Entry types

Every entry is stored the same way cryptographically, a signed, per-device-encrypted version, but the fields and the autofill behavior depend on the kind. The vault supports 17 entry kinds.

Username/email, password, optional website URLs, and an optional TOTP secret (issuer and account name).

The extension matches a login to a site by its URLs and offers it in the autofill dropdown.
If a TOTP secret is present, the extension fills the current 6-digit code into a one-time-code field on the same or a later step.

Payment card

Cardholder name, card number, expiry, security code, PIN, brand, and billing postal code. The extension recognizes cc-* autocomplete fields and fills them, parsing the expiry into whatever month/year inputs the page uses.

Identity

Personal details for autofilling checkout and sign-up forms: first, middle, and last name; email; phone; date of birth; address (two lines, city, region, postal code, country); organization; nationality; and document type, number, and expiry.

TOTP

A standalone time-based one-time-password seed (RFC 6238): secret, issuer, and account name. A TOTP can live on a login entry (so it fills alongside the password) or stand on its own. The code is always computed locally on your device.

TOTP never reaches the server as a code

The server only ever holds the encrypted seed, like any other field. The rotating 6-digit code is derived on your device at fill time.

Note

Free-form text. No autofill. Useful for software license keys, recovery codes, or any secret that doesn't fit a structured kind.

SSH key

Private key, public key, passphrase, key type, and fingerprint.

Passkey

Stores a WebAuthn resident credential: RP id, RP name, username, display name, credential id, private key, public key, user handle, and sign count. The extension brokers passkey ceremonies so credentials are kept in your vault rather than locked to one device's TPM.

Wi-Fi

SSID, password, security type, and a flag for hidden networks.

Bank account

Bank name, account holder, account number, routing number, IBAN, BIC, branch, and PIN.

API credential

Service name, endpoint, key id, secret, token, and expiry date.

Database

Engine, host, port, database name, username, password, SSL mode, and connection string.

Server

Host, port, protocol, username, password, and root password.

Software license

Product, version, license key, registered name, registered email, purchase date, purchase location, and expiry.

Crypto wallet

Wallet name, type, network, public address, derivation path, seed phrase, private key, and extended public key (xpub).

Email account

Email address, password, IMAP server/port/security, SMTP server/port/security, and SMTP username.

Contact

Name, email, phone, organization, address, relationship, and birthday.

Membership

Organization, member id, tier, join date, expiry, and website URL.

What's stored for every kind

Regardless of kind, the encrypted payload is sealed for each of your recipient devices and signed by the writing device. A small outline (enough to render the vault list) is stored under its own key so the list can render without decrypting every full entry. None of it is readable by the server.