extension"
— Anonymous (Former Member), November 2022 ↗✓ vault1984: WebAuthn-first. Touch ID is the primary unlock. Session lives locally — no server-side expiry forcing re-auth.
BITWARDEN — Community Forums
"the password not only auto-filled in the password field, but also auto-filled in reddit's search box!"
"if autofill has the propensity at times to put an entire password in plain text in a random field, autofill seems like more risk than it's worth."
— xru1nib5 ↗✓ vault1984: LLM field mapping. The extension reads the form, asks the model which field is which — fills by intent, not by CSS selector.
BITWARDEN — Community Forums
"Bitwarden REFUSES to autofill the actual password saved for a given site or app...and instead fills an old password. It simply substitutes the OLD password for the new one that is plainly saved in the vault."
— gentlezacharias ↗✓ vault1984: LLM field mapping matches by intent. Entries are indexed by URL — the right credential for the right site, every time.
All quotes verbatim from public posts. URLs verified. View sources →
No tiers. No per-seat. No "contact sales." Two options.
Forever. MIT license.
One binary, your machine, your data. Full source on GitHub.
We manage it. You use it.
New York, Amsterdam, Frankfurt, Helsinki. Pick your region.