CREDENTIAL VAULT
FOR CONFLUENCE
Stop hiding passwords in plain-text Confluence tables. Credential Vault is a zero-knowledge encrypted password and MFA manager that lives directly on your Confluence pages — no external servers, no extra tools.
Get it on Atlassian Marketplace
View Documentation
AES-GCM-256 Encrypted
Built on Atlassian Forge
30-Day Free TrialSee It In Action
Click any image to expand · swipe or use arrows to browse
First-time vault creation
Lock screen
Unlocked vault
Add-entry modal
Expanded entry
Scan QR Code
Settings
Settings (continued)
Archive
Activity Log
User Settings
Manage TemplatesEverything Your Team Needs
A full credential manager — built for MSPs, runbooks, and shared team accounts.
Zero-Knowledge Encryption
Every credential is encrypted in your browser with AES-GCM-256 before it ever reaches Atlassian's servers. Neither Atlassian nor CowboyMSP can read your data.
Built-In MFA & QR Re-Add
Store TOTP secrets alongside passwords and generate live 6-digit codes — no separate authenticator. Need to move a code to a phone? One-click QR re-add for Authy, Google Authenticator, 1Password, and more.
Pwned Password Check
One-click breach check using the Have I Been Pwned k-anonymity API. Only a 5-character SHA-1 prefix is sent — your password never leaves your browser.
Owner-Based Sharing
Per-page vaults shared across everyone with Confluence page access. A clear owner controls PIN, retention, and exports. Hand-off ownership in one click when staff change.
MSP Templates
12 built-in templates — M365 Admin, AWS, Azure, Windows RDP, Linux SSH, Firewall, Switch, Database, GitHub and more. Add shared team templates or personal-only ones.
Categories, Tags & Search
Owner-managed categories plus freeform per-entry tags. Multi-chip search filters across name, username, URL, category, notes and tags simultaneously.
Password Generator & History
Crypto-random generator (8–99 chars, configurable character classes). The last 5 previous passwords are kept per entry so you can restore an old value with one click.
Archive with Auto-Delete
Soft-delete entries to the Archive, restore at any time. Owners pick a retention window from 7 to 365 days (or Never) — expired entries are auto-purged on next unlock.
CSV Import & Export
Import existing credentials from any CSV with the right columns, or export the whole vault for backup or migration. Every export is recorded in the activity log.
Configurable Auto-Lock
Pick an idle timeout from 1 to 60 minutes. A 60-second countdown banner appears before locking — one click to stay unlocked. Also locks on navigate or refresh.
PIN-Gated Activity Log
The last 2,000 vault events — adds, edits, deletes, archive, restore, exports, PIN changes, ownership transfers — gated behind the vault PIN so only authorised users can read it.
Any Device, Any Network
Credentials live in Atlassian Forge infrastructure — not your browser. Open the page, enter your PIN, and everything loads instantly from anywhere. Light, Dark, or Auto theme.
Simple Pricing
Start free. Upgrade through Atlassian Marketplace when you're ready.
Free Forever
Up to 3 credential entries · every feature included
- AES-GCM-256 encryption
- MFA / TOTP & QR re-add
- Password generator & history
- HIBP breach check
- Tags, categories & search
- Templates (12 built-in)
- Archive with auto-delete
- CSV import & export
- Activity log (last 2,000)
- Ownership & transfer
AES-GCM-256 encryptionUnlimited
$1.50 / user / month · billed via Atlassian · 30-day free trial
- Everything in Free
- Unlimited credential entries
- 30-day free trial
- Billed through Atlassian
- Scales with Confluence seats
- Priority support
No data loss when the trial ends. Existing entries remain viewable, editable, and deletable — only new entries beyond the 3-entry free cap require an active licence.
Security At a Glance
| Property | Detail |
|---|---|
| Encryption | AES-GCM 256-bit, client-side only |
| Key derivation | PBKDF2 · 200,000 iterations · per-vault random salt |
| PIN hash | Salted SHA-256. PIN itself is never stored or transmitted |
| Minimum PIN | 8 characters for new vaults (with a live strength meter) |
| TOTP generation | HMAC-SHA-1 / SHA-256 / SHA-512 via Web Crypto API, in-browser |
| Breach checking | k-anonymity via Have I Been Pwned (5-char SHA-1 prefix only) |
| Storage | Encrypted blobs in Atlassian Forge KV Storage |
| External egress | Manifest allow-lists only api.pwnedpasswords.com |
| Auto-lock | Configurable 1–60 min, with a 60-second pre-lock warning |
| Activity log | PIN-gated read; capped at the most recent 2,000 events |
| Concurrency | Optimistic version checks & stale-PIN detection on save |
| Owner-only writes | PIN change, hard delete, import/export, retention, templates |
| URL allow-list | javascript:, data:, vbscript:, file: are blocked |
| Data scope | Per Confluence page; shared among users with page access |
Documentation & Downloads
Everything you need to get started and support your team.
Online User Guide
Full documentation — setup, features, MFA, templates, archive, ownership, troubleshooting, and FAQ.
User Guide (.docx)
Downloadable Word document — share with your team or include in your runbook.
HELP.md (Markdown)
Raw markdown source — ideal for pasting into Confluence or your own docs site.
End User License Agreement
The full EULA governing use of Credential Vault for Confluence.
Data Processing Addendum
The DPA covering data handling for Credential Vault for Confluence.
Privacy Policy
How CowboyMSP handles data — including the Atlassian Forge app-specific disclosures.
Contact Support
Email [email protected] — we respond to all Marketplace app questions.
Ready to Secure Your Confluence Credentials?
Install free today. Upgrade to unlimited when your team needs it — billed directly through Atlassian.
Talk to Us
Published by CowboyMSP · [email protected] · cowboymsp.com