added vault documentation

saminacodes · saminacodes · commit 99f34b4d8423 · 2025-05-05T16:43:25.000-06:00
diff --git a/apps/portal/src/app/Header.tsx b/apps/portal/src/app/Header.tsx
@@ -45,6 +45,10 @@ const links = [
 ];
 
 const toolLinks = [
+  {
+    name: "Vault",
+    href: "/vault",
+  },
   {
     name: "Chain List",
     href: "https://thirdweb.com/chainlist",
diff --git a/apps/portal/src/app/vault/get-started/page.mdx b/apps/portal/src/app/vault/get-started/page.mdx
@@ -0,0 +1,9 @@
+import { Callout } from "@doc";
+import { createMetadata } from "@/components/Document";
+
+# Get Started with Vault
+
+<Callout variant="info" title="Engine Vault">
+Vault is currently in beta as a part of Engine Cloud and will expand into more products. [Learn how to setup and manage your Vault with thirdweb Engine.](/engine/get-started)
+
+</Callout>
diff --git a/apps/portal/src/app/vault/key-concepts/access-control/page.mdx b/apps/portal/src/app/vault/key-concepts/access-control/page.mdx
@@ -0,0 +1,111 @@
+
+
+# Metadata-Based Access Control
+
+thirdweb Vault uses metadata patterns to map organizational structures directly into access control policies, eliminating the need to duplicate organizational hierarchies within the key management system.
+
+## Entity Tagging
+
+Each EOA can be tagged with arbitrary metadata key-value pairs representing organizational attributes:
+
+```json
+{
+  "team": "trading",
+  "region": "apac",
+  "purpose": "treasury",
+  "riskLevel": "high"
+}
+```
+
+## Pattern Matching with Rules
+
+Access tokens can be scoped using metadata rules that define precise access patterns:
+
+```json
+{
+  "metadataPatterns": [
+    {
+      "key": "team",
+      "rule": {
+        "pattern": "^trading$"
+      }
+    },
+    {
+      "key": "riskLevel",
+      "rule": {
+        "op": "lessThan",
+        "value": 3
+      }
+    }
+  ]
+}
+```
+
+## Practical Implementation Examples
+
+### Departmental Segregation
+
+An organization can create EOAs tagged with departmental metadata and issue access tokens that respect organizational boundaries:
+
+```json
+// Policy component for trading department
+{
+  "type": "eoa:signTransaction",
+  "allowlist": [],
+  "metadataPatterns": [
+    {
+      "key": "department",
+      "rule": {
+          "pattern": "^trading$"
+      }
+    },
+    {
+      "key": "region",
+      "rule": {
+          "pattern": "apac"
+      }
+    }
+  ],
+  "payloadPatterns": {
+    "chainId": [
+      {
+          "pattern": "^(1|137)$"
+      }
+    ],
+    "value": [
+      {
+            "op": "lessThan",
+            "value": "1000000000000000000"
+      }
+    ]
+  }
+}
+```
+
+### Multi-Team Collaboration
+
+For entities requiring shared access across teams:
+
+```json
+// EOA metadata
+{
+  "teams": "finance,trading,compliance",
+  "purpose": "treasury"
+}
+
+// Policy for finance team access
+{
+  "type": "eoa:signMessage",
+  "allowlist": [],
+  "metadataPatterns": [
+    {
+      "key": "teams",
+      "rule": {
+          "pattern": "finance"
+      }
+    }
+  ],
+  "chainId": 1,
+  "messagePattern": "^Confirm treasury operation:"
+}
+```
diff --git a/apps/portal/src/app/vault/key-concepts/access-tokens/page.mdx b/apps/portal/src/app/vault/key-concepts/access-tokens/page.mdx
@@ -0,0 +1,42 @@
+
+# Access Tokens
+Access tokens are a core security mechanism in thirdweb Vault that enable secure, controlled delegation of wallet operations. Created by either user accounts or service accounts, access tokens allow precise, policy-based access to account-owned entities like EOAs.
+
+### Purpose and Benefits
+
+Access tokens serve several critical functions:
+
+- **Delegation without sharing keys**: Grant specific capabilities to services, applications, or team members without exposing your admin key
+- **Fine-grained permission control**: Limit exactly what operations can be performed and under what conditions
+- **Instant revocation**: Immediately terminate access when needed
+- **Auditable access paths**: Track and monitor who has what level of access to your entities
+
+### Policy-Based Control
+
+Each access token is configured with a set of policies that define:
+
+1. **Which operations** can be performed (e.g., signing transactions, reading wallet information)
+2. **Which entities** can be accessed (using allowlists or metadata patterns)
+3. **What constraints** apply to each operation (e.g., transaction value limits, allowed chains)
+
+An access token can only perform operations explicitly permitted by its policy. For example, you might create an access token that can only:
+
+- Sign transactions on Ethereum mainnet
+- With a maximum value of 1 ETH
+- To a specific set of contract addresses
+- Using only wallets tagged with a particular purpose
+
+### Practical Applications
+
+Access tokens enable critical workflows for blockchain applications:
+
+- **Application integrations**: Let your application sign transactions without holding private keys
+- **Team collaboration**: Grant different team members appropriate access levels to shared wallets
+- **Automated processes**: Enable secure automated signing for scheduled operations
+- **Temporary access**: Create time-limited tokens for specific projects or partnerships
+
+### Using Metadata for Flexible Control
+
+A particularly powerful feature of access tokens is their ability to use metadata patterns for entity access control. Rather than maintaining explicit allowlists, you can tag your EOAs with descriptive metadata and then create access tokens that match specific patterns.
+
+This metadata-based approach provides tremendous flexibility in how you organize and control access to your wallet infrastructure, which is detailed further in the sections below
diff --git a/apps/portal/src/app/vault/key-concepts/accounts/page.mdx b/apps/portal/src/app/vault/key-concepts/accounts/page.mdx
@@ -0,0 +1,36 @@
+import { Callout } from "@doc";
+
+# Accounts
+
+Vault will support 2 accounts types
+
+1. User Account (*coming soon*):
+2. Service Account
+
+## User Account
+
+User accounts can be authenticated by:
+
+1. passkey
+2. SIWE
+3. OTP (email/SMS)
+4. oauth (google etc)
+
+These are meant to be owned and operated by end-users and are ideal for integrating with consumer facing applications that want to provide a web2 like blockchain experience, while still being fully non-custodial.
+
+## Service Accounts
+
+Service accounts in thirdweb Vault provide a hierarchical security model for organizational key management, combining administrative control with precise delegation capabilities. These are ideal for applications where you have programmatic access control needs for wallets, but still want to keep the system non-custodial.
+
+<Callout variant="info" title="Engine Service Accounts">
+thirdweb uses vault service accounts to power engine
+</Callout>
+
+### Service Account Credentials
+
+A service account has two primary credentials:
+
+1. **Admin Key**: Grants access to every operation on every entity owned by the account
+2. **Rotation Code**: Used to invalidate current credentials and generate new ones during security events
+
+Service Accounts can used in combination with access-tokens to build non-custodial programmable access control for your enterprise applications.
diff --git a/apps/portal/src/app/vault/key-concepts/entities/page.mdx b/apps/portal/src/app/vault/key-concepts/entities/page.mdx
@@ -0,0 +1,21 @@
+# Entities
+
+Entities are the resources secured by vault. Entities are owned by a vault account.
+Vault currently secures the EOA entity.
+
+## EOA
+
+An EOA (Externally Owned Account) is an EVM account controlled by a private key held by a user. It's a fundamental part of the EVM ecosystem, used for managing funds, initiating transactions, and interacting with smart contracts.
+The private key to the EOA is always stored encrypted, and only decrypted within vault.
+
+Vault supports the following EOA related operations (API reference):
+
+```typescript
+eoa:list
+eoa:create
+eoa:signMessage
+eoa:signTypedData
+eoa:signTransaction
+eoa:signStructuredMessage
+eoa:signAuthorization
+```
diff --git a/apps/portal/src/app/vault/layout.tsx b/apps/portal/src/app/vault/layout.tsx
@@ -0,0 +1,17 @@
+import { DocLayout } from "@/components/Layouts/DocLayout";
+import { createMetadata } from "@doc";
+import { sidebar } from "./sidebar";
+
+export default async function Layout(props: { children: React.ReactNode }) {
+  return (
+    <DocLayout sideBar={sidebar} editPageButton={true}>
+      {props.children}
+    </DocLayout>
+  );
+}
+
+export const metadata = createMetadata({
+  title: "Vault",
+  description:
+    "Vault is an open-source non-custodial key management service, secured with TEE architecture (AWS Nitro Enclaves) and designed for blockchain applications.",
+});
diff --git a/apps/portal/src/app/vault/page.mdx b/apps/portal/src/app/vault/page.mdx
@@ -0,0 +1,52 @@
+import { createMetadata } from "@/components/Document";
+import { DocImage, FeatureCard, OpenSourceCard, Callout } from "@doc";
+import { ArrowLeftRight, UserLock, Users, Wallet } from "lucide-react";
+
+
+export const metadata = createMetadata({
+	title: "thirdweb Vault",
+	description: "An open-source, backend server that reads, writes, and deploys contracts at production scale.",
+});
+
+
+# Vault
+
+thirdweb vault is an open-source non-custodial key management service, secured with TEE architecture (AWS Nitro Enclaves) and designed for blockchain applications.
+
+## Features
+
+<div
+	className="my-4 grid gap-2 md:grid-cols-2 lg:grid-cols-2 "
+>
+	<FeatureCard
+		title="Non-Custodial Wallets"
+		description="Generate and manage EOAs where private keys remain encrypted and secure"
+		iconUrl={<Wallet />}
+	/>
+
+    	<FeatureCard
+		title="Programmatic Signing"
+		description="Enable applications to request signatures based on rules without exposing keys"
+		iconUrl={<ArrowLeftRight />}
+	/>
+
+    <FeatureCard
+		title="Sophisticated Access Models"
+		description="Delegate signing capabilities with granular access controls"
+        iconUrl={<UserLock />}
+	/>
+
+    <FeatureCard
+		title="Flexibility"
+		description="Basic wallet functionality to multi-user organizations with complex permissioning"
+		iconUrl={<Users/>}
+	/>
+
+</div>
+
+With vault, you can build applications where:
+
+- Your users never need to manage private keys
+- Your backend services can request signatures without having access to private keys
+- Your users can create controlled access for team members, services, or automation
+- Security is enforced cryptographically, not through promises
diff --git a/apps/portal/src/app/vault/sidebar.tsx b/apps/portal/src/app/vault/sidebar.tsx
@@ -0,0 +1,45 @@
+import type { SideBar } from "@/components/Layouts/DocLayout";
+import { Key, Rocket, ShieldQuestion, Vault } from "lucide-react";
+
+export const sidebar: SideBar = {
+  name: "Vault",
+  links: [
+    {
+      name: "Overview",
+      href: "/vault",
+      icon: <Vault />,
+    },
+    {
+      name: "Get Started",
+      href: "/vault/get-started",
+      icon: <Rocket />,
+    },
+    {
+      name: "Key Concepts",
+      icon: <Key />,
+      links: [
+        {
+          name: "Entities",
+          href: "/vault/key-concepts/entities",
+        },
+        {
+          name: "Accounts",
+          href: "/vault/key-concepts/accounts",
+        },
+        {
+          name: "Access Tokens",
+          href: "/vault/key-concepts/accounts",
+        },
+        {
+          name: "Access Control",
+          href: "/vault/key-concepts/access-control",
+        },
+      ],
+    },
+    {
+      name: "Security",
+      href: "/vault/key-concepts/security",
+      icon: <ShieldQuestion />,
+    },
+  ],
+};
