Affinity Design
Agency Guide

Client Credential Vault

Encrypted storage for client-supplied credentials used during onboarding and delivery work

What the Vault Is For

The Client Credential Vault is where sensitive client-provided access details are stored when the agency needs them to complete work. This includes things like domain logins, DNS access, or provider requests tied to delivery.

It is not meant to be a random catch-all password drawer. It exists for real operational handoff inside the platform.

Common Credential Types

TypeWhy it is usedExample
dns_loginThe team needs domain or DNS accessGoDaddy, Namecheap, Cloudflare
domain_requestThe client wants the agency to buy or set up a domainDomain purchase approval
sms_requestThe client needs messaging setup helpTwilio request or setup handoff
email_requestThe client needs email or workspace setup helpGoogle Workspace or mail hosting request

Status Flow

Credentials move through a simple lifecycle:

StatusMeaning
pendingSubmitted by the client and waiting for agency action
in_progressSomeone on the agency team is actively handling it
resolvedThe work is complete
cancelledThe request is no longer needed

Typical flow:

pending -> in_progress -> resolved
pending -> cancelled

How Clients Submit Credentials

In the portal, the client usually submits these details from the part of the workspace tied to the task, such as website, DNS, or communications setup.

Typical flow:

  1. The client opens the related setup area.
  2. They fill in the required credential or request form.
  3. The platform encrypts the payload.
  4. The encrypted record is stored in the vault.

Sensitive payloads are encrypted before storage so the database is not holding plain text secrets.

How Agency Operators Use the Vault

When the agency needs to act:

  1. Open the relevant client and delivery area.
  2. Review the vault item status and metadata.
  3. Access the credential only if it is needed for the task.
  4. Perform the work.
  5. Update the status so the rest of the team knows where it stands.

Keep status updates current. That is what turns the vault from a secret bucket into a usable operations tool.

Do not paste decrypted credentials into chat, docs, tickets, or logs. Use them only long enough to finish the task that requires access.

Security Model

The vault is designed around a few simple rules:

  • credentials are encrypted at rest
  • transport should stay on secure HTTPS routes
  • client access is scoped to that client's own records
  • agency actions are logged
  • sensitive access should stay limited to the people doing the work

Troubleshooting

ProblemWhat to check
Client cannot submit the requestCheck that the client is in the right onboarding or delivery state.
Decryption failsVerify the correct encryption key is available in the environment.
Item stays in pending too longThe agency needs an operator to pick it up and move it forward.
Team is unsure whether work is doneReview the status and audit trail before asking the client again.

Operator Advice

Treat the vault like a controlled handoff tool, not a convenience feature. The goal is to finish the client task with the least possible exposure of sensitive information.

On this page