Deck Vault
By default, Deck encrypts and stores credentials in Deck Vault. Credentials never leave the vault except to authenticate a session, and each set is scoped to a single credential. They are never shared across users, organizations, or sources. Deck Vault is encrypted at rest and in transit. With credentials stored, you get:- Automatic re-authentication. Expired sessions recover without user involvement.
- Persistent credentials. Users link their account once and it works until they revoke access.
- Zero-friction task runs. Scheduled and on-demand tasks authenticate silently.
Removing credentials
To permanently delete credentials from Deck Vault, delete the credential:deleted status. The credential object and its task runs remain queryable, but no new tasks can use it. If the user needs access again, create a new credential.
Choosing an approach
The right choice depends on how your users interact with connected sources and how sensitive the credentials are.| Deck Vault (default) | Terminate after use | |
|---|---|---|
| User experience | Store once, use indefinitely | Re-enter credentials each time |
| Session recovery | Automatic re-authentication | Requires a new credential |
| Operational overhead | Low. Deck manages authentication. | Higher. Your app handles re-linking flows. |
| Best for | Recurring tasks, long-lived integrations | One-time operations, high-sensitivity credentials |