Secrets vault: passwords, API keys, and critical access protected by AI

Replace the password spreadsheet and the chat threads full of tokens. The Vault stores your company's sensitive credentials (admin passwords, API keys, tokens, certificates, server access), shares them only with whoever needs them, and audits every read. The AI detects unusual access and warns you before anything leaks.

Advanced · 8 min read · Tags: vault, secrets, passwords, security, API keys
Screenshot of the Vault module in Pilot Desk
In 30 seconds
  • It is where your company stores critical credentials: passwords, API keys, access to external systems.
  • It is not for individual users — it is company-level.
  • Each secret has an owner, defined permissions and an audit trail of who viewed it.
  • It replaces the 'Excel with passwords' that circulates by email.

What is the Vault?

It is the place where your company stores things that cannot live in an Excel file or a chat: admin passwords, API keys, certificates, server access, payment gateway tokens.

Store a secret

  1. Click 'New secret'.
  2. Name: something clear, such as 'Stripe — Production API key'.
  3. Value: the password, key or token.
  4. Category: API keys, passwords, certificates, tokens.
  5. Owner (who administers it) and members with access.
  6. Optional description and notes.
  7. Save.

View a secret

The value is hidden by default. Click 'Show'. Pilot asks for confirmation and records: who viewed it, when, from what device.

Permissions: who sees what

  • Owner: the person responsible. Can edit, delete, adjust permissions.
  • Members with access: can view and copy to the clipboard. They cannot modify.
  • Company admins: see everything (but are also audited).

Audit trail

The Audit tab is the black box: every access is recorded. If a secret leaks, the log tells you who accessed it. If a user leaves, you can review what they accessed before their departure.

Example: rotating an important password

It is time to rotate your servers' admin password (a good quarterly practice).

  1. You open the Vault, find the secret 'Production server admin'.
  2. You click Edit. You ask IT to generate a new password.
  3. You paste the new value. You save.
  4. Pilot notifies the members with access: 'this password was changed'.
  5. Each one looks it up when they need it — and every access is recorded.

The password is rotated, everyone authorized has the new value, and you keep full traceability of who used it and when after the change.

Security tips

  • Rotate critical secrets every 90 days (passwords, production API keys).
  • Principle of least privilege: only grant access to those who truly need it.
  • Review the audit trail once a month. Look for odd patterns (late-night access, unknown IPs).
  • When someone leaves the company, revoke their access before their resignation takes effect.
  • Do not put sensitive data in the secret's 'notes' — they are visible to everyone with access to the secret.

If something does not work

I cannot view a secret I need.

Ask the secret's owner (or the company admin) to add you as a member with access.

The time in the audit trail does not match my clock.

The audit trail stores times in UTC, and Pilot converts them to your time zone. Check the time zone set in your profile.

Integrations that power this feature

Connect Pilot with the tools your team already uses. The AI orchestrates between them without you switching screens.

Frequently asked questions

Is this like 1Password or LastPass?
It shares the base idea (storing encrypted credentials with permissions), but the Vault is built for the company, not personal use with a browser extension. The key difference: it lives inside the same ecosystem your team already works in (CRM, calendar, HR, admin), each access audit cross-references the user's activity, and the AI detects unusual patterns by looking at context a standard manager doesn't have. If your team already uses 1Password for personal passwords, you can keep it; the Vault covers the corporate credentials that shouldn't live there (production API keys, server access, deployment secrets).
How is the content encrypted?
Secret values are encrypted at rest with enterprise-grade encryption and decrypted only when an authorized user clicks 'Show' in the context of their active session. Transmission is always over an encrypted channel. Encryption keys are managed with standard industry practices, with periodic rotation. For clients with specific compliance requirements (financial, healthcare, government) there are dedicated deployment options and customer-managed key control — ask during onboarding.
Who can see which secrets?
Each secret has an owner (responsible party, can edit/delete/adjust permissions), members with access (can view and copy to clipboard, can't modify), and optionally members with programmatic-use permission (can invoke the secret from an integration without seeing it on screen). Company admins see the full list of secrets but their access is also audited — there's no 'master account' that escapes the log. When someone leaves, you revoke all their access in bulk from the admin panel.
Does the AI really detect suspicious access, or is it just a log?
It does both. The audit log is exhaustive (every action recorded with timestamp, user, device, and outcome), but the AI also learns each user's and secret's normal pattern and warns you when something falls outside it: a read from a new country, a burst of several secrets in a few minutes, a read of a secret the user never touched before, access outside the usual hours. You set the alert threshold. The alert arrives by in-app notification, email, and optionally to a Slack or Teams channel for the security team.
How much does it cost?
Vault comes as an add-on module to enterprise plans. Pricing depends on the number of users with access to the module, the volume of secrets, and compliance requirements. For companies with regulated needs (financial, healthcare) there's a dedicated package. Contact us for a tailored proposal with discounts for LATAM teams.
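
The monthly audit review from the security tips, checked against the patterns named in the answer on suspicious access (off-hours reads, a burst of several secrets, a first-time read, an unfamiliar device). This is an added example using fixed rules, not Pilot's code or its AI; the record layout, per-user UTC offsets and thresholds are assumptions, and the records are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample records (UTC timestamp, user, secret, device); not a real export.
BASELINE = [
    ("2024-05-02T15:10:00", "ana", "Stripe production API key", "laptop-ana"),
    ("2024-05-09T16:40:00", "ana", "Stripe production API key", "laptop-ana"),
    ("2024-05-03T14:05:00", "luis", "Production server admin", "laptop-luis"),
]
CURRENT = [
    ("2024-06-04T15:20:00", "ana", "Stripe production API key", "laptop-ana"),
    ("2024-06-11T07:12:00", "luis", "Production server admin", "laptop-luis"),
    ("2024-06-18T16:00:00", "ana", "Production server admin", "phone-x"),
    ("2024-06-18T16:02:00", "ana", "Payment gateway token", "phone-x"),
    ("2024-06-18T16:03:00", "ana", "TLS certificate", "phone-x"),
]
UTC_OFFSET_HOURS = {"ana": -5, "luis": -5}   # assumed per-user zone offsets
WORK_HOURS = range(7, 20)                     # assumed: 07:00-19:59 local is normal
BURST_SECRETS, BURST_WINDOW = 3, timedelta(minutes=5)  # assumed alert threshold

def review(baseline, current):
    """Return (timestamp, user, reason) findings in chronological order."""
    seen_secret, seen_device = defaultdict(set), defaultdict(set)
    for _, user, secret, device in baseline:
        seen_secret[user].add(secret)
        seen_device[user].add(device)
    findings, recent = [], defaultdict(list)
    for ts, user, secret, device in sorted(current):
        # The log is in UTC; judge "late night" in the user's local time.
        when = datetime.fromisoformat(ts).replace(tzinfo=timezone.utc)
        local = when.astimezone(timezone(timedelta(hours=UTC_OFFSET_HOURS[user])))
        if local.hour not in WORK_HOURS:
            findings.append((ts, user, "off-hours"))
        if secret not in seen_secret[user]:
            findings.append((ts, user, "first-read"))
        if device not in seen_device[user]:
            findings.append((ts, user, "new-device"))
        # Sliding window: keep only this user's reads from the last BURST_WINDOW.
        recent[user] = [(t, s) for t, s in recent[user] if when - t <= BURST_WINDOW]
        recent[user].append((when, secret))
        if len({s for _, s in recent[user]}) >= BURST_SECRETS:
            findings.append((ts, user, "burst"))
        seen_secret[user].add(secret)
        seen_device[user].add(device)
    return findings
```

Calling `review(BASELINE, CURRENT)` flags the 02:12 local-time read by `luis` and the three reads by `ana` from the unfamiliar device, the last of which also trips the burst rule.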

Do you know where your company's keys are today?

Book a 30-minute demo. We show you how to set up the Vault, how access is shared with granular permissions, how the audit trail works, and what kind of patterns the AI detects. Then we build the plan that fits your company.
