Approving releases

Approval is the event, not the exception. Nothing is released until a named human approves it. When a consumer requests a secret, the approvers for that path decide whether it leaves.

What triggers an approval

A consumer asks for a secret by path. The consumer can be a server, a CI job, or an agent. Stillvault notifies the approvers assigned to that path. The request waits — no plaintext moves while it waits.

What an approver sees

An approver reviews two things: which path was requested, and which process asked for it — the requesting executable and the user it ran as. With that in hand, the approver chooses one of two actions:

• Countersign — release the secret to the requester.
• Deny — stop the release.

Approvers work from the web console or their phone. A denial ends the request.

What happens on approval

On Countersign, the plaintext is delivered only to the requester. Stillvault never sees it. This human countersign is the core guarantee: no secret leaves without a named human approving it.

Approvers don’t camp on a page. Each request raises a notification and an in-app badge, so you act when there’s something to act on. See Audit and alerts for how those signals are delivered and recorded.