diff --git a/.changeset/icy-islands-dress.md b/.changeset/icy-islands-dress.md
new file mode 100644
index 00000000000..d099bb7f5a1
--- /dev/null
+++ b/.changeset/icy-islands-dress.md
@@ -0,0 +1,5 @@
+---
+"@thirdweb-dev/service-utils": patch
+---
+
+Add encryption utilities
diff --git a/.changeset/loud-mails-peel.md b/.changeset/loud-mails-peel.md
new file mode 100644
index 00000000000..5f462db9409
--- /dev/null
+++ b/.changeset/loud-mails-peel.md
@@ -0,0 +1,5 @@
+---
+"thirdweb": patch
+---
+
+Make vault access token optional
diff --git a/apps/dashboard/src/@/components/project/create-project-modal/index.tsx b/apps/dashboard/src/@/components/project/create-project-modal/index.tsx
index 01b23707ae3..97ec1dd59b8 100644
--- a/apps/dashboard/src/@/components/project/create-project-modal/index.tsx
+++ b/apps/dashboard/src/@/components/project/create-project-modal/index.tsx
@@ -38,6 +38,7 @@ import { createProjectClient } from "@/hooks/useApi";
 import { useDashboardRouter } from "@/lib/DashboardRouter";
 import { projectDomainsSchema, projectNameSchema } from "@/schema/validations";
 import { toArrFromList } from "@/utils/string";
+import { createVaultAccountAndAccessToken } from "../../../../app/(app)/team/[team_slug]/[project_slug]/(sidebar)/transactions/lib/vault.client";
 
 const ALL_PROJECT_SERVICES = SERVICES.filter(
   (srv) => srv.name !== "relayer" && srv.name !== "chainsaw",
@@ -63,6 +64,10 @@ const CreateProjectDialog = (props: CreateProjectDialogProps) => {
     <CreateProjectDialogUI
       createProject={async (params) => {
         const res = await createProjectClient(props.teamId, params);
+        await createVaultAccountAndAccessToken({
+          project: res.project,
+          projectSecretKey: res.secret,
+        });
         return {
           project: res.project,
           secret: res.secret,
diff --git a/apps/dashboard/src/@/hooks/useApi.ts b/apps/dashboard/src/@/hooks/useApi.ts
index 5f7e75e9431..ca7d4864167 100644
--- a/apps/dashboard/src/@/hooks/useApi.ts
+++ b/apps/dashboard/src/@/hooks/useApi.ts
@@ -2,6 +2,7 @@ import { useMutation, useQuery, useQueryClient } from "@tanstack/react-query";
 import { useActiveAccount } from "thirdweb/react";
 import { apiServerProxy } from "@/actions/proxies";
 import type { Project } from "@/api/projects";
+import { createVaultAccountAndAccessToken } from "../../app/(app)/team/[team_slug]/[project_slug]/(sidebar)/transactions/lib/vault.client";
 import { accountKeys, authorizedWallets } from "../query-keys/cache-keys";
 
 // FIXME: We keep repeating types, API server should provide them
@@ -311,26 +312,35 @@ export type RotateSecretKeyAPIReturnType = {
   data: {
     secret: string;
     secretMasked: string;
+    secretHash: string;
   };
 };
 
-export async function rotateSecretKeyClient(params: {
-  teamId: string;
-  projectId: string;
-}) {
+export async function rotateSecretKeyClient(params: { project: Project }) {
   const res = await apiServerProxy<RotateSecretKeyAPIReturnType>({
     body: JSON.stringify({}),
     headers: {
       "Content-Type": "application/json",
     },
     method: "POST",
-    pathname: `/v1/teams/${params.teamId}/projects/${params.projectId}/rotate-secret-key`,
+    pathname: `/v1/teams/${params.project.teamId}/projects/${params.project.id}/rotate-secret-key`,
   });
 
   if (!res.ok) {
     throw new Error(res.error);
   }
 
+  try {
+    // if the project has a vault admin key, rotate it as well
+    await createVaultAccountAndAccessToken({
+      project: params.project,
+      projectSecretKey: res.data.data.secret,
+      projectSecretHash: res.data.data.secretHash,
+    });
+  } catch (error) {
+    console.error("Failed to rotate vault admin key", error);
+  }
+
   return res.data;
 }
 
diff --git a/apps/dashboard/src/app/(app)/team/[team_slug]/[project_slug]/(sidebar)/components/ProjectFTUX/ProjectFTUX.tsx b/apps/dashboard/src/app/(app)/team/[team_slug]/[project_slug]/(sidebar)/components/ProjectFTUX/ProjectFTUX.tsx
index c7b42c1c6f8..44bb77edba4 100644
--- a/apps/dashboard/src/app/(app)/team/[team_slug]/[project_slug]/(sidebar)/components/ProjectFTUX/ProjectFTUX.tsx
+++ b/apps/dashboard/src/app/(app)/team/[team_slug]/[project_slug]/(sidebar)/components/ProjectFTUX/ProjectFTUX.tsx
@@ -62,9 +62,8 @@ function IntegrateAPIKeySection({
           <ClientIDSection clientId={clientId} />
           {secretKeyMasked && (
             <SecretKeySection
-              projectId={project.id}
+              project={project}
               secretKeyMasked={secretKeyMasked}
-              teamId={project.teamId}
             />
           )}
         </div>
diff --git a/apps/dashboard/src/app/(app)/team/[team_slug]/[project_slug]/(sidebar)/components/ProjectFTUX/SecretKeySection.tsx b/apps/dashboard/src/app/(app)/team/[team_slug]/[project_slug]/(sidebar)/components/ProjectFTUX/SecretKeySection.tsx
index 0dd204a0820..dcb5fa6f7f9 100644
--- a/apps/dashboard/src/app/(app)/team/[team_slug]/[project_slug]/(sidebar)/components/ProjectFTUX/SecretKeySection.tsx
+++ b/apps/dashboard/src/app/(app)/team/[team_slug]/[project_slug]/(sidebar)/components/ProjectFTUX/SecretKeySection.tsx
@@ -1,13 +1,13 @@
 "use client";
 
 import { useState } from "react";
+import type { Project } from "@/api/projects";
 import { rotateSecretKeyClient } from "@/hooks/useApi";
 import { RotateSecretKeyButton } from "../../settings/ProjectGeneralSettingsPage";
 
 export function SecretKeySection(props: {
   secretKeyMasked: string;
-  teamId: string;
-  projectId: string;
+  project: Project;
 }) {
   const [secretKeyMasked, setSecretKeyMasked] = useState(props.secretKeyMasked);
 
@@ -31,8 +31,7 @@ export function SecretKeySection(props: {
           }}
           rotateSecretKey={async () => {
             return rotateSecretKeyClient({
-              projectId: props.projectId,
-              teamId: props.teamId,
+              project: props.project,
             });
           }}
         />
diff --git a/apps/dashboard/src/app/(app)/team/[team_slug]/[project_slug]/(sidebar)/settings/ProjectGeneralSettingsPage.stories.tsx b/apps/dashboard/src/app/(app)/team/[team_slug]/[project_slug]/(sidebar)/settings/ProjectGeneralSettingsPage.stories.tsx
index ee6a3ea0c6c..4dec460db9f 100644
--- a/apps/dashboard/src/app/(app)/team/[team_slug]/[project_slug]/(sidebar)/settings/ProjectGeneralSettingsPage.stories.tsx
+++ b/apps/dashboard/src/app/(app)/team/[team_slug]/[project_slug]/(sidebar)/settings/ProjectGeneralSettingsPage.stories.tsx
@@ -47,6 +47,7 @@ function Story(props: { isOwnerAccount: boolean }) {
             data: {
               secret: `sk_${new Array(86).fill("x").join("")}`,
               secretMasked: "sk_123...4567",
+              secretHash: "sk_123...4567",
             },
           };
         }}
diff --git a/apps/dashboard/src/app/(app)/team/[team_slug]/[project_slug]/(sidebar)/settings/ProjectGeneralSettingsPage.tsx b/apps/dashboard/src/app/(app)/team/[team_slug]/[project_slug]/(sidebar)/settings/ProjectGeneralSettingsPage.tsx
index 5446c232d2f..8a55ee8f95e 100644
--- a/apps/dashboard/src/app/(app)/team/[team_slug]/[project_slug]/(sidebar)/settings/ProjectGeneralSettingsPage.tsx
+++ b/apps/dashboard/src/app/(app)/team/[team_slug]/[project_slug]/(sidebar)/settings/ProjectGeneralSettingsPage.tsx
@@ -135,8 +135,7 @@ export function ProjectGeneralSettingsPage(props: {
       project={props.project}
       rotateSecretKey={async () => {
         return rotateSecretKeyClient({
-          projectId: props.project.id,
-          teamId: props.project.teamId,
+          project: props.project,
         });
       }}
       showNebulaSettings={props.showNebulaSettings}
diff --git a/apps/dashboard/src/app/(app)/team/[team_slug]/[project_slug]/(sidebar)/transactions/analytics/ftux.client.tsx b/apps/dashboard/src/app/(app)/team/[team_slug]/[project_slug]/(sidebar)/transactions/analytics/ftux.client.tsx
index 01435e37191..dca92156fd0 100644
--- a/apps/dashboard/src/app/(app)/team/[team_slug]/[project_slug]/(sidebar)/transactions/analytics/ftux.client.tsx
+++ b/apps/dashboard/src/app/(app)/team/[team_slug]/[project_slug]/(sidebar)/transactions/analytics/ftux.client.tsx
@@ -1,6 +1,6 @@
 "use client";
 import Link from "next/link";
-import { useMemo, useState } from "react";
+import { useMemo } from "react";
 import type { ThirdwebClient } from "thirdweb";
 import type { Project } from "@/api/projects";
 import { type Step, StepsCard } from "@/components/blocks/StepsCard";
@@ -9,7 +9,6 @@ import { CreateVaultAccountButton } from "../../vault/components/create-vault-ac
 import CreateServerWallet from "../server-wallets/components/create-server-wallet.client";
 import type { Wallet } from "../server-wallets/wallet-table/types";
 import { SendTestTransaction } from "./send-test-tx.client";
-import { deleteUserAccessToken } from "./utils";
 
 interface Props {
   managementAccessToken: string | undefined;
@@ -19,27 +18,12 @@ interface Props {
   teamSlug: string;
   testTxWithWallet?: string | undefined;
   client: ThirdwebClient;
+  isManagedVault: boolean;
 }
 
 export const EngineChecklist: React.FC<Props> = (props) => {
-  const [userAccessToken, setUserAccessToken] = useState<string | undefined>();
-
   const finalSteps = useMemo(() => {
     const steps: Step[] = [];
-    steps.push({
-      children: (
-        <CreateVaultAccountStep
-          onUserAccessTokenCreated={(token) => setUserAccessToken(token)}
-          project={props.project}
-          teamSlug={props.teamSlug}
-        />
-      ),
-      completed: !!props.managementAccessToken,
-      description:
-        "Vault is thirdweb's key management system. It allows you to create secure server wallets and manage access tokens.",
-      showCompletedChildren: false,
-      title: "Create a Vault Admin Account",
-    });
     steps.push({
       children: (
         <CreateServerWalletStep
@@ -48,7 +32,7 @@ export const EngineChecklist: React.FC<Props> = (props) => {
           teamSlug={props.teamSlug}
         />
       ),
-      completed: props.wallets.length > 0,
+      completed: props.wallets.length > 0 || props.hasTransactions,
       description:
         "Server wallets are smart wallets, they don't require any gas funds to send transactions.",
       showCompletedChildren: false,
@@ -58,10 +42,10 @@ export const EngineChecklist: React.FC<Props> = (props) => {
     steps.push({
       children: (
         <SendTestTransaction
+          isManagedVault={props.isManagedVault}
           client={props.client}
           project={props.project}
           teamSlug={props.teamSlug}
-          userAccessToken={userAccessToken}
           wallets={props.wallets}
         />
       ),
@@ -78,9 +62,9 @@ export const EngineChecklist: React.FC<Props> = (props) => {
     props.project,
     props.wallets,
     props.hasTransactions,
-    userAccessToken,
     props.teamSlug,
     props.client,
+    props.isManagedVault,
   ]);
 
   const isComplete = useMemo(
@@ -91,10 +75,10 @@ export const EngineChecklist: React.FC<Props> = (props) => {
   if (props.testTxWithWallet) {
     return (
       <SendTestTransaction
+        isManagedVault={props.isManagedVault}
         client={props.client}
         project={props.project}
         teamSlug={props.teamSlug}
-        userAccessToken={userAccessToken}
         walletId={props.testTxWithWallet}
         wallets={props.wallets}
       />
@@ -102,8 +86,6 @@ export const EngineChecklist: React.FC<Props> = (props) => {
   }
 
   if (finalSteps.length === 0 || isComplete) {
-    // clear token from local storage after FTUX is complete
-    deleteUserAccessToken(props.project.id);
     return null;
   }
   return (
@@ -122,10 +104,7 @@ function CreateVaultAccountStep(props: {
 }) {
   return (
     <div className="mt-4 flex flex-row gap-4">
-      <CreateVaultAccountButton
-        onUserAccessTokenCreated={props.onUserAccessTokenCreated}
-        project={props.project}
-      />
+      <CreateVaultAccountButton project={props.project} />
       <Button asChild variant="outline">
         <Link
           href="https://portal.thirdweb.com/vault"
diff --git a/apps/dashboard/src/app/(app)/team/[team_slug]/[project_slug]/(sidebar)/transactions/analytics/send-test-tx.client.tsx b/apps/dashboard/src/app/(app)/team/[team_slug]/[project_slug]/(sidebar)/transactions/analytics/send-test-tx.client.tsx
index a5434cd227b..701ad1e66d6 100644
--- a/apps/dashboard/src/app/(app)/team/[team_slug]/[project_slug]/(sidebar)/transactions/analytics/send-test-tx.client.tsx
+++ b/apps/dashboard/src/app/(app)/team/[team_slug]/[project_slug]/(sidebar)/transactions/analytics/send-test-tx.client.tsx
@@ -11,7 +11,6 @@ import { engineCloudProxy } from "@/actions/proxies";
 import type { Project } from "@/api/projects";
 import { SingleNetworkSelector } from "@/components/blocks/NetworkSelectors";
 import { Button } from "@/components/ui/button";
-import { CopyTextButton } from "@/components/ui/CopyTextButton";
 import { Input } from "@/components/ui/input";
 import {
   Select,
@@ -24,10 +23,9 @@ import { useAllChainsData } from "@/hooks/chains/allChains";
 import { useDashboardRouter } from "@/lib/DashboardRouter";
 import type { Wallet } from "../server-wallets/wallet-table/types";
 import { SmartAccountCell } from "../server-wallets/wallet-table/wallet-table-ui.client";
-import { deleteUserAccessToken, getUserAccessToken } from "./utils";
 
 const formSchema = z.object({
-  accessToken: z.string().min(1, "Access token is required"),
+  secretKey: z.string().min(1, "Secret key is required"),
   chainId: z.number(),
   walletIndex: z.string(),
 });
@@ -38,9 +36,9 @@ export function SendTestTransaction(props: {
   wallets?: Wallet[];
   project: Project;
   teamSlug: string;
-  userAccessToken?: string;
   expanded?: boolean;
   walletId?: string;
+  isManagedVault: boolean;
   client: ThirdwebClient;
 }) {
   const queryClient = useQueryClient();
@@ -49,12 +47,9 @@ export function SendTestTransaction(props: {
 
   const chainsQuery = useAllChainsData();
 
-  const userAccessToken =
-    props.userAccessToken ?? getUserAccessToken(props.project.id) ?? "";
-
   const form = useForm<FormValues>({
     defaultValues: {
-      accessToken: userAccessToken,
+      secretKey: "",
       chainId: 84532,
       walletIndex:
         props.wallets && props.walletId
@@ -73,7 +68,7 @@ export function SendTestTransaction(props: {
   const sendDummyTxMutation = useMutation({
     mutationFn: async (args: {
       walletAddress: string;
-      accessToken: string;
+      secretKey: string;
       chainId: number;
     }) => {
       const response = await engineCloudProxy({
@@ -93,7 +88,9 @@ export function SendTestTransaction(props: {
           "Content-Type": "application/json",
           "x-client-id": props.project.publishableKey,
           "x-team-id": props.project.teamId,
-          "x-vault-access-token": args.accessToken,
+          ...(props.isManagedVault
+            ? { "x-secret-key": args.secretKey }
+            : { "x-vault-access-token": args.secretKey }),
         },
         method: "POST",
         pathname: "/v1/write/transaction",
@@ -123,7 +120,7 @@ export function SendTestTransaction(props: {
 
   const onSubmit = async (data: FormValues) => {
     await sendDummyTxMutation.mutateAsync({
-      accessToken: data.accessToken,
+      secretKey: data.secretKey,
       chainId: data.chainId,
       walletAddress: selectedWallet.address,
     });
@@ -141,44 +138,39 @@ export function SendTestTransaction(props: {
         )}
         <p className="flex items-center gap-2 text-sm text-warning-text">
           <LockIcon className="h-4 w-4" />
-          {userAccessToken
-            ? "Copy your Vault access token, you'll need it for every HTTP call to Engine."
-            : "Every wallet action requires your Vault access token."}
+          Every server wallet action requires your{" "}
+          {props.isManagedVault ? "project secret key" : "vault access token"}.
         </p>
         <div className="h-4" />
         {/* Responsive container */}
         <div className="flex flex-col gap-2 md:flex-row md:items-end md:gap-2">
           <div className="flex-grow">
             <div className="flex flex-col gap-2">
-              <p className="text-sm">Vault Access Token</p>
-              {userAccessToken ? (
-                <div className="flex flex-col gap-2 ">
-                  <CopyTextButton
-                    className="!h-auto w-full justify-between bg-background px-3 py-3 font-mono text-xs"
-                    copyIconPosition="right"
-                    textToCopy={userAccessToken}
-                    textToShow={userAccessToken}
-                    tooltip="Copy Vault Access Token"
-                  />
-                  <p className="text-muted-foreground text-xs">
-                    This is a project-wide access token to access your server
-                    wallets. You can create more access tokens using your admin
-                    key, with granular scopes and permissions.
-                  </p>
-                </div>
-              ) : (
-                <Input
-                  placeholder="vt_act_1234....ABCD"
-                  type={userAccessToken ? "text" : "password"}
-                  {...form.register("accessToken")}
-                  className="text-xs"
-                  disabled={isLoading}
-                />
-              )}
+              <p className="text-sm">
+                {props.isManagedVault
+                  ? "Project Secret Key"
+                  : "Vault Access Token"}
+              </p>
+              <Input
+                placeholder={
+                  props.isManagedVault
+                    ? "Enter your project secret key"
+                    : "Enter your vault access token"
+                }
+                type={"password"}
+                {...form.register("secretKey")}
+                className="text-xs"
+                disabled={isLoading}
+              />
+              <p className="text-muted-foreground text-xs">
+                {props.isManagedVault
+                  ? "Your project secret key was generated when you created your project. If you lost it, you can regenerate one in the project settings."
+                  : "Your vault access token was generated when you created your vault. If you lost it, you can regenerate one in the vault settings."}
+              </p>
             </div>
           </div>
         </div>
-        <div className="h-4" />
+        <div className="h-6" />
         {/* Wallet Selector */}
         <div className="flex flex-col gap-2">
           <div className="flex flex-col gap-2 md:flex-row md:items-end md:gap-2">
@@ -268,8 +260,6 @@ export function SendTestTransaction(props: {
                 } else {
                   router.refresh();
                 }
-                // clear token from local storage after FTUX is complete
-                deleteUserAccessToken(props.project.id);
               }}
               variant="primary"
             >
diff --git a/apps/dashboard/src/app/(app)/team/[team_slug]/[project_slug]/(sidebar)/transactions/analytics/tx-table/tx-table-ui.tsx b/apps/dashboard/src/app/(app)/team/[team_slug]/[project_slug]/(sidebar)/transactions/analytics/tx-table/tx-table-ui.tsx
index 2f7c7aba132..c6310bcd9d9 100644
--- a/apps/dashboard/src/app/(app)/team/[team_slug]/[project_slug]/(sidebar)/transactions/analytics/tx-table/tx-table-ui.tsx
+++ b/apps/dashboard/src/app/(app)/team/[team_slug]/[project_slug]/(sidebar)/transactions/analytics/tx-table/tx-table-ui.tsx
@@ -64,7 +64,6 @@ export function TransactionsTableUI(props: {
 
   const pageSize = 10;
   const transactionsQuery = useQuery({
-    enabled: !!props.wallets && props.wallets.length > 0,
     placeholderData: keepPreviousData,
     queryFn: () => props.getData({ page, status }),
     queryKey: ["transactions", props.project.id, page, status],
diff --git a/apps/dashboard/src/app/(app)/team/[team_slug]/[project_slug]/(sidebar)/transactions/analytics/utils.ts b/apps/dashboard/src/app/(app)/team/[team_slug]/[project_slug]/(sidebar)/transactions/analytics/utils.ts
deleted file mode 100644
index a66a7e79469..00000000000
--- a/apps/dashboard/src/app/(app)/team/[team_slug]/[project_slug]/(sidebar)/transactions/analytics/utils.ts
+++ /dev/null
@@ -1,21 +0,0 @@
-export function storeUserAccessToken(projectId: string, accessToken: string) {
-  localStorage.setItem(
-    `thirdweb:engine-cloud-user-access-token-${projectId}`,
-    accessToken,
-  );
-}
-
-export function getUserAccessToken(projectId: string) {
-  if (typeof localStorage === "undefined") {
-    return null;
-  }
-  return localStorage.getItem(
-    `thirdweb:engine-cloud-user-access-token-${projectId}`,
-  );
-}
-
-export function deleteUserAccessToken(projectId: string) {
-  localStorage.removeItem(
-    `thirdweb:engine-cloud-user-access-token-${projectId}`,
-  );
-}
diff --git a/apps/dashboard/src/app/(app)/team/[team_slug]/[project_slug]/(sidebar)/transactions/lib/vault.client.ts b/apps/dashboard/src/app/(app)/team/[team_slug]/[project_slug]/(sidebar)/transactions/lib/vault.client.ts
index c740c125ab0..f83e7944617 100644
--- a/apps/dashboard/src/app/(app)/team/[team_slug]/[project_slug]/(sidebar)/transactions/lib/vault.client.ts
+++ b/apps/dashboard/src/app/(app)/team/[team_slug]/[project_slug]/(sidebar)/transactions/lib/vault.client.ts
@@ -1,8 +1,11 @@
 "use client";
 
+import { encrypt } from "@thirdweb-dev/service-utils";
 import {
   createAccessToken,
+  createServiceAccount,
   createVaultClient,
+  rotateServiceAccount,
   type VaultClient,
 } from "@thirdweb-dev/vault-sdk";
 import type { Project } from "@/api/projects";
@@ -27,6 +30,183 @@ export async function initVaultClient() {
   return vc;
 }
 
+export async function createVaultAccountAndAccessToken(props: {
+  project: Project;
+  projectSecretKey?: string;
+  projectSecretHash?: string;
+}) {
+  try {
+    const vaultClient = await initVaultClient();
+
+    const service = props.project.services.find(
+      (service) => service.name === "engineCloud",
+    );
+    const storedRotationCode = service?.rotationCode;
+    const storedEncryptedAdminKey = service?.encryptedAdminKey;
+
+    let adminKey: string | null = null;
+    let rotationCode: string | null = null;
+
+    if (storedRotationCode && storedEncryptedAdminKey) {
+      // if the project has a managed vault admin key, rotate it
+      const rotateServiceAccountRes = await rotateServiceAccount({
+        client: vaultClient,
+        request: {
+          auth: {
+            rotationCode: storedRotationCode,
+          },
+        },
+      });
+      if (rotateServiceAccountRes.error) {
+        throw new Error(rotateServiceAccountRes.error.message);
+      }
+      adminKey = rotateServiceAccountRes.data.newAdminKey;
+      rotationCode = rotateServiceAccountRes.data.newRotationCode;
+    } else {
+      // otherwise create a new service account
+      const serviceAccountResult = await createServiceAccount({
+        client: vaultClient,
+        request: {
+          options: {
+            metadata: {
+              projectId: props.project.id,
+              purpose: "Thirdweb Project Server Wallet Service Account",
+              teamId: props.project.teamId,
+            },
+          },
+        },
+      });
+      if (serviceAccountResult.success === false) {
+        throw new Error(
+          `Failed to create service account: ${serviceAccountResult.error}`,
+        );
+      }
+      const serviceAccount = serviceAccountResult.data;
+      adminKey = serviceAccount.adminKey;
+      rotationCode = serviceAccount.rotationCode;
+    }
+
+    const { managementToken, walletToken } =
+      await createAndEncryptVaultAccessTokens({
+        project: props.project,
+        projectSecretKey: props.projectSecretKey,
+        projectSecretHash: props.projectSecretHash,
+        vaultClient,
+        adminKey,
+        rotationCode,
+      });
+
+    return {
+      adminKey,
+      managementToken,
+      walletToken,
+    };
+  } catch (error) {
+    throw new Error(
+      `Failed to create vault account and access token: ${error}`,
+    );
+  }
+}
+
+async function createAndEncryptVaultAccessTokens(props: {
+  project: Project;
+  vaultClient: VaultClient;
+  projectSecretKey?: string;
+  projectSecretHash?: string;
+  adminKey: string;
+  rotationCode: string;
+}) {
+  const { project, projectSecretKey, vaultClient, adminKey, rotationCode } =
+    props;
+
+  const [managementTokenResult, walletTokenResult] = await Promise.all([
+    createManagementAccessToken({ project, adminKey, vaultClient }),
+    createWalletAccessToken({ project, adminKey, vaultClient }),
+  ]);
+
+  if (!managementTokenResult.success) {
+    throw new Error(
+      `Failed to create management token: ${managementTokenResult.error}`,
+    );
+  }
+
+  if (!walletTokenResult.success) {
+    throw new Error(
+      `Failed to create wallet token: ${walletTokenResult.error}`,
+    );
+  }
+
+  const managementToken = managementTokenResult.data;
+  const walletToken = walletTokenResult.data;
+
+  if (projectSecretKey) {
+    // verify that the project secret key is valid
+    const projectSecretKeyHash = await hashSecretKey(projectSecretKey);
+    const secretKeysHashed = [
+      ...project.secretKeys,
+      // for newly rotated secret keys, we don't have the secret key in the project secret keys yet
+      ...(props.projectSecretHash ? [{ hash: props.projectSecretHash }] : []),
+    ];
+    if (!secretKeysHashed.some((key) => key?.hash === projectSecretKeyHash)) {
+      throw new Error("Invalid project secret key");
+    }
+
+    // encrypt admin key and wallet token with project secret key
+    const [encryptedAdminKey, encryptedWalletAccessToken] = await Promise.all([
+      encrypt(adminKey, projectSecretKey),
+      encrypt(walletToken.accessToken, projectSecretKey),
+    ]);
+
+    await updateProjectClient(
+      {
+        projectId: props.project.id,
+        teamId: props.project.teamId,
+      },
+      {
+        services: [
+          ...props.project.services,
+          {
+            name: "engineCloud",
+            actions: [],
+            managementAccessToken: managementToken.accessToken,
+            maskedAdminKey: maskSecret(adminKey),
+            encryptedAdminKey,
+            encryptedWalletAccessToken,
+            rotationCode: rotationCode,
+          },
+        ],
+      },
+    );
+  } else {
+    // no secret key, only store the management token, remove any encrypted keys
+    await updateProjectClient(
+      {
+        projectId: props.project.id,
+        teamId: props.project.teamId,
+      },
+      {
+        services: [
+          ...props.project.services,
+          {
+            name: "engineCloud",
+            actions: [],
+            managementAccessToken: managementToken.accessToken,
+            maskedAdminKey: maskSecret(adminKey),
+            encryptedAdminKey: null,
+            encryptedWalletAccessToken: null,
+            rotationCode: rotationCode,
+          },
+        ],
+      },
+    );
+  }
+
+  return {
+    managementToken,
+    walletToken,
+  };
+}
+
 export async function createWalletAccessToken(props: {
   project: Project;
   adminKey: string;
@@ -243,13 +423,12 @@ export async function createWalletAccessToken(props: {
   });
 }
 
-export async function createManagementAccessToken(props: {
+async function createManagementAccessToken(props: {
   project: Project;
   adminKey: string;
-  rotationCode: string;
   vaultClient: VaultClient;
 }) {
-  const res = await createAccessToken({
+  return createAccessToken({
     client: props.vaultClient,
     request: {
       auth: {
@@ -333,31 +512,26 @@ export async function createManagementAccessToken(props: {
       },
     },
   });
-  if (res.success) {
-    const data = res.data;
-    await updateProjectClient(
-      {
-        projectId: props.project.id,
-        teamId: props.project.teamId,
-      },
-      {
-        services: [
-          ...props.project.services,
-          {
-            actions: [],
-            managementAccessToken: data.accessToken,
-            maskedAdminKey: maskSecret(props.adminKey),
-            name: "engineCloud",
-            rotationCode: props.rotationCode,
-          },
-        ],
-      },
-    );
-    return res;
-  }
-  throw new Error(`Failed to create management access token: ${res.error}`);
 }
 
 export function maskSecret(secret: string) {
   return `${secret.substring(0, 11)}...${secret.substring(secret.length - 5)}`;
 }
+
+async function hashSecretKey(secretKey: string) {
+  if (typeof window === "undefined" || !window.crypto?.subtle) {
+    throw new Error(
+      "This function can only be used in the browser environment with Web Crypto API support.",
+    );
+  }
+  const encoder = new TextEncoder();
+  const data = encoder.encode(secretKey);
+  const hashBuffer = await window.crypto.subtle.digest("SHA-256", data);
+  return bufferToHex(hashBuffer);
+}
+
+function bufferToHex(buffer: ArrayBuffer) {
+  return [...new Uint8Array(buffer)]
+    .map((x) => x.toString(16).padStart(2, "0"))
+    .join("");
+}
diff --git a/apps/dashboard/src/app/(app)/team/[team_slug]/[project_slug]/(sidebar)/transactions/page.tsx b/apps/dashboard/src/app/(app)/team/[team_slug]/[project_slug]/(sidebar)/transactions/page.tsx
index b146cf23929..e508574f137 100644
--- a/apps/dashboard/src/app/(app)/team/[team_slug]/[project_slug]/(sidebar)/transactions/page.tsx
+++ b/apps/dashboard/src/app/(app)/team/[team_slug]/[project_slug]/(sidebar)/transactions/page.tsx
@@ -7,10 +7,7 @@ import { getClientThirdwebClient } from "@/constants/thirdweb-client.client";
 import { TransactionsAnalyticsPageContent } from "./analytics/analytics-page";
 import { EngineChecklist } from "./analytics/ftux.client";
 import { TransactionAnalyticsSummary } from "./analytics/summary";
-import {
-  getTransactionAnalyticsSummary,
-  type TransactionSummaryData,
-} from "./lib/analytics";
+import { getTransactionAnalyticsSummary } from "./lib/analytics";
 import type { Wallet } from "./server-wallets/wallet-table/types";
 
 export default async function TransactionsAnalyticsPage(props: {
@@ -53,6 +50,7 @@ export default async function TransactionsAnalyticsPage(props: {
 
   const managementAccessToken =
     projectEngineCloudService?.managementAccessToken;
+  const isManagedVault = !!projectEngineCloudService?.encryptedAdminKey;
 
   const eoas = managementAccessToken
     ? await listEoas({
@@ -68,14 +66,10 @@ export default async function TransactionsAnalyticsPage(props: {
 
   const wallets = eoas.data?.items as Wallet[] | undefined;
 
-  let initialData: TransactionSummaryData | undefined;
-  if (wallets && wallets.length > 0) {
-    const summary = await getTransactionAnalyticsSummary({
-      clientId: project.publishableKey,
-      teamId: project.teamId,
-    }).catch(() => undefined);
-    initialData = summary;
-  }
+  const initialData = await getTransactionAnalyticsSummary({
+    clientId: project.publishableKey,
+    teamId: project.teamId,
+  }).catch(() => undefined);
   const hasTransactions = initialData ? initialData.totalCount > 0 : false;
 
   const client = getClientThirdwebClient({
@@ -86,6 +80,7 @@ export default async function TransactionsAnalyticsPage(props: {
   return (
     <div className="flex grow flex-col">
       <EngineChecklist
+        isManagedVault={isManagedVault}
         client={client}
         hasTransactions={hasTransactions}
         managementAccessToken={managementAccessToken ?? undefined}
diff --git a/apps/dashboard/src/app/(app)/team/[team_slug]/[project_slug]/(sidebar)/transactions/server-wallets/components/try-it-out.tsx b/apps/dashboard/src/app/(app)/team/[team_slug]/[project_slug]/(sidebar)/transactions/server-wallets/components/try-it-out.tsx
index f31fb354299..6803b91a94d 100644
--- a/apps/dashboard/src/app/(app)/team/[team_slug]/[project_slug]/(sidebar)/transactions/server-wallets/components/try-it-out.tsx
+++ b/apps/dashboard/src/app/(app)/team/[team_slug]/[project_slug]/(sidebar)/transactions/server-wallets/components/try-it-out.tsx
@@ -203,7 +203,6 @@ const client = createThirdwebClient({
 const serverWallet = Engine.serverWallet({
   client,
   address: "<your-server-wallet-address>",
-  vaultAccessToken: "<your-vault-access-token>",
 });
 
 // Prepare the transaction
@@ -241,7 +240,6 @@ const curlExample = () => `\
 curl -X POST "${NEXT_PUBLIC_ENGINE_CLOUD_URL}/v1/write/contract" \\
   -H "Content-Type: application/json" \\
   -H "x-secret-key: <your-project-secret-key>" \\
-  -H "x-vault-access-token: <your-vault-access-token>" \\
   -d '{
     "executionOptions": {
       "from": "<your-server-wallet-address>",
@@ -264,7 +262,6 @@ const response = await fetch(
     headers: {
       "Content-Type": "application/json",
       "x-secret-key": "<your-project-secret-key>",
-      "x-vault-access-token": "<your-vault-access-token>"
     },
     body: JSON.stringify({
       "executionOptions": {
@@ -290,7 +287,6 @@ url = "${NEXT_PUBLIC_ENGINE_CLOUD_URL}/v1/write/contract"
 headers = {
     "Content-Type": "application/json",
     "x-secret-key": "<your-project-secret-key>",
-    "x-vault-access-token": "<your-vault-access-token>"
 }
 payload = {
     "executionOptions": {
@@ -355,7 +351,6 @@ func main() {
 	req, _ := http.NewRequest("POST", url, bytes.NewBuffer(jsonData))
 	req.Header.Set("Content-Type", "application/json")
 	req.Header.Set("x-secret-key", "<your-project-secret-key>")
-	req.Header.Set("x-vault-access-token", "<your-vault-access-token>")
 
 	// Send the request
 	client := &http.Client{}
@@ -408,7 +403,6 @@ class Program
 
         using var httpClient = new HttpClient();
         httpClient.DefaultRequestHeaders.Add("x-secret-key", "<your-project-secret-key>");
-        httpClient.DefaultRequestHeaders.Add("x-vault-access-token", "<your-vault-access-token>");
 
         var response = await httpClient.PostAsync(url, content);
         var responseContent = await response.Content.ReadAsStringAsync();
diff --git a/apps/dashboard/src/app/(app)/team/[team_slug]/[project_slug]/(sidebar)/vault/components/create-vault-account.client.tsx b/apps/dashboard/src/app/(app)/team/[team_slug]/[project_slug]/(sidebar)/vault/components/create-vault-account.client.tsx
index 2a2d50f9810..9a494cf8ca1 100644
--- a/apps/dashboard/src/app/(app)/team/[team_slug]/[project_slug]/(sidebar)/vault/components/create-vault-account.client.tsx
+++ b/apps/dashboard/src/app/(app)/team/[team_slug]/[project_slug]/(sidebar)/vault/components/create-vault-account.client.tsx
@@ -1,7 +1,6 @@
 "use client";
 
 import { useMutation } from "@tanstack/react-query";
-import { createServiceAccount } from "@thirdweb-dev/vault-sdk";
 import {
   CheckIcon,
   DownloadIcon,
@@ -21,91 +20,74 @@ import {
   DialogHeader,
   DialogTitle,
 } from "@/components/ui/dialog";
+import { Input } from "@/components/ui/input";
+import { Label } from "@/components/ui/label";
 import { Spinner } from "@/components/ui/Spinner/Spinner";
 import { useDashboardRouter } from "@/lib/DashboardRouter";
 import { cn } from "@/lib/utils";
-import { storeUserAccessToken } from "../../transactions/analytics/utils";
 import {
-  createManagementAccessToken,
-  createWalletAccessToken,
-  initVaultClient,
+  createVaultAccountAndAccessToken,
   maskSecret,
 } from "../../transactions/lib/vault.client";
 
-export function CreateVaultAccountButton(props: {
-  project: Project;
-  onUserAccessTokenCreated?: (userAccessToken: string) => void;
-}) {
+export function CreateVaultAccountButton(props: { project: Project }) {
+  const [secretKeyModalOpen, setSecretKeyModalOpen] = useState(false);
+  const [secretKey, setSecretKey] = useState("");
   const [modalOpen, setModalOpen] = useState(false);
   const [keysConfirmed, setKeysConfirmed] = useState(false);
   const [keysDownloaded, setKeysDownloaded] = useState(false);
+  const [errorMessage, setErrorMessage] = useState("");
+  const [manageSelfChecked, setManageSelfChecked] = useState(false);
   const router = useDashboardRouter();
 
   const initialiseProjectWithVaultMutation = useMutation({
-    mutationFn: async () => {
+    mutationFn: async (projectSecretKey: string | undefined) => {
       setModalOpen(true);
+      setSecretKeyModalOpen(false);
 
-      const vaultClient = await initVaultClient();
-
-      const serviceAccount = await createServiceAccount({
-        client: vaultClient,
-        request: {
-          options: {
-            metadata: {
-              projectId: props.project.id,
-              purpose: "Thirdweb Project Server Wallet Service Account",
-              teamId: props.project.teamId,
-            },
-          },
-        },
-      });
-
-      if (!serviceAccount.success) {
-        throw new Error("Failed to create service account");
-      }
-
-      const managementAccessTokenPromise = createManagementAccessToken({
-        adminKey: serviceAccount.data.adminKey,
+      const result = await createVaultAccountAndAccessToken({
         project: props.project,
-        rotationCode: serviceAccount.data.rotationCode,
-        vaultClient,
+        projectSecretKey,
       });
 
-      const userAccesTokenPromise = createWalletAccessToken({
-        adminKey: serviceAccount.data.adminKey,
-        project: props.project,
-        vaultClient,
-      });
-
-      const [userAccessTokenRes, managementAccessTokenRes] = await Promise.all([
-        userAccesTokenPromise,
-        managementAccessTokenPromise,
-      ]);
-
-      if (!managementAccessTokenRes.success || !userAccessTokenRes.success) {
-        throw new Error("Failed to create access token");
-      }
-
-      // save in local storage in case the user refreshes the page during FTUX
-      storeUserAccessToken(
-        props.project.id,
-        userAccessTokenRes.data.accessToken,
-      );
-      props.onUserAccessTokenCreated?.(userAccessTokenRes.data.accessToken);
-
-      return {
-        serviceAccount: serviceAccount.data,
-        userAccessToken: userAccessTokenRes.data,
-      };
+      return result;
     },
     onError: (error) => {
-      toast.error(error.message);
+      setErrorMessage(error.message);
       setModalOpen(false);
     },
   });
 
-  const handleCreateServerWallet = async () => {
-    await initialiseProjectWithVaultMutation.mutateAsync();
+  const handleInitializeVault = async () => {
+    setSecretKeyModalOpen(true);
+    setErrorMessage("");
+    setSecretKey("");
+    setManageSelfChecked(false);
+  };
+
+  const handleSecretKeySubmit = async () => {
+    if (!manageSelfChecked && !secretKey.trim()) {
+      setErrorMessage(
+        "Please enter your project secret key or check the option to manage keys yourself",
+      );
+      return;
+    }
+
+    try {
+      setErrorMessage("");
+      await initialiseProjectWithVaultMutation.mutateAsync(
+        manageSelfChecked ? undefined : secretKey,
+      );
+    } catch (error) {
+      // Error will be handled by the mutation's onError
+    }
+  };
+
+  const handleCancelSecretKey = () => {
+    setSecretKeyModalOpen(false);
+    setSecretKey("");
+    setErrorMessage("");
+    setManageSelfChecked(false);
   };
 
   const handleDownloadKeys = () => {
@@ -113,7 +95,7 @@ export function CreateVaultAccountButton(props: {
       return;
     }
 
-    const fileContent = `Project:\n${props.project.name} (${props.project.publishableKey})\n\nVault Admin Key:\n${initialiseProjectWithVaultMutation.data.serviceAccount.adminKey}\n\nVault Access Token:\n${initialiseProjectWithVaultMutation.data.userAccessToken.accessToken}\n`;
+    const fileContent = `Project:\n${props.project.name} (${props.project.publishableKey})\n\nVault Admin Key:\n${initialiseProjectWithVaultMutation.data.adminKey}\n\nVault Access Token:\n${initialiseProjectWithVaultMutation.data.walletToken.accessToken}\n`;
     const blob = new Blob([fileContent], { type: "text/plain;charset=utf-8" });
     const url = URL.createObjectURL(blob);
     const link = document.createElement("a");
@@ -147,11 +129,11 @@ export function CreateVaultAccountButton(props: {
   const isLoading = initialiseProjectWithVaultMutation.isPending;
 
   return (
-    <>
+    <div>
       <Button
         className="flex flex-row items-center gap-2"
         disabled={isLoading}
-        onClick={handleCreateServerWallet}
+        onClick={handleInitializeVault}
         variant={"primary"}
       >
         {isLoading ? (
@@ -162,6 +144,93 @@ export function CreateVaultAccountButton(props: {
         {"Create Vault Admin Account"}
       </Button>
 
+      {/* Secret Key Input Modal */}
+      <Dialog
+        modal={true}
+        onOpenChange={handleCancelSecretKey}
+        open={secretKeyModalOpen}
+      >
+        <DialogContent className="overflow-hidden p-0">
+          <DialogHeader className="pt-6 px-6">
+            <DialogTitle>Create Your Vault</DialogTitle>
+          </DialogHeader>
+
+          <div className="space-y-6 p-6 pt-0">
+            <div className="space-y-3">
+              <Label htmlFor="secretKey">
+                Let thirdweb manage your Vault keys for you
+              </Label>
+              <p className="text-muted-foreground text-sm">
+                Lets you use your project secret key to access your vault like
+                any other thirdweb service (recommended).
+              </p>
+              <Input
+                id="secretKey"
+                type="password"
+                placeholder="Enter your project secret key"
+                value={secretKey}
+                onChange={(e) => setSecretKey(e.target.value)}
+                disabled={
+                  initialiseProjectWithVaultMutation.isPending ||
+                  manageSelfChecked
+                }
+              />
+              <p className="text-muted-foreground text-xs">
+                Your project secret key was generated when you created your
+                project. If you lost it, you can regenerate one in your project
+                settings.
+              </p>
+            </div>
+
+            <div className="flex flex-col gap-2">
+              <hr className="mb-4" />
+              <CheckboxWithLabel className="text-foreground">
+                <Checkbox
+                  checked={manageSelfChecked}
+                  onCheckedChange={(v) => setManageSelfChecked(!!v)}
+                  disabled={initialiseProjectWithVaultMutation.isPending}
+                />
+                I want to manage my Vault keys myself (advanced)
+              </CheckboxWithLabel>
+            </div>
+
+            {errorMessage && (
+              <Alert variant="destructive">
+                <AlertDescription>{errorMessage}</AlertDescription>
+              </Alert>
+            )}
+          </div>
+
+          <div className="flex justify-end gap-3 border-t bg-card px-6 py-4">
+            <Button
+              onClick={handleCancelSecretKey}
+              variant="outline"
+              disabled={initialiseProjectWithVaultMutation.isPending}
+            >
+              Cancel
+            </Button>
+            <Button
+              onClick={handleSecretKeySubmit}
+              variant="primary"
+              disabled={
+                (!secretKey.trim() && !manageSelfChecked) ||
+                initialiseProjectWithVaultMutation.isPending
+              }
+            >
+              {initialiseProjectWithVaultMutation.isPending ? (
+                <>
+                  <Loader2Icon className="mr-2 size-4 animate-spin" />
+                  Creating vault...
+                </>
+              ) : (
+                "Create vault"
+              )}
+            </Button>
+          </div>
+        </DialogContent>
+      </Dialog>
+
+      {/* Keys Display Modal */}
       <Dialog modal={true} onOpenChange={handleCloseModal} open={modalOpen}>
         <DialogContent
           className="overflow-hidden p-0"
@@ -197,12 +266,10 @@ export function CreateVaultAccountButton(props: {
                         className="!h-auto w-full justify-between bg-background px-3 py-3 font-mono text-xs"
                         copyIconPosition="right"
                         textToCopy={
-                          initialiseProjectWithVaultMutation.data.serviceAccount
-                            .adminKey
+                          initialiseProjectWithVaultMutation.data.adminKey
                         }
                         textToShow={maskSecret(
-                          initialiseProjectWithVaultMutation.data.serviceAccount
-                            .adminKey,
+                          initialiseProjectWithVaultMutation.data.adminKey,
                         )}
                         tooltip="Copy Admin Key"
                       />
@@ -212,32 +279,6 @@ export function CreateVaultAccountButton(props: {
                       </p>
                     </div>
                   </div>
-
-                  {/* <div>
-                    <h3 className="mb-2 font-medium text-sm">
-                      Vault Access Token
-                    </h3>
-                    <div className="flex flex-col gap-2 ">
-                      <CopyTextButton
-                        textToCopy={
-                          initialiseProjectWithVaultMutation.data
-                            .userAccessToken.accessToken
-                        }
-                        className="!h-auto w-full justify-between bg-background px-3 py-3 font-mono text-xs"
-                        textToShow={maskSecret(
-                          initialiseProjectWithVaultMutation.data
-                            .userAccessToken.accessToken,
-                        )}
-                        copyIconPosition="right"
-                        tooltip="Copy Vault Access Token"
-                      />
-                      <p className="text-muted-foreground text-xs">
-                        This access token is used to sign transactions and
-                        messages from your backend. Can be revoked and recreated
-                        with your admin key.
-                      </p>
-                    </div>
-                  </div> */}
                 </div>
                 <Alert variant="destructive">
                   <AlertTitle>Secure your admin key</AlertTitle>
@@ -285,6 +326,6 @@ export function CreateVaultAccountButton(props: {
           ) : null}
         </DialogContent>
       </Dialog>
-    </>
+    </div>
   );
 }
diff --git a/apps/dashboard/src/app/(app)/team/[team_slug]/[project_slug]/(sidebar)/vault/components/key-management.tsx b/apps/dashboard/src/app/(app)/team/[team_slug]/[project_slug]/(sidebar)/vault/components/key-management.tsx
index f362e3033f6..176f6a99021 100644
--- a/apps/dashboard/src/app/(app)/team/[team_slug]/[project_slug]/(sidebar)/vault/components/key-management.tsx
+++ b/apps/dashboard/src/app/(app)/team/[team_slug]/[project_slug]/(sidebar)/vault/components/key-management.tsx
@@ -9,15 +9,17 @@ import RotateAdminKeyButton from "./rotate-admin-key.client";
 export function KeyManagement({
   maskedAdminKey,
   project,
+  isManagedVault,
 }: {
   maskedAdminKey?: string;
   project: Project;
+  isManagedVault: boolean;
 }) {
   return (
     <div className="flex flex-col gap-6">
       {!maskedAdminKey && <CreateVaultAccountAlert project={project} />}
 
-      {maskedAdminKey && (
+      {maskedAdminKey && !isManagedVault && (
         <>
           <div className="flex flex-col gap-6 overflow-hidden rounded-lg border border-border bg-card">
             <div className="flex flex-col p-6">
@@ -37,13 +39,42 @@ export function KeyManagement({
                     {maskedAdminKey}
                   </p>
                 </div>
-                <RotateAdminKeyButton project={project} />
+                <RotateAdminKeyButton
+                  project={project}
+                  isManagedVault={false}
+                />
               </div>
             </div>
           </div>
           <ListAccessTokens project={project} />
         </>
       )}
+
+      {isManagedVault && (
+        <div className="flex flex-col gap-6 overflow-hidden rounded-lg border border-border bg-card">
+          <div className="flex flex-col p-6">
+            <h2 className="font-semibold text-xl tracking-tight">
+              Managed Vault
+            </h2>
+            <p className="text-muted-foreground text-sm">
+              Your vault is currently managed by Thirdweb so you can access it
+              via you project secret key. You can eject and manage your own
+              vault keys at any time. Doing so means you'll need to pass your
+              own vault access token to the transactions API additionally to
+              your project secret key.
+            </p>
+            <div className="h-4" />
+            <div className="flex flex-col gap-3 lg:flex-row lg:items-center">
+              <div className="flex min-w-[300px] flex-row items-center gap-2 rounded-lg border border-border bg-background px-4 py-3 font-mono text-sm">
+                <p className="text-muted-foreground text-sm">
+                  {maskedAdminKey}
+                </p>
+              </div>
+              <RotateAdminKeyButton project={project} isManagedVault={true} />
+            </div>
+          </div>
+        </div>
+      )}
     </div>
   );
 }
diff --git a/apps/dashboard/src/app/(app)/team/[team_slug]/[project_slug]/(sidebar)/vault/components/rotate-admin-key.client.tsx b/apps/dashboard/src/app/(app)/team/[team_slug]/[project_slug]/(sidebar)/vault/components/rotate-admin-key.client.tsx
index 3a4733f3919..473b2a95255 100644
--- a/apps/dashboard/src/app/(app)/team/[team_slug]/[project_slug]/(sidebar)/vault/components/rotate-admin-key.client.tsx
+++ b/apps/dashboard/src/app/(app)/team/[team_slug]/[project_slug]/(sidebar)/vault/components/rotate-admin-key.client.tsx
@@ -1,12 +1,12 @@
 "use client";
 
 import { useMutation } from "@tanstack/react-query";
-import { rotateServiceAccount } from "@thirdweb-dev/vault-sdk";
 import {
   CheckIcon,
   CircleAlertIcon,
   DownloadIcon,
   Loader2Icon,
+  LogOutIcon,
   RefreshCcwIcon,
 } from "lucide-react";
 import { useState } from "react";
@@ -27,13 +27,14 @@ import { Spinner } from "@/components/ui/Spinner/Spinner";
 import { useDashboardRouter } from "@/lib/DashboardRouter";
 import { cn } from "@/lib/utils";
 import {
-  createManagementAccessToken,
-  createWalletAccessToken,
-  initVaultClient,
+  createVaultAccountAndAccessToken,
   maskSecret,
 } from "../../transactions/lib/vault.client";
 
-export default function RotateAdminKeyButton(props: { project: Project }) {
+export default function RotateAdminKeyButton(props: {
+  project: Project;
+  isManagedVault: boolean;
+}) {
   const [modalOpen, setModalOpen] = useState(false);
   const [keysConfirmed, setKeysConfirmed] = useState(false);
   const [keysDownloaded, setKeysDownloaded] = useState(false);
@@ -41,55 +42,15 @@ export default function RotateAdminKeyButton(props: { project: Project }) {
 
   const rotateAdminKeyMutation = useMutation({
     mutationFn: async () => {
-      const vaultClient = await initVaultClient();
-      const rotationCode = props.project.services.find(
-        (service) => service.name === "engineCloud",
-      )?.rotationCode;
-
-      if (!rotationCode) {
-        throw new Error("Rotation code not found");
-      }
-
-      const rotateServiceAccountRes = await rotateServiceAccount({
-        client: vaultClient,
-        request: {
-          auth: {
-            rotationCode,
-          },
-        },
-      });
-
-      if (rotateServiceAccountRes.error) {
-        throw new Error(rotateServiceAccountRes.error.message);
-      }
-
-      // need to recreate the management access token with the new admin key
-      const managementAccessTokenPromise = createManagementAccessToken({
-        adminKey: rotateServiceAccountRes.data.newAdminKey,
+      // passing no secret key means we're rotating the admin key and deleting any stored keys
+      const result = await createVaultAccountAndAccessToken({
         project: props.project,
-        rotationCode: rotateServiceAccountRes.data.newRotationCode,
-        vaultClient,
       });
 
-      const userAccesTokenPromise = createWalletAccessToken({
-        adminKey: rotateServiceAccountRes.data.newAdminKey,
-        project: props.project,
-        vaultClient,
-      });
-
-      const [userAccessTokenRes, managementAccessTokenRes] = await Promise.all([
-        userAccesTokenPromise,
-        managementAccessTokenPromise,
-      ]);
-
-      if (!managementAccessTokenRes.success || !userAccessTokenRes.success) {
-        throw new Error("Failed to create access token");
-      }
-
       return {
-        adminKey: rotateServiceAccountRes.data.newAdminKey,
+        adminKey: result.adminKey,
         success: true,
-        userAccessToken: userAccessTokenRes.data,
+        userAccessToken: result.walletToken,
       };
     },
     onError: (error) => {
@@ -144,8 +105,12 @@ export default function RotateAdminKeyButton(props: { project: Project }) {
         variant="outline"
       >
         {isLoading && <Loader2Icon className="size-4 animate-spin" />}
-        {!isLoading && <RefreshCcwIcon className="size-4" />}
-        Rotate Admin Key
+        {!isLoading && props.isManagedVault ? (
+          <LogOutIcon className="size-4" />
+        ) : (
+          <RefreshCcwIcon className="size-4" />
+        )}
+        {props.isManagedVault ? "Eject From Managed Vault" : "Rotate Admin Key"}
       </Button>
 
       <Dialog modal={true} onOpenChange={handleCloseModal} open={modalOpen}>
diff --git a/apps/dashboard/src/app/(app)/team/[team_slug]/[project_slug]/(sidebar)/vault/page.tsx b/apps/dashboard/src/app/(app)/team/[team_slug]/[project_slug]/(sidebar)/vault/page.tsx
index 3869505fc2f..c5f8e95aff4 100644
--- a/apps/dashboard/src/app/(app)/team/[team_slug]/[project_slug]/(sidebar)/vault/page.tsx
+++ b/apps/dashboard/src/app/(app)/team/[team_slug]/[project_slug]/(sidebar)/vault/page.tsx
@@ -22,11 +22,13 @@ export default async function VaultPage(props: {
   );
 
   const maskedAdminKey = projectEngineCloudService?.maskedAdminKey;
+  const isManagedVault = !!projectEngineCloudService?.encryptedAdminKey;
 
   return (
     <div className="flex flex-col gap-8">
       <KeyManagement
         maskedAdminKey={maskedAdminKey ?? undefined}
+        isManagedVault={isManagedVault}
         project={project}
       />
     </div>
diff --git a/packages/service-utils/src/core/api.ts b/packages/service-utils/src/core/api.ts
index 368c9707468..672a1fe6f84 100644
--- a/packages/service-utils/src/core/api.ts
+++ b/packages/service-utils/src/core/api.ts
@@ -226,6 +226,8 @@ export type ProjectService =
       maskedAdminKey?: string | null;
       managementAccessToken?: string | null;
       rotationCode?: string | null;
+      encryptedAdminKey?: string | null;
+      encryptedWalletAccessToken?: string | null;
     }
   | ProjectBundlerService
   | ProjectEmbeddedWalletsService;
diff --git a/packages/service-utils/src/core/encryption.ts b/packages/service-utils/src/core/encryption.ts
new file mode 100644
index 00000000000..c4feb4db12d
--- /dev/null
+++ b/packages/service-utils/src/core/encryption.ts
@@ -0,0 +1,96 @@
+export async function encrypt(secret: string, password: string) {
+  // Generate random salt and IV
+  const salt = crypto.getRandomValues(new Uint8Array(16));
+  const iv = crypto.getRandomValues(new Uint8Array(12));
+
+  // Derive key from password using PBKDF2
+  const keyMaterial = await crypto.subtle.importKey(
+    "raw",
+    new TextEncoder().encode(password),
+    "PBKDF2",
+    false,
+    ["deriveBits", "deriveKey"],
+  );
+
+  const key = await crypto.subtle.deriveKey(
+    {
+      name: "PBKDF2",
+      salt: salt,
+      iterations: 100000,
+      hash: "SHA-256",
+    },
+    keyMaterial,
+    { name: "AES-GCM", length: 256 },
+    false,
+    ["encrypt", "decrypt"],
+  );
+
+  // Encrypt the secret
+  const encodedSecret = new TextEncoder().encode(secret);
+  const encrypted = await crypto.subtle.encrypt(
+    {
+      name: "AES-GCM",
+      iv: iv,
+    },
+    key,
+    encodedSecret,
+  );
+
+  // Combine salt, IV, and encrypted data
+  const result = new Uint8Array(salt.length + iv.length + encrypted.byteLength);
+  result.set(salt, 0);
+  result.set(iv, salt.length);
+  result.set(new Uint8Array(encrypted), salt.length + iv.length);
+
+  // Return as base64 string
+  return btoa(String.fromCharCode(...result));
+}
+
+export async function decrypt(encryptedData: string, password: string) {
+  // Decode base64 string
+  const data = new Uint8Array(
+    atob(encryptedData)
+      .split("")
+      .map((char) => char.charCodeAt(0)),
+  );
+
+  // Extract salt, IV, and encrypted data
+  const salt = data.slice(0, 16);
+  const iv = data.slice(16, 28);
+  const encrypted = data.slice(28);
+
+  // Derive key from password using PBKDF2
+  const keyMaterial = await crypto.subtle.importKey(
+    "raw",
+    new TextEncoder().encode(password),
+    "PBKDF2",
+    false,
+    ["deriveBits", "deriveKey"],
+  );
+
+  const key = await crypto.subtle.deriveKey(
+    {
+      name: "PBKDF2",
+      salt: salt,
+      iterations: 100000,
+      hash: "SHA-256",
+    },
+    keyMaterial,
+    { name: "AES-GCM", length: 256 },
+    false,
+    ["encrypt", "decrypt"],
+  );
+
+  // Decrypt the data
+  const decrypted = await crypto.subtle.decrypt(
+    {
+      name: "AES-GCM",
+      iv: iv,
+    },
+    key,
+    encrypted,
+  );
+
+  // Return as string
+  return new TextDecoder().decode(decrypted);
+}
diff --git a/packages/service-utils/src/index.ts b/packages/service-utils/src/index.ts
index d32c3d55ff5..78074d711ec 100644
--- a/packages/service-utils/src/index.ts
+++ b/packages/service-utils/src/index.ts
@@ -15,7 +15,7 @@ export type {
 } from "./core/api.js";
 export { fetchTeamAndProject } from "./core/api.js";
 export { authorizeBundleId, authorizeDomain } from "./core/authorize/client.js";
+export { decrypt, encrypt } from "./core/encryption.js";
 export { rateLimit } from "./core/rateLimit/index.js";
-
 export { rateLimitSlidingWindow } from "./core/rateLimit/strategies/sliding-window.js";
 export * from "./core/services.js";
diff --git a/packages/thirdweb/src/engine/server-wallet.ts b/packages/thirdweb/src/engine/server-wallet.ts
index bcd51f9f417..d69405caa8c 100644
--- a/packages/thirdweb/src/engine/server-wallet.ts
+++ b/packages/thirdweb/src/engine/server-wallet.ts
@@ -35,9 +35,10 @@ export type ServerWalletOptions = {
    */
   client: ThirdwebClient;
   /**
-   * The vault access token to use your server wallet.
+   * Optional vault access token to use your server wallet.
+   * If not provided, the server wallet will use the project secret key to authenticate.
    */
-  vaultAccessToken: string;
+  vaultAccessToken?: string;
   /**
    * The server wallet address to use for sending transactions inside engine.
    */
@@ -152,9 +153,11 @@ export function serverWallet(options: ServerWalletOptions): ServerWallet {
   const { client, vaultAccessToken, address, chain, executionOptions } =
     options;
 
-  const headers: HeadersInit = {
-    "x-vault-access-token": vaultAccessToken,
-  };
+  const headers: HeadersInit = vaultAccessToken
+    ? {
+        "x-vault-access-token": vaultAccessToken,
+      }
+    : {};
 
   const getExecutionOptionsWithChainId = (
     chainId: number,