Vault Linking

When you log in on different devices or browsers, each session gets its own credential vault. Vault linking lets you unify these sessions so credentials stored in one are accessible from all.

When You Need This

Vault linking is automatic when you:

The new grant inherits your session’s vault automatically. No action required.

Vault linking is manual when you:

In these cases, your sessions have independent vaults. To share credentials between them, you merge the vaults.

Viewing Your Grants

  1. Click your avatar in the top right
  2. Go to the Grants tab

You’ll see all active Grants:

| Column | Description |
| --- | --- |
| Label | Session description (browser, location, or custom name) |
| Type | Login session, API key, or OAuth client |
| Vault | Which vault this session uses |
| Created | When the session was created |
| Last used | Most recent activity |

Grants sharing the same vault show the same vault identifier.

Merging Vaults

To share your vault with another session:

  1. Find the target session in your Grants list
  2. Click the menu on that session’s row
  3. Select Share vault with this session

This creates an escrow—a secure handoff that only the target session can claim.

What Happens Next

The target session sees an alert banner the next time it loads:

Vault sharing request
[Session label] wants to share their vault with this session. Your credentials will be merged.
Accept | Decline

Credential Migration

When you accept a vault merge:

  1. Credentials from your old vault are re-encrypted with the shared vault’s key
  2. They’re moved to the shared vault
  3. If both vaults have the same credential, the newer one is kept

Nothing is lost. Your credentials consolidate into the shared vault.

Escrow Expiration

Vault escrows expire after 24 hours. If the target session doesn’t accept in time, you’ll need to initiate the share again.
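
The claim and merge rules above, modelled as an added Python sketch (not Toolcog's code): only the target session can claim, the claim fails after 24 hours or after cancellation, and on a name clash the newer credential is kept. The `Escrow` record, its field names, and the vault layout are assumptions made for illustration; the error strings are the ones listed under Troubleshooting.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

ESCROW_TTL = timedelta(hours=24)  # the page's stated escrow lifetime

@dataclass
class Escrow:  # hypothetical record; field names are assumptions
    source_vault: str
    target_session: str  # the only session allowed to claim
    created: datetime
    cancelled: bool = False

def claim(escrow, session_id, now):
    """Return the shared vault id, or raise with the page's error text."""
    if now - escrow.created > ESCROW_TTL:
        raise PermissionError("Escrow expired")
    if escrow.cancelled or session_id != escrow.target_session:
        raise PermissionError("Failed to claim escrow")
    return escrow.source_vault

def merge(shared, old):
    """Fold the old vault into the shared one; on a name clash the newer wins.

    Vaults map credential name -> (updated_at, secret). Re-encryption under
    the shared vault's key is not modelled.
    """
    merged = dict(shared)
    for name, (updated_at, secret) in old.items():
        if name not in merged or updated_at > merged[name][0]:
            merged[name] = (updated_at, secret)
    return merged

def demo():
    # Constructed sample data: a desktop vault shared with a phone session.
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
    desktop = {"github": (t0, "gh-old"), "slack": (t0, "sl-1")}
    phone = {"github": (t0 + timedelta(days=1), "gh-new"), "jira": (t0, "ji-1")}
    escrow = Escrow("vault-desktop", "phone", created=t0)
    vault_id = claim(escrow, "phone", now=t0 + timedelta(hours=2))
    return vault_id, merge(desktop, phone)

if __name__ == "__main__":
    print(demo())
```
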

Common Scenarios

New Phone, Existing Desktop Session

  1. Log in on your phone (creates a new vault)
  2. On your desktop, go to Grants
  3. Find your phone session
  4. Click Share vault with this session
  5. On your phone, accept the vault share

Now both devices access the same credentials.

Multiple Browsers

Same process. Share from your primary browser to secondary browsers. Each browser session that accepts joins the same vault.

Reconnecting an MCP Client

If you logged into the MCP client independently (not via browser authorization):

  1. The MCP session has its own vault
  2. Share your browser vault with the MCP session
  3. The MCP client gains access to your browser credentials

If you authorized the MCP client from your browser, vault linking happened automatically during authorization.

API Keys

API keys created from your browser session automatically share your vault. No manual linking needed.

To verify:

  1. Go to Settings > Grants
  2. Find your API key
  3. Check that its Vault ID matches your browser session

If the vaults differ (the API key was created before vault linking existed), use the merge process above.

Vault Lifecycle

Vaults exist only while at least one session can access them. This is deliberate.

What Happens When Sessions Expire

If your session expires or you log out, and no other session shares the vault:

This is a security feature, not a limitation. It bounds the exposure window—credentials are only accessible while you have an active session.

Toolcog Is Not a Password Manager

Don’t treat Toolcog as the master store for your credentials. Your password manager is the source of truth for API keys. OAuth services can be re-authorized in seconds.

If you lose vault access:

  1. Log in again (creates a new vault)
  2. Re-authorize OAuth services (click through the flow)
  3. Re-enter API keys from your password manager

This takes minutes. The security tradeoff is worth it.

Keep a Session Alive

If you want continuous vault access:

Security Notes

Only You Can Initiate

You can only share your own vault. You cannot force another session to share its vault with you.

Target Must Accept

The target session must explicitly accept. The session holder clicks Accept in their browser or client.

Escrows Are Encrypted

The vault key is wrapped with an encryption key only the target session can derive. Even if someone intercepts the escrow record, they can’t unwrap the key.

Forward Secrecy

Each escrow uses a unique encryption derivation. Compromising one escrow doesn’t help with others.

Troubleshooting

“Escrow expired”

The 24-hour window passed. Initiate the share again from the source session.

“Failed to claim escrow”

The escrow may have been cancelled by the initiator, or there’s a session mismatch. Check that you’re claiming from the correct session.

Credentials missing after merge

Credentials should never be lost during merge. If something seems missing:

  1. Check the Credentials page for the merged credentials
  2. Verify you accepted the escrow (not declined)
  3. The credential may need reconnection if the service revoked access
