Trusted Networks
Trusted Networks lets you configure location-aware auto-lock behavior for your vault. When your device is connected to a network you have marked as trusted (your home Wi-Fi, office LAN), the vault stays unlocked for a longer timeout. On unrecognized or public networks, a shorter timeout applies automatically, reducing the risk of unauthorized access.
How Detection Works
- The SyVault client (desktop app or browser extension) reads the current network identifier -- the SSID for Wi-Fi, the interface name for Ethernet, or the tunnel name for VPN connections.
- The client sends the identifier to the server via POST /api/security/networks/check.
- The server responds with whether the network is trusted and, if so, the configured timeout.
- The client applies the returned timeout. If the network is not trusted, the default (shorter) timeout from your security settings is used.
Detection runs each time the network changes and once when the vault is unlocked.
Network Types
| Type | Description |
|---|---|
| wifi | Matched by SSID (e.g., MyHomeWiFi). |
| ethernet | Matched by a user-defined label since wired connections lack an SSID. |
| vpn | Matched by VPN tunnel or connection name (e.g., CorpVPN). |
Setting Up Trusted Networks
From the Web Vault
- Navigate to Settings > Security > Trusted Networks.
- Click Add Network.
- Enter the network name (your Wi-Fi SSID, VPN name, or a label for your wired connection).
- Select the network type: Wi-Fi, Ethernet, or VPN.
- Optionally add a human-readable label (e.g., "Home Office").
- Set the extended timeout in minutes (e.g., 60 minutes).
- Click Save.
Via the API
Get Security Settings
GET /api/security/settings
curl https://vault.example.com/api/security/settings \
-H "Authorization: Bearer $TOKEN"
Response (200):
{
"default_timeout_minutes": 5,
"trusted_network_timeout_minutes": 60,
"auto_lock_on_sleep": true,
"clipboard_clear_seconds": 30
}
Update Security Settings
PUT /api/security/settings
curl -X PUT https://vault.example.com/api/security/settings \
-H "Authorization: Bearer $TOKEN" \
-H "Content-Type: application/json" \
-d '{
"default_timeout_minutes": 5,
"trusted_network_timeout_minutes": 90
}'
Returns 200 OK with the updated settings object.
List Trusted Networks
GET /api/security/networks
curl https://vault.example.com/api/security/networks \
-H "Authorization: Bearer $TOKEN"
Response (200):
{
"data": [
{
"id": "net-uuid-1",
"network_name": "MyHomeWiFi",
"network_type": "wifi",
"label": "Home Office",
"timeout_minutes": 60,
"created_at": "2026-03-01T08:00:00Z"
}
]
}
Add a Trusted Network
POST /api/security/networks
curl -X POST https://vault.example.com/api/security/networks \
-H "Authorization: Bearer $TOKEN" \
-H "Content-Type: application/json" \
-d '{
"network_name": "CorpVPN",
"network_type": "vpn",
"label": "Company VPN",
"timeout_minutes": 45
}'
Response (201):
{
"id": "net-uuid-2",
"network_name": "CorpVPN",
"network_type": "vpn",
"label": "Company VPN",
"timeout_minutes": 45,
"created_at": "2026-04-06T12:00:00Z"
}
Update a Trusted Network
PUT /api/security/networks/{id}
curl -X PUT https://vault.example.com/api/security/networks/net-uuid-1 \
-H "Authorization: Bearer $TOKEN" \
-H "Content-Type: application/json" \
-d '{
"label": "Home - Main Router",
"timeout_minutes": 90
}'
Returns 200 OK with the updated network object.
Remove a Trusted Network
DELETE /api/security/networks/{id}
curl -X DELETE https://vault.example.com/api/security/networks/net-uuid-1 \
-H "Authorization: Bearer $TOKEN"
Returns 204 No Content.
Check Current Network
POST /api/security/networks/check
curl -X POST https://vault.example.com/api/security/networks/check \
-H "Authorization: Bearer $TOKEN" \
-H "Content-Type: application/json" \
-d '{
"ssid": "MyHomeWiFi"
}'
Response (200):
{
"trusted": true,
"network_id": "net-uuid-1",
"timeout_minutes": 60
}
If the SSID is not recognized:
{
"trusted": false,
"timeout_minutes": 5
}
Security Considerations
- SSIDs are not secret. An attacker can spoof a Wi-Fi SSID to match your trusted network name. Trusted Networks adjusts convenience (timeout length) only -- it does not bypass authentication. Your master password or biometric is still required to unlock the vault.
- Network names are hashed on the server. The server stores an HMAC-SHA256 hash of the network name, not the plaintext SSID, so a database breach does not reveal your network names.
- Use conservatively. Only mark networks you physically control as trusted. Avoid adding shared networks like Starbucks_WiFi or Airport_Free.
- VPN networks are recommended for remote work. If your company uses a VPN, marking it as trusted provides the convenience benefit while ensuring the connection is already encrypted.
- Maximum timeout cap. Regardless of the value you set, the server enforces a hard cap of 480 minutes (8 hours). Any value above this is silently clamped.
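
The hashed storage and the 480-minute cap described in the list above, sketched as an added example (not SyVault's own code). The key handling, the in-memory store and the names name_digest, clamp_timeout and TrustedNetworkStore are assumptions made for illustration; the response shapes follow the check endpoint shown earlier.

```python
import hashlib
import hmac

MAX_TIMEOUT_MINUTES = 480    # hard cap stated on this page
DEFAULT_TIMEOUT_MINUTES = 5  # default_timeout_minutes from the sample settings
# Constructed demo key (assumption): a real server would load this from a secret store.
DEMO_KEY = b"constructed-demo-key"


def name_digest(network_name: str, key: bytes = DEMO_KEY) -> str:
    """Keyed HMAC-SHA256 of the network name; only this digest is stored."""
    return hmac.new(key, network_name.encode("utf-8"), hashlib.sha256).hexdigest()


def clamp_timeout(minutes: int) -> int:
    """Silently clamp to the cap. Rejecting values below 1 is an assumption."""
    if minutes < 1:
        raise ValueError("timeout must be at least 1 minute")
    return min(minutes, MAX_TIMEOUT_MINUTES)


class TrustedNetworkStore:
    """Hypothetical in-memory stand-in for the server's trusted-network table."""

    def __init__(self, key: bytes = DEMO_KEY):
        self.key = key
        self.rows = {}  # digest -> {"id", "timeout_minutes"}; no plaintext name

    def add(self, network_id: str, network_name: str, timeout_minutes: int) -> dict:
        row = {"id": network_id, "timeout_minutes": clamp_timeout(timeout_minutes)}
        self.rows[name_digest(network_name, self.key)] = row
        return row

    def check(self, ssid: str) -> dict:
        """Mirror the two response shapes of POST /api/security/networks/check."""
        row = self.rows.get(name_digest(ssid, self.key))
        if row is None:
            return {"trusted": False, "timeout_minutes": DEFAULT_TIMEOUT_MINUTES}
        return {"trusted": True, "network_id": row["id"],
                "timeout_minutes": row["timeout_minutes"]}


if __name__ == "__main__":
    store = TrustedNetworkStore()
    store.add("net-uuid-1", "MyHomeWiFi", 60)      # constructed sample rows
    store.add("net-uuid-2", "CorpVPN", 9999)       # above the cap, stored as 480
    print(store.check("MyHomeWiFi"))
    print(store.check("Airport_Free"))
    print(list(store.rows))                        # digests only
```

Because SSIDs are short and guessable, the digest protects network names only as long as the HMAC key is kept outside the database that stores the digests.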