
    Encrypted by default.

    Zero-trust document storage built on Authaz identity context. Tenant isolation, envelope encryption, and policy-gated access for every file.

    Free up to 2,000 MAU — Locker is an add-on product.

    Threat model — 3 risks, 3 controls

    Threat: Cross-tenant document exposure
    Control: Tenant-scoped key hierarchy with policy-bound access checks

    Threat: Privileged misuse of download or delete
    Control: Step-up MFA verification with short-lived elevated scope

    Threat: Undetected data tampering or exfiltration
    Control: Immutable version lineage with auditable decision trail

    Encryption pipeline

    Four stages. No shortcuts.

    Every document passes through the same pipeline: ingested with context, encrypted with tenant-scoped keys, authorized against policy, and committed to an immutable audit trail.

    01 Ingest: Document enters with tenant context, org scope, and policy metadata attached.

    02 Encrypt: Envelope encryption applies AES-256-GCM with tenant-scoped key hierarchy.

    03 Authorize: Z* evaluates action policy and enforces step-up for sensitive operations.

    04 Audit: Versioned metadata and immutable decision events are persisted to the trail.

    Security properties

    Built for the audit, not the demo.

    AES-256-GCM encryption

    Every document is envelope-encrypted at rest. Per-document keys are wrapped by a tenant-level key hierarchy that never leaves the boundary.

    Tenant-scoped key isolation

    Cryptographic boundaries follow your tenant model. One customer's key material can never decrypt another customer's documents.

    Step-up enforcement

    Download and delete operations require elevated scope via MFA challenge. Short-lived tokens expire after a single use.
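
The envelope scheme described under "AES-256-GCM encryption" and "Tenant-scoped key isolation", as an added example that is not Authaz code: a random per-document key encrypts the file, a tenant key wraps that key, and another tenant's key fails to unwrap it. Deriving tenant keys from a root key with HKDF, the `tenant/document` AAD format, and all function names are assumptions for illustration.

```javascript
const crypto = require("node:crypto");

// AES-256-GCM helpers. The AAD binds each ciphertext to "tenant/document".
function seal(key, plaintext, aad) {
  const iv = crypto.randomBytes(12); // fresh 96-bit nonce per encryption
  const cipher = crypto.createCipheriv("aes-256-gcm", key, iv);
  cipher.setAAD(aad);
  const ct = Buffer.concat([cipher.update(plaintext), cipher.final()]);
  return { iv, ct, tag: cipher.getAuthTag() };
}

function open(key, box, aad) {
  const decipher = crypto.createDecipheriv("aes-256-gcm", key, box.iv);
  decipher.setAAD(aad);
  decipher.setAuthTag(box.tag);
  // final() throws if the key, AAD, ciphertext or tag does not match.
  return Buffer.concat([decipher.update(box.ct), decipher.final()]);
}

// Assumption: tenant keys are derived from a root key with HKDF. A real
// deployment would keep this level of the hierarchy in a KMS or HSM.
function tenantKey(rootKey, tenantId) {
  const okm = crypto.hkdfSync("sha256", rootKey, Buffer.alloc(0), `tenant:${tenantId}`, 32);
  return Buffer.from(okm);
}

function encryptDocument(rootKey, tenantId, documentId, plaintext) {
  const aad = Buffer.from(`${tenantId}/${documentId}`);
  const dek = crypto.randomBytes(32); // per-document data key
  return {
    documentId,
    body: seal(dek, plaintext, aad),
    wrappedDek: seal(tenantKey(rootKey, tenantId), dek, aad),
  };
}

function decryptDocument(rootKey, callerTenantId, record) {
  const aad = Buffer.from(`${callerTenantId}/${record.documentId}`);
  const dek = open(tenantKey(rootKey, callerTenantId), record.wrappedDek, aad);
  return open(dek, record.body, aad);
}

// Constructed sample data, not real identifiers or content.
const rootKey = crypto.randomBytes(32);
const record = encryptDocument(rootKey, "tenant_acme", "doc_1", Buffer.from("nda text"));
console.log(decryptDocument(rootKey, "tenant_acme", record).toString());
```

Calling `decryptDocument` with any other tenant id, or with a modified ciphertext, throws at the GCM tag check instead of returning data.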

    API surface

    Two operations. Full control.

    Vault put

    // Store a document in an encrypted vault
    await authaz.locker.put({
      vaultId: "vault_legal_2024",
      title: "nda-counterparty-v5.pdf",
      file: encryptedPayload,
      context: {
        tenantId: "tenant_acme",
        orgId: "org_legal",
      },
    });

    Document download

    // Download with step-up verification
    const file = await authaz.locker.download({
      documentId: "doc_98712",
      version: 5,
      requireStepUp: true,
      // Caller must present locker:elevated scope
      // obtained via MFA challenge within the
      // last 5 minutes. Token is single-use.
    });

    Your documents deserve zero trust.

    Locker ships with Authaz identity context, tenant isolation, and envelope encryption so your team can store sensitive files without bolting on a separate system.

    Free up to 2,000 MAU — Locker is billed as an add-on.