Authentication
A password manager has to treat sign-in as part of the vault boundary. PassHero uses OPAQUE so the client and server complete a password-authenticated exchange without the raw master password being sent to the API.
After successful authentication, the client can unlock the encrypted private key material needed to work with vault secrets. The server coordinates the account, but the sensitive unlock step happens on the user device.
Vault encryption
Secret values are encrypted before they are stored. The service can keep encrypted payloads, account records, sharing records, and useful metadata without needing plain-text passwords, notes, or payment card details.
That separation matters. Labels and organisational metadata can remain useful to the service while the protected value stays encrypted until an authorised user reveals it locally.
Sharing and sensitive access
When a secret is shared, PassHero is designed to encrypt access for the recipient rather than moving the password through chat, email, or screenshots. Owners can choose access levels and remove shared access later.
For secrets that deserve more care, high-security confirmation and time-delayed access add friction at the reveal or sharing moment. The architecture is not just about storage; it is about reducing exposure across the whole workflow.
How this shows up in PassHero
Registration uses an OPAQUE register start and finish flow.
Login uses an OPAQUE login start and finish flow.
Secret values are encrypted before they are sent to the API.
Shared secrets are encrypted for authorised recipients.
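As an added example (not PassHero's code), the Go below shows the split described under "Vault encryption" and in the list above: the label stays readable to the server, while the value is AES-GCM encrypted on the client with the label bound as associated data, so a relabelled or swapped record refuses to open. It assumes the client key is derived from the secret an OPAQUE login hands only to the client (the protocol's export_key) using a single HMAC-SHA256 step; that derivation and the record layout are assumptions, not PassHero's design.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
)

// VaultRecord is all the API is given: a readable label plus AES-GCM ciphertext.
type VaultRecord struct {
	Label      string
	Nonce      []byte
	Ciphertext []byte
}
type Vault struct{ aead cipher.AEAD } // client-side AEAD; its key never leaves the device

// NewVault derives the vault key from the client-only secret that a completed OPAQUE
// login yields (the protocol's export_key). The single HMAC-SHA256 expand step with
// a fixed info string is an assumed design, not PassHero's actual KDF.
func NewVault(exportKey []byte) (*Vault, error) {
	m := hmac.New(sha256.New, exportKey)
	m.Write([]byte("vault-secret-encryption\x01"))
	block, err := aes.NewCipher(m.Sum(nil)) // 32-byte output selects AES-256
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &Vault{aead: aead}, nil
}

// Seal encrypts a secret before it is sent. The label is bound as associated data,
// so a stored ciphertext cannot be quietly re-attached to a different entry.
func (v *Vault) Seal(label, secret string) (VaultRecord, error) {
	nonce := make([]byte, v.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return VaultRecord{}, err
	}
	ct := v.aead.Seal(nil, nonce, []byte(secret), []byte(label))
	return VaultRecord{Label: label, Nonce: nonce, Ciphertext: ct}, nil
}

// Open reveals the value locally; it errors if the key, ciphertext or label changed.
func (v *Vault) Open(rec VaultRecord) (string, error) {
	pt, err := v.aead.Open(nil, rec.Nonce, rec.Ciphertext, []byte(rec.Label))
	return string(pt), err
}
```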
FAQ
Does this mean PassHero has no server-side role?
No. PassHero still handles accounts, subscriptions, encrypted storage, sync, and sharing records. The point is to keep the most sensitive values and master-password handling out of server-side plain text.
Is OPAQUE the whole security model?
No. OPAQUE strengthens authentication, while client-side encryption, encrypted sharing, high-security checks, and time-delayed access protect the wider vault workflow.
