
Client keys

Create and manage CipherStash client keys for SDKs and Proxy, covering device-backed keys for local development and application keys for production and CI.

A client key is the cryptographic credential assigned to an instance of CipherStash Proxy or an application using an SDK like the Encryption SDK. Each client key gets a unique ID and key pair, so you can revoke its access at any time.

Types of client keys

CipherStash has two types of client keys:

Device-backed client keys

Device-backed client keys are created automatically when a developer runs npx stash init. They are tied to a specific developer's user account and device.

  • Created automatically during initialization — no manual setup required
  • Each developer gets their own unique client key
  • Used for local development only
  • Access can be revoked per developer without affecting other team members

Application client keys

Application client keys are created manually in the Dashboard for production, CI/CD, and other non-interactive environments.

  • No device attached — identified solely by CS_CLIENT_ID and CS_CLIENT_KEY
  • Used for production and CI/CD where there is no interactive login
  • Credentials are set via environment variables

See Going to production for a guide to creating application client keys.

Client keys and keysets

When created, each client key is associated with a keyset. This allows the client key to perform encryption and decryption operations within the keyset.

Granting access to additional keysets

When creating a new client key, you can associate it with one or more keysets to grant access to the encrypted data in those keysets.

Revoking access to a client key

You can revoke a client key's access at any time by removing its association with the keysets. The client key can then no longer access the encrypted data in those keysets.

Creating a client key

Automatic (local development)

Run npx stash init to create a device-backed client key automatically. See Getting started.

Manual (production)

In the CipherStash Dashboard, you can create an application client key by clicking the Create a new client button on the Clients page.
