Fence Docs

API key vault for teams. Encrypted storage, scoped tokens, rotation, and audit log.

Overview

API key vault for teams. Encrypted storage, scoped tokens, rotation, and audit log. License: BSL 1.1. Default port: 8770.

Part of the Stockyard family of developer tools.

Install

curl -fsSL https://stockyard.dev/fence/install.sh | sh

Or download a release binary from GitHub Releases.

Quickstart

# Install
curl -fsSL https://stockyard.dev/fence/install.sh | sh

# Generate encryption key
export ENC_KEY=$(openssl rand -hex 32)

# Run
FENCE_ADMIN_KEY=secret FENCE_ENCRYPTION_KEY=$ENC_KEY fence

# Create vault + store key
curl -s -X POST http://localhost:8770/api/vaults \
  -H 'Authorization: Bearer secret' -d '{"name":"prod"}'

curl -s -X POST http://localhost:8770/api/vaults/{vault_id}/keys \
  -H 'Authorization: Bearer secret' \
  -d '{"name":"openai","value":"sk-...","provider":"openai"}'

# Issue token to a team member
curl -s -X POST http://localhost:8770/api/vaults/{vault_id}/tokens \
  -H 'Authorization: Bearer secret' \
  -d '{"member_id":"{mid}","name":"alice"}'
# Save the fence_... token — shown only once

# Team member resolves key at runtime
curl -s http://localhost:8770/api/resolve/openai \
  -H 'Authorization: Bearer fence_...'

Environment Variables

Variable              Description                                            Default
PORT                  HTTP listen port                                       8770
DATA_DIR              SQLite data directory                                  ./data
FENCE_ADMIN_KEY       Admin key (required)                                   required
FENCE_ENCRYPTION_KEY  32-byte hex AES key. Derives from admin key if unset.
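
A preflight check for the two key variables above, written as an added example (it is not part of Fence or its install script). The function names, the 32-character minimum for the admin key, and the placeholder list are assumptions for illustration; the 64-hex-character rule follows from the "32-byte hex AES key" description.

```shell
#!/bin/sh
# Added example: validate Fence's key-related environment before starting it.
# MIN_ADMIN_LEN and the placeholder list are assumptions, not Fence rules.
MIN_ADMIN_LEN=32

# check_enc_key KEY -> 0 only if KEY is exactly 64 hex characters (32 bytes)
check_enc_key() {
  [ "${#1}" -eq 64 ] || return 1
  case "$1" in
    *[!0-9a-fA-F]*) return 1 ;;
  esac
  return 0
}

# check_admin_key KEY -> 0 only if KEY is long enough and not a placeholder
check_admin_key() {
  case "$1" in
    ""|secret|admin|changeme|password) return 1 ;;
  esac
  [ "${#1}" -ge "$MIN_ADMIN_LEN" ]
}

# fence_preflight: reports findings on stderr, returns 0 only if all pass
fence_preflight() {
  rc=0
  if ! check_admin_key "${FENCE_ADMIN_KEY:-}"; then
    echo "FAIL: FENCE_ADMIN_KEY is a placeholder or under $MIN_ADMIN_LEN chars" >&2
    rc=1
  fi
  if [ -z "${FENCE_ENCRYPTION_KEY:-}" ]; then
    # Per the table, the AES key is then derived from the admin key, so it
    # can be no stronger than that key. Require an explicit one instead.
    echo "FAIL: FENCE_ENCRYPTION_KEY unset; it would derive from the admin key" >&2
    rc=1
  elif ! check_enc_key "$FENCE_ENCRYPTION_KEY"; then
    echo "FAIL: FENCE_ENCRYPTION_KEY must be 64 hex characters (32 bytes)" >&2
    rc=1
  fi
  return "$rc"
}

# Usage (after exporting both variables): fence_preflight && exec fence
```

The quickstart's `secret` admin key fails this check by design; generate the admin key the same way as the encryption key, for example with `openssl rand -hex 32`.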

API Reference

GET     /api/vaults                          List vaults (admin)
POST    /api/vaults                          Create vault (admin)
POST    /api/vaults/{id}/keys                Store an encrypted key (admin)
POST    /api/vaults/{id}/keys/{kid}/rotate   Rotate a key value (admin)
GET     /api/vaults/{id}/members             List vault members (admin)
POST    /api/vaults/{id}/members             Add a member (admin)
POST    /api/vaults/{id}/tokens              Issue a member token (admin)
DELETE  /api/vaults/{id}/tokens/{tid}        Revoke a token (admin)
GET     /api/vaults/{id}/audit               Access log (admin)
GET     /api/resolve/{name}                  Resolve key by name (token auth)
GET     /health                              Health check

Note: Admin endpoints require Authorization: Bearer <admin-key>. The admin key is set via the FENCE_ADMIN_KEY environment variable.

Deployment

Run the binary directly or use the provided Dockerfile. Set DATA_DIR to a persistent volume path. The binary is statically linked with no external dependencies.

docker build -t fence .
docker run -e FENCE_ADMIN_KEY=secret -e DATA_DIR=/data -v /data:/data -p 8770:8770 fence

When to use Stockyard instead

If you're building LLM-powered applications and need request tracing, cost tracking across 16 providers, model routing, prompt management, and team collaboration tools — Stockyard is the full platform. It includes capabilities from across the focused tools family in one binary.