
Emergency Access

Emergency Access allows you to designate trusted contacts who can request access to your vault if you become incapacitated or otherwise unavailable. A configurable wait period ensures you retain control -- any request can be denied during that window.

How It Works

  1. You add a trusted contact. You specify the contact's email, a wait period (in days), and an access type.
  2. The contact requests access. If something happens to you, your trusted contact initiates an emergency access request from their own SyVault account.
  3. The wait period begins. You receive email and push notifications about the request. During this period you can deny it.
  4. Access is granted or denied. If you do not deny the request within the wait period, SyVault grants the contact read access to your vault. If you deny it, the request is cancelled and the contact is notified.
  5. You can revoke at any time. Trusted contacts can be removed, which immediately invalidates any pending or active access grants.

Access Types

Value  Label          Description
0      View Only      The grantee can browse and read records but cannot export or download attachments.
1      View + Export  The grantee can browse records and export them as an encrypted .vfbackup file.

Setting Up Emergency Access

From the Web Vault

  1. Navigate to Settings > Emergency Access.
  2. Click Add Trusted Contact.
  3. Enter the contact's email address (they must have a SyVault account).
  4. Choose a wait period: 1, 3, 7, 14, or 30 days.
  5. Select the access type: View Only or View + Export.
  6. Click Save. The contact receives an email invitation to accept the role.

Via the API

List Trusted Contacts

GET /api/emergency/trusted

curl https://vault.example.com/api/emergency/trusted \
  -H "Authorization: Bearer $TOKEN"

Response (200):

{
  "data": [
    {
      "id": "ea-uuid-1",
      "grantee_email": "bob@example.com",
      "wait_days": 3,
      "access_type": 0,
      "status": "accepted",
      "created_at": "2026-03-15T10:00:00Z"
    }
  ]
}

Add a Trusted Contact

POST /api/emergency/trusted

curl -X POST https://vault.example.com/api/emergency/trusted \
  -H "Authorization: Bearer $TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "email": "bob@example.com",
    "wait_days": 3,
    "access_type": 0
  }'

Response (201):

{
  "id": "ea-uuid-1",
  "grantee_email": "bob@example.com",
  "wait_days": 3,
  "access_type": 0,
  "status": "pending_acceptance",
  "created_at": "2026-04-06T12:00:00Z"
}

Revoke a Trusted Contact

DELETE /api/emergency/trusted/{id}

curl -X DELETE https://vault.example.com/api/emergency/trusted/ea-uuid-1 \
  -H "Authorization: Bearer $TOKEN"

Returns 204 No Content. Any pending or active access for that contact is immediately revoked.

Request Access (as Grantee)

POST /api/emergency/request/{id}

curl -X POST https://vault.example.com/api/emergency/request/ea-uuid-1 \
  -H "Authorization: Bearer $GRANTEE_TOKEN"

Response (200):

{
  "id": "ea-uuid-1",
  "status": "waiting",
  "wait_period_ends_at": "2026-04-09T12:00:00Z"
}

Deny a Pending Request

POST /api/emergency/trusted/{id}/deny

curl -X POST https://vault.example.com/api/emergency/trusted/ea-uuid-1/deny \
  -H "Authorization: Bearer $TOKEN"

Returns 200 OK with the updated status set to denied.

List Pending Requests (as Grantee)

GET /api/emergency/pending

curl https://vault.example.com/api/emergency/pending \
  -H "Authorization: Bearer $GRANTEE_TOKEN"

Response (200):

{
  "data": [
    {
      "id": "ea-uuid-1",
      "grantor_email": "alice@example.com",
      "status": "waiting",
      "access_type": 0,
      "wait_period_ends_at": "2026-04-09T12:00:00Z"
    }
  ]
}

Security Considerations

  • Wait period is enforced server-side. The countdown is managed by the SyVault server and cannot be bypassed by the client.
  • Notifications are sent on every state change. Email and push notifications are dispatched when a request is created, approved, denied, or revoked.
  • Zero-knowledge is preserved. When access is granted, the server re-encrypts the vault's folder keys with the grantee's public key. The server never sees plaintext data.
  • Audit trail. Every emergency access action is recorded in the organization audit log (Enterprise plan) and in both users' personal activity logs.
  • Revocation is instant. Removing a trusted contact or denying a pending request takes effect immediately. The grantee's re-encrypted keys are purged from the server.
  • Recommended wait period. A 3-day wait balances accessibility with security. Shorter periods reduce the window for you to intervene; longer periods delay legitimate emergency use.
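
A grantor-side review of the GET /api/emergency/trusted listing, checked against the wait periods, access types and recommendation on this page. This is an added example, not SyVault's own code: the function name and the sample entries are constructed, and it assumes a contact with an open request appears in this listing with status "waiting".

```python
import json

# Values taken from this page: allowed wait periods, recommended minimum, access types.
ALLOWED_WAIT_DAYS = {1, 3, 7, 14, 30}
RECOMMENDED_MIN_WAIT_DAYS = 3
ACCESS_TYPES = {0: "View Only", 1: "View + Export"}

# Constructed sample in the shape of the GET /api/emergency/trusted response.
SAMPLE_RESPONSE = """
{"data": [
  {"id": "ea-uuid-1", "grantee_email": "bob@example.com", "wait_days": 3,
   "access_type": 0, "status": "accepted", "created_at": "2026-03-15T10:00:00Z"},
  {"id": "ea-uuid-2", "grantee_email": "carol@example.com", "wait_days": 1,
   "access_type": 1, "status": "waiting", "created_at": "2026-03-20T09:00:00Z"},
  {"id": "ea-uuid-3", "grantee_email": "dave@example.com", "wait_days": 5,
   "access_type": 2, "status": "pending_acceptance", "created_at": "2026-04-01T08:00:00Z"}
]}
"""

def audit_trusted_contacts(response_text):
    """Return (contact_id, finding) tuples for a trusted-contact listing."""
    findings = []
    for contact in json.loads(response_text).get("data", []):
        cid = contact.get("id", "<missing id>")
        wait = contact.get("wait_days")
        access = contact.get("access_type")
        status = contact.get("status")
        if wait not in ALLOWED_WAIT_DAYS:
            findings.append((cid, f"unexpected wait_days {wait!r}"))
        elif wait < RECOMMENDED_MIN_WAIT_DAYS:
            findings.append((cid, f"wait_days {wait} is below the recommended {RECOMMENDED_MIN_WAIT_DAYS}"))
        if access not in ACCESS_TYPES:
            findings.append((cid, f"unknown access_type {access!r}"))
        elif access == 1:
            findings.append((cid, "grantee can export the vault (View + Export)"))
        # Assumption: a contact with an open request shows status "waiting" here.
        if status == "waiting":
            findings.append((cid, "request in wait period: deny now if unexpected"))
        elif status == "pending_acceptance":
            findings.append((cid, "invitation not yet accepted"))
    return findings

if __name__ == "__main__":
    for cid, finding in audit_trusted_contacts(SAMPLE_RESPONSE):
        print(f"{cid}: {finding}")
```

Feed it the body returned by the list call above in place of SAMPLE_RESPONSE to review your own contacts.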