Two-step access
Login verifies your identity. Vault unlock happens only in the browser.
SecureEnv first requests an access token from the backend using the login password. It then derives the master key locally and decrypts your private encryption key in memory only.
The access token may persist for the session, but the decrypted private key does not. Refreshing the page clears the unlocked crypto session and requires vault unlock again.