
If your key is stolen

Your hardware key has been stolen — or you have strong reason to believe it is compromised. The recovery flow is the same as for a lost key, with one critical addition: at the end, you revoke the stolen key so the thief cannot use it.

Move fast

A stolen hardware key is more urgent than a lost one. The thief can, in principle, authenticate to your vault until you revoke the key. How long that window stays open depends on how quickly you can run the recovery flow.

If you suspect theft, run the recovery flow as soon as you reasonably can. You do not have to be at a specific device — any browser on any computer works.

What is the same

Everything in the lost-key flow:

  • Bring your recovery code, your account email, and your verification material.
  • Email support@clavitor.ai and join the Zoom call we send back.
  • Pass human verification on the call and get a verbal session code.
  • Enter the session code and recovery code at clavitor.ai/recover.
  • Register your new hardware key.

What is different

Before you finish, the recovery page asks: was this key stolen, or just lost?

If you mark it stolen, Clavitor adds a revocation marker on the old key. From that point on, any attempt to use the old key — even with a valid biometric tap — gets rejected by the vault with a 410 Gone error. The thief's key becomes inert.

The revocation is atomic with the new-key registration. You never end up in a state where your old key is revoked but you have no working replacement. Either both happen, or neither does.
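
An added sketch, not Clavitor's code, of how a vault could make the revocation marker and the new-key registration one transaction and answer a revoked key with 410 Gone. The SQLite schema, the function names, the sample key ids and the 401 for unknown keys are assumptions.

```python
import sqlite3

def open_store():
    # Hypothetical schema: one row per registered hardware key.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE keys (credential_id TEXT PRIMARY KEY,"
               " account TEXT NOT NULL, revoked INTEGER NOT NULL DEFAULT 0)")
    return db

def enroll(db, account, credential_id):
    with db:  # commits on success, rolls back on exception
        db.execute("INSERT INTO keys (credential_id, account) VALUES (?, ?)",
                   (credential_id, account))

def recover_stolen(db, account, old_id, new_id):
    """Revoke old_id and register new_id as one unit; True if both happened."""
    try:
        with db:  # single transaction: both statements commit, or neither
            db.execute("UPDATE keys SET revoked = 1"
                       " WHERE credential_id = ? AND account = ?",
                       (old_id, account))
            db.execute("INSERT INTO keys (credential_id, account) VALUES (?, ?)",
                       (new_id, account))
        return True
    except sqlite3.Error:
        return False  # the revocation marker was rolled back as well

def authenticate(db, credential_id):
    """HTTP status the vault would answer with for this key."""
    row = db.execute("SELECT revoked FROM keys WHERE credential_id = ?",
                     (credential_id,)).fetchone()
    if row is None:
        return 401  # unknown key (assumed status, not from the page)
    return 410 if row[0] else 200  # 410 Gone for a revoked key

if __name__ == "__main__":
    db = open_store()
    enroll(db, "user@example.test", "key-old")    # constructed sample data
    enroll(db, "user@example.test", "key-spare")
    # Registration fails (id already present): the old key must stay usable.
    print(recover_stolen(db, "user@example.test", "key-old", "key-spare"),
          authenticate(db, "key-old"))
    # Registration succeeds: the old key is revoked in the same commit.
    print(recover_stolen(db, "user@example.test", "key-old", "key-new"),
          authenticate(db, "key-old"), authenticate(db, "key-new"))
```

The failed attempt is the case worth checking in any such design: if registration errors out after the marker is written, the rollback has to restore the old key, otherwise the account is left with no working key.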

What revocation does not do

Revocation prevents future use of the stolen key. It does not undo past use.

If the thief had time to log into your vault before you ran recovery, they may have read whatever credentials your hardware key could decrypt. Whatever they pulled and decrypted stays on their machine until they delete it; Clavitor cannot reach over and erase it.

If you suspect the thief saw your data, rotate the underlying credentials. Change passwords on the accounts that matter, regenerate API keys, replace SSH certs. Clavitor will continue to hold the new credentials safely; the issue is what the thief already learned.

A practical sequence

If you have just discovered theft, in roughly this order:

  1. Buy a replacement hardware key, or pick up an existing spare.
  2. Run the recovery flow. Mark the old key as stolen.
  3. Register your new key.
  4. Generate a fresh recovery code.
  5. Rotate any high-value credentials the stolen key could decrypt — bank accounts, email, work credentials, anything with money or access to other systems.

Steps 1–3 close the door. Steps 4–5 deal with whatever passed through it.