Credential checkout
Checking out a credential temporarily grants you access to the underlying secret (password, SSH key, or token) stored in a Safe. Every checkout is logged to the audit trail.
Prerequisites
- Access to at least one Safe with the Checkout permission
- A credential stored in that Safe
Checkout procedure
- Log in to the VaultPAM console at app.vaultpam.com.
- Navigate to Safes in the sidebar.
- Select the Safe that contains the credential you need.
- In the credential list, find the credential and click Check Out.
- If an approval workflow is configured for this Safe, your request is sent to the approver. Wait for approval before proceeding.
- Once approved (or if no approval is required), the credential is revealed. Copy it to your clipboard or use it in the launched session.
- When you have finished, return to the Safe and click Check In next to the credential.
Success state: The credential status changes from Checked out back to Available. A check-in event appears in the audit log.
What happens if you do not check in
Credentials are automatically checked in when:
- The associated session ends (if launched via VaultPAM)
- The checkout timeout expires (default: 1 hour; configurable per Safe)
- An Org Admin forces a check-in from Admin > Active checkouts
Automatic check-in is logged as a system event in the audit trail.
Do not share checked-out credentials
Each checkout is personally attributed in the audit trail. Sharing a checked-out credential with another user violates the audit chain and may constitute a compliance violation under NIS2 Article 21 and GDPR Art. 32. Always use separate checkouts for separate users.