Organizations and Team Vaults
Every team in CloudKeep starts with an organization. An organization is a container for people, vaults, and billing. You can create multiple organizations — one for your company, one for your side project, one for your open-source community.
Within an organization, team vaults let you group related secrets together. A "Production" vault for your live environment, a "CI/CD" vault for pipeline tokens, a "Third-Party" vault for vendor API keys — you decide the structure.
Role-Based Permissions
CloudKeep supports four permission levels, each a strict superset of the one below it:
- Owner — Full control. Can delete the organization, manage billing, and promote or demote any member. Every organization has at least one owner.
- Admin — Can create and delete vaults, invite or remove members, and manage permissions. Cannot delete the organization or change billing.
- Member — Can read and write secrets in vaults they have been granted access to. Cannot manage organization settings or invite new members.
- Read-Only — Can view secrets but cannot create, edit, or delete them. Ideal for auditors or on-call engineers who need visibility without write access.
Permissions are assigned per vault, so a developer can be an admin on the staging vault but read-only on production.
Secure Sharing Links
Sometimes you need to share a single secret with someone outside your organization — a contractor, a partner, or a support engineer. CloudKeep supports time-limited sharing links for exactly this purpose.
When you create a sharing link:
- The secret is re-encrypted with a one-time key.
- The link embeds the decryption key in the URL fragment (never sent to the server).
- You set an expiration: 1 hour, 24 hours, 7 days, or a custom duration.
- You can optionally require a password to open the link.
- You can limit the link to a single view — once opened, it self-destructs.
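Browsers do not include the URL fragment in the requests they send, so the server never sees the decryption key, and the ciphertext it stores is useless on its own. The complete link, fragment included, is what grants access, subject to the expiration, password, and single-view limits you set, so treat the link itself as the secret while it is valid.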
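The fragment-key design described above can be sketched in Node.js. This is an added example, not CloudKeep's code: AES-256-GCM, the `/s/<id>` path, the `share.cloudkeep.example` host, and all function names are assumptions.

```javascript
// Added example: cipher choice, URL layout and names are assumptions.
const crypto = require('node:crypto');

// Sender: re-encrypt the secret under a fresh one-time key and build the link.
function createShareLink(secret, baseUrl) {
  const key = crypto.randomBytes(32); // one-time AES-256 key, never uploaded
  const iv = crypto.randomBytes(12);  // 96-bit GCM nonce
  const cipher = crypto.createCipheriv('aes-256-gcm', key, iv);
  const ct = Buffer.concat([cipher.update(secret, 'utf8'), cipher.final()]);
  const blob = Buffer.concat([iv, cipher.getAuthTag(), ct]); // all the server stores
  const id = crypto.randomBytes(16).toString('base64url');
  return { id, blob, link: `${baseUrl}/s/${id}#${key.toString('base64url')}` };
}

// What an HTTP client sends for the link: path and query only, no fragment.
function requestTarget(link) {
  const u = new URL(link);
  return u.pathname + u.search;
}

// Recipient: take the key from the fragment and decrypt the fetched blob locally.
function openShareLink(link, blob) {
  const key = Buffer.from(new URL(link).hash.slice(1), 'base64url');
  if (key.length !== 32) throw new Error('link has no valid key fragment');
  const decipher = crypto.createDecipheriv('aes-256-gcm', key, blob.subarray(0, 12));
  decipher.setAuthTag(blob.subarray(12, 28));
  // final() throws if the key is wrong or the stored blob was modified.
  const pt = Buffer.concat([decipher.update(blob.subarray(28)), decipher.final()]);
  return pt.toString('utf8');
}

// Constructed sample secret and host, for illustration only.
const SAMPLE_SECRET = 'db-password-constructed-sample';
const share = createShareLink(SAMPLE_SECRET, 'https://share.cloudkeep.example');
console.log('server sees request for:', requestTarget(share.link));
console.log('recipient decrypts:', openShareLink(share.link, share.blob));
```

Expiration, password, and single-view checks are enforced when the blob is fetched and are outside this sketch.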
Access Requests
Not every permission change has to be initiated by an admin. CloudKeep supports an access request workflow:
- A team member navigates to a vault they do not have access to.
- They click Request Access and provide a reason.
- Vault admins and owners receive a notification (email, Slack, or Discord via webhooks).
- An admin approves or denies the request with one click.
- If approved, the vault key is encrypted for the new member and they gain immediate access.
This keeps the principle of least privilege intact while reducing friction for legitimate access needs.
Emergency Access
For business continuity, CloudKeep supports emergency access contacts. You designate trusted team members who can request access to your personal vaults in an emergency. The process includes a configurable waiting period (24 hours by default) during which you can deny the request. If you do not respond within the waiting period, access is automatically granted.
This ensures that if a team member is unavailable (on vacation, unreachable, or no longer with the company), critical secrets are not permanently locked away.
Getting Started with Teams
Setting up team collaboration takes less than five minutes:
- Create an organization from your dashboard.
- Invite team members by email.
- Create vaults and assign permissions.
- Start collaborating on shared secrets.
Every action is logged in the audit trail, so you always know who accessed what and when.