Prove you're here.
Hardware-backed authentication that issues short-lived credentials only after a human touches a YubiKey. One touch, one PIN, one 8-hour session; then SSH and AWS just work.

```
$ vouch login
Touch your YubiKey...
Enter PIN: ****
✓ Authenticated as you@company.com
✓ Session valid for 8 hours

$ ssh prod.example.com    # Just works
$ aws s3 ls               # Just works
$ git push origin main    # Just works
```

Modern authentication is broken in three ways:

- Push notification fatigue: Duo pings you 47 times a day. Users approve reflexively. MFA fatigue attacks succeed because humans are tired.
- Credential sprawl: long-lived API keys in `~/.aws/credentials`. GitHub PATs that never expire. SSH keys from 2019 still floating around.
- No presence verification: existing tools verify devices or sessions, but not that a human is actually there. A compromised laptop with cached credentials is indistinguishable from its owner.
Vouch requires physical presence for every credential issuance:
| Traditional Auth | Vouch |
|---|---|
| Password + SMS/Push | YubiKey touch + PIN |
| Long-lived API keys | 8-hour certificates |
| "Remember this device" | Per-session attestation |
| Optional hardware MFA | Mandatory hardware MFA |
| Device trust | Human presence proof |
```
+----------------------------------------------------------------------+
|  Your Machine                                                        |
|                                                                      |
|   +------------+     +------------+     +--------------------------+ |
|   |  YubiKey   |---->|   vouch    |---->| Short-lived credentials  | |
|   |  (touch)   |     |   login    |     | managed by vouch agent   | |
|   +------------+     +------------+     +--------------------------+ |
|                             |                         |              |
|                             v                         v              |
|                      +------------+          +----------------+      |
|                      |   vouch    |          |  Native tools  |      |
|                      |   server   |          |   (ssh, aws)   |      |
|                      |   (OIDC)   |          |                |      |
|                      +------------+          +----------------+      |
+----------------------------------------------------------------------+
```

- `vouch login`: touch your YubiKey, enter your PIN, get an 8-hour session
- Vouch issues credentials: SSH certificates, AWS STS tokens
- Tools just work: standard credential helpers, no wrappers needed
Unlike optional MFA that can be bypassed, Vouch only issues credentials after FIDO2 verification. The credential itself carries proof of presence.
- SSH certificates: 8 hours
- AWS credentials: 1 hour (auto-refresh within session)
No more rotating keys. No more revoking access. Credentials simply expire.
Vouch configures standard credential providers:

- SSH: `IdentityAgent` pointing to vouch's signing agent
- AWS: `credential_process` in `~/.aws/config`

After `vouch login`, existing workflows are unchanged.
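The two lifetimes stated above (8-hour SSH certificates, 1-hour AWS credentials) and the `credential_process` contract are easy to assert and worth verifying on a workstation. The script below is an added example, not code from the vouch project: `ssh_cert_validity()` walks the OpenSSH certificate wire format far enough to read a certificate's validity window so `ssh_cert_is_short_lived()` can compare it with the 8-hour policy, and `aws_credential_process_ok()` validates the JSON an AWS `credential_process` helper prints (Version 1, temporary key material with a session token, and an ISO-8601 `Expiration`). The sample certificate is constructed inline with placeholder key bytes and a dummy signature (the CA signature is deliberately not verified here), and the sample credential JSON is likewise constructed. On a real machine you would feed it a certificate line from `ssh-add -L` (with `SSH_AUTH_SOCK` pointing at the agent) and the stdout of the configured helper.

```python
# Added example (not part of vouch): audit checks for the two credential
# lifetimes stated in the README and for the credential_process JSON contract.
import base64
import json
import struct
from datetime import datetime, timedelta, timezone

SSH_CERT_MAX = timedelta(hours=8)  # README policy: SSH certificates live 8 hours
AWS_CRED_MAX = timedelta(hours=1)  # README policy: AWS credentials live 1 hour


def _read_string(buf: bytes, off: int):
    """Read one SSH wire-format string: uint32 length prefix, then the bytes."""
    (n,) = struct.unpack_from(">I", buf, off)
    return buf[off + 4:off + 4 + n], off + 4 + n


def ssh_cert_validity(cert_line: str):
    """Return (valid_after, valid_before) as UTC datetimes for one OpenSSH
    certificate line ("<type> <base64> [comment]"). Fields after the window are
    not parsed and the CA signature is not verified here."""
    cert_type, b64 = cert_line.split()[:2]
    blob = base64.b64decode(b64)
    wire_type, off = _read_string(blob, 0)
    if wire_type.decode() != cert_type:
        raise ValueError("certificate type mismatch")
    _nonce, off = _read_string(blob, off)
    # The public key encoding that follows the nonce depends on the key type.
    if cert_type == "ssh-ed25519-cert-v01@openssh.com":
        _pk, off = _read_string(blob, off)
    elif cert_type.startswith("ecdsa-sha2-nistp"):
        _curve, off = _read_string(blob, off)
        _point, off = _read_string(blob, off)
    elif cert_type == "ssh-rsa-cert-v01@openssh.com":
        _e, off = _read_string(blob, off)
        _n, off = _read_string(blob, off)
    else:
        raise ValueError(f"unsupported certificate type {cert_type}")
    _serial, _kind = struct.unpack_from(">QI", blob, off)  # serial, user/host type
    off += 12
    _key_id, off = _read_string(blob, off)
    _principals, off = _read_string(blob, off)
    valid_after, valid_before = struct.unpack_from(">QQ", blob, off)
    return (datetime.fromtimestamp(valid_after, tz=timezone.utc),
            datetime.fromtimestamp(valid_before, tz=timezone.utc))


def ssh_cert_is_short_lived(cert_line: str, limit: timedelta = SSH_CERT_MAX) -> bool:
    """True when the certificate's window is positive and no longer than the limit."""
    after, before = ssh_cert_validity(cert_line)
    return timedelta(0) < before - after <= limit


def aws_credential_process_ok(output: str, now: datetime,
                              limit: timedelta = AWS_CRED_MAX) -> bool:
    """Validate credential_process stdout: Version 1, temporary key material
    including a SessionToken, and an Expiration no more than `limit` away."""
    try:
        creds = json.loads(output)
    except json.JSONDecodeError:
        return False
    if creds.get("Version") != 1:
        return False
    if not all(creds.get(k) for k in ("AccessKeyId", "SecretAccessKey",
                                      "SessionToken", "Expiration")):
        return False
    exp = datetime.fromisoformat(creds["Expiration"].replace("Z", "+00:00"))
    return now < exp <= now + limit


def _wire_string(b: bytes) -> bytes:
    return struct.pack(">I", len(b)) + b


def build_sample_ed25519_cert(valid_after: datetime, valid_before: datetime) -> str:
    """Constructed fixture: a structurally valid ed25519 certificate with
    placeholder key bytes and a dummy, unsigned signature field."""
    blob = b"".join([
        _wire_string(b"ssh-ed25519-cert-v01@openssh.com"),
        _wire_string(b"\x00" * 32),                        # nonce
        _wire_string(b"\x11" * 32),                        # placeholder public key
        struct.pack(">QI", 1, 1),                          # serial, type = user cert
        _wire_string(b"you@company.com"),                  # key id
        _wire_string(_wire_string(b"you")),                # principals list
        struct.pack(">QQ", int(valid_after.timestamp()), int(valid_before.timestamp())),
        _wire_string(b""), _wire_string(b""), _wire_string(b""),  # options, extensions, reserved
        _wire_string(_wire_string(b"ssh-ed25519") + _wire_string(b"\x22" * 32)),  # CA key
        _wire_string(b"\x33" * 64),                        # dummy signature
    ])
    return "ssh-ed25519-cert-v01@openssh.com " + base64.b64encode(blob).decode()


# Constructed inputs: a fixed "now", one compliant and one over-long case of each.
NOW = datetime(2025, 1, 1, 9, 0, tzinfo=timezone.utc)
GOOD_CERT = build_sample_ed25519_cert(NOW, NOW + timedelta(hours=8))
STALE_CERT = build_sample_ed25519_cert(NOW, NOW + timedelta(days=365))
GOOD_CREDS = json.dumps({"Version": 1, "AccessKeyId": "ASIAEXAMPLEPLACEHOLDER",
                         "SecretAccessKey": "secret-placeholder",
                         "SessionToken": "token-placeholder",
                         "Expiration": "2025-01-01T10:00:00Z"})
LONG_CREDS = GOOD_CREDS.replace("T10:00:00Z", "T21:00:00Z")

if __name__ == "__main__":
    print("8h SSH cert within policy:", ssh_cert_is_short_lived(GOOD_CERT))         # True
    print("1y SSH cert within policy:", ssh_cert_is_short_lived(STALE_CERT))        # False
    print("1h AWS creds within policy:", aws_credential_process_ok(GOOD_CREDS, NOW))  # True
    print("12h AWS creds within policy:", aws_credential_process_ok(LONG_CREDS, NOW)) # False
```

The parser stops at the validity window on purpose: checking lifetime is a policy audit, not authentication, and the host's `sshd` is what verifies the CA signature and principals. Requiring `SessionToken` in the AWS check is the point of the exercise, since a helper that emits long-term keys without one would quietly reintroduce the credential sprawl this design is meant to remove.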
```bash
# macOS
brew install vouch-sh/tap/vouch

# Linux (Debian/Ubuntu)
# See https://packages.vouch.sh for repository setup
sudo apt install vouch

# Linux (RPM-based)
# See https://packages.vouch.sh for repository setup
sudo dnf install vouch

# From source
cargo install --git https://github.com/vouch-sh/vouch vouch-cli
```

```bash
# Enroll with your YubiKey (one-time, opens browser)
vouch enroll

# Configure integrations
vouch setup ssh                                    # Configures SSH to use vouch certificates
vouch setup aws --role arn:aws:iam::ID:role/name   # Configures AWS credential_process
vouch setup eks --cluster my-cluster               # Configures kubectl for EKS via IAM
vouch setup github --configure                     # Configures git credential helper for GitHub
```

```bash
# Start your day
vouch login

# Everything just works for 8 hours
ssh prod-server
aws s3 ls
git clone https://github.com/your-org/private-repo.git

# Check session status
vouch status
```

- YubiKey 5 series (firmware 5.2+) with FIDO2/WebAuthn support
- macOS 12+ or Linux (glibc 2.31+); Windows support is planned
- For AWS: IAM role with OIDC federation configured
- For EKS: cluster with Access Entries configured for the IAM role
- For SSH: CA public key distributed to target hosts
- For GitHub: organization admin connects the Vouch GitHub App
Vouch consists of:

| Component | Description | Source |
|---|---|---|
| `vouch` CLI | User-facing commands, credential helpers | Open source (Apache-2.0 OR MIT) |
| `vouch-agent` | Background daemon, session management | Open source (Apache-2.0 OR MIT) |
| `vouch-common` | Shared types, FIDO2 helpers, API client | Open source (Apache-2.0 OR MIT) |
| Vouch Server | OIDC provider, certificate authority | BSL 1.1 (converts to Apache-2.0) |
The CLI is fully open source for security auditing. The server source is available under the Business Source License 1.1, which converts to Apache-2.0 after two years.
Vouch is designed for high-security environments:

- Memory-safe implementation: written in Rust
- No credential storage: Vouch never sees your private keys
- Cryptographic presence attestation: FIDO2 with user verification
- Short-lived credentials: minimize the blast radius of a compromise
- Audit trail: every credential issuance is logged with its attestation
See the Security Model for our security philosophy and the Threat Model for STRIDE analysis.
Full documentation is available as an mdBook:

```bash
# Build and serve locally
make docs-serve
```

Key sections:

- Getting Started: installation and first enrollment
- Server Deployment: deploy and configure the Vouch server
- Integrations: SSH, AWS, EKS, GitHub, Docker, and more
- Architecture: system design and data flows
- Security Model: security controls and incident response
- Threat Model: STRIDE analysis and mitigations
- Air-Gapped Deployment: on-premises installation guide
We welcome contributions! See CONTRIBUTING.md for guidelines.
The CLI is open source under Apache-2.0 OR MIT. We believe security tools should be auditable.
- CLI, agent, and shared libraries: Apache-2.0 OR MIT
- Server: BSL 1.1 (converts to Apache-2.0 after 2 years)
- Documentation: CC-BY-4.0
Vouch: Prove you're here.

Website · Documentation · GitHub