
What we can't do

Real encryption comes with real limits. We are listing them here, in plain language, because the worst time to learn what a service cannot do is when you need it to.

We cannot get you in without your recovery code

If you lose both your hardware key and your recovery code, your vault is permanently inaccessible. There is no "forgot everything" path. There is no override. We do not have a backup copy of your data we can hand you.

This is not a limitation we would like to fix — it is the core promise of the system. We cannot decrypt your vault even if we wanted to. The same property that protects you from a hostile insider at Clavitor also protects you from getting back in when both pieces are gone.

In practice: treat your recovery code like a passport. Lose the hardware key, fine — recover. Lose the recovery code while still holding the key, fine — generate a new one. Lose both, and you are out.

We cannot bypass the human verification

There is no override at our end. If the verification material you set points to specific physical items — say, the watch your grandfather gave you — and you have lost or sold the watch by the time you need to recover, the operator cannot wave you through. They literally have no permission to.

Choose your verification material with this in mind. It should be something you will reliably have access to, even under stress and even years later.

We cannot stop you from choosing weak verification material

Your verification material is your choice. If you pick a code phrase a stranger might guess on the first try, or "I have a Starbucks cup on my desk" as your physical item, we have no way to know during the call that the choice is weak. The operator will accept what you set. The strength of the protection is yours to determine.

A weak-looking passphrase like "secret123" is materially stronger here than the same phrase against a typical password system. The operator is a human listening on the call, not a brute-force loop — the attacker gets one human-judged attempt per call, not a million guesses per second. The defense is the absence of repeated guessing, not the entropy of your phrase. But "stronger than elsewhere" is still not "strong."

A weak physical claim — "I have a Starbucks cup on my desk" — is weak in a different way: a thousand other people could pass it. The brute-force argument does not save you here. Pick something distinctive enough that no random attacker would happen to have it.

We cannot recover for you if Clavitor disappears

Clavitor's central server holds the recovery anchors. If Clavitor as a company ceases to exist and the central server goes with it, the recovery flow stops working. Your hardware key still decrypts your vault — that does not depend on us — but you can no longer recover from a lost key.

The data itself is safer than the recovery flow. Your authentication records are replicated across 21 POPs on multiple continents. Vault data is geo-replicated. Even if Clavitor's headquarters went offline, your data stays reachable. But the recovery service runs from a single central location, and we will not pretend otherwise.

We have a graceful-shutdown plan that would let you export your recovery anchor before any orderly wind-down. We are not prepared for an asteroid.

We cannot unfetch what a thief already saw

If your hardware key was stolen and the thief used it before you revoked, whatever they decrypted is in their hands. Revocation closes future access; it does not reach into their memory.

The mitigation is rotating the underlying credentials — change the password, regenerate the API key, replace the SSH cert. Clavitor stores them; the secret itself is yours to renew.

We cannot reissue the same recovery code

Each recovery code is paired with a fresh random anchor on our side. If you misplace the printed code, we cannot reprint the same one — that would require us to have stored your half, which we do not. Generate a new one, save it carefully, and the old code stops working as soon as you confirm.

We cannot accept email or SMS for recovery

There is no email-based reset. There is no SMS-based reset. Both are well-documented attack channels, both depend on infrastructure neither you nor we fully control, and both have been responsible for some of the largest password manager breaches in history. The email-and-Zoom path is how you contact us, but the credential release itself only happens after a human verifies you on the call.