Last updated: May 24, 2026
Terms of Use
These terms explain how Vultkey may be used, what public-link owners are responsible for, and what a beta product does not promise.
1. Acceptance and beta status
By using Vultkey, you agree to these terms. Vultkey is a beta product for organizing and distributing digital keys, codes, licenses, API credentials, coupons, and game keys. Product behavior, security controls, claim logs, and the data model may change during beta.
The beta label does not mean the product is unusable. It means you should evaluate your own risk before relying on it for critical production secrets, regulated data, or high-value credentials.
2. Account responsibility
You are responsible for protecting your account, password, OAuth identities, and signed-in devices. Changes made from your account, including vault edits and public-link settings, are treated as actions performed by your account.
You may not access another person’s account, bypass claim limits, abuse rate limits, or attempt to work around Vultkey security controls.
3. Vault content
Only store records that you have the right to store, manage, or distribute. You are responsible for the legality, accuracy, and sharing rights of licenses, API keys, game keys, coupons, and similar content.
Vultkey encrypts raw key material, but it does not validate whether a third-party license is genuine, unused, transferable, or compliant with the issuing platform’s terms.
4. Public links
When you create a public link, you control who receives it, how many claims are allowed, whether raw reveal is enabled, whether the copy button is shown, what fields are visible, and when the link expires. If raw reveal is enabled, Vultkey cannot technically prevent the recipient from manually copying the code. Sharing the link with the wrong person or enabling raw reveal by mistake is your responsibility.
A public link manages the distribution workflow. Vultkey does not directly verify whether the recipient used the code on a third-party platform. If the recipient presses the "used" confirmation, that is recorded as a user statement.
5. Member allowlists and claim limits
A link owner may restrict a public link to specific Vultkey members. In that mode, the recipient must sign in with a Vultkey account that matches an email selected by the owner.
Claim limits may use email, member account, device cookies, browser fingerprints, request fingerprints, user-agent hashes, and IP hashes. These controls reduce abuse, but they are not a legal identity system and cannot guarantee perfect enforcement in every environment.
6. Logs and visibility
The link owner may see public claim logs. Those logs can include recipient-entered email, recipient note, Vultkey member email, country code, device type, operating system, browser, language, timezone, claim time, redemption time, and key snapshot information.
By claiming a code through a public link, the recipient accepts that these distribution records may be shown to the link owner for tracking, abuse prevention, and audit purposes.
7. Prohibited use
You may not use Vultkey to distribute malware, store stolen credentials, share keys without permission, infringe third-party rights, run phishing campaigns, or abuse public links for spam or fraud.
You may not mislead recipients, attempt to access other users’ data, or intentionally bypass rate limits, claim limits, or member allowlists.
8. Self-hosting
Vultkey can be self-hosted. If you run your own deployment, you are responsible for Supabase, Upstash, hosting, domains, backups, migrations, access policies, and production configuration.
You must protect secrets such as `VULTKEY_ENCRYPTION_KEY`, `VULTKEY_HMAC_KEY`, and `SUPABASE_SERVICE_ROLE_KEY`. Losing or exposing these values, or rotating them incorrectly, can cause data loss or security issues.
9. Deletion, liability, and changes
Account deletion is designed to remove application data and may not be reversible. Deleting a key removes the raw key material, but limited claim metadata or snapshots may remain for repeat-claim protection and audit integrity.
Vultkey is provided as a beta product with reasonable security practices, but it does not guarantee uninterrupted service, absolute security, third-party license validity, or perfect claim enforcement. These terms may be updated as the product changes.
