diff --git a/.vscode/settings.json b/.vscode/settings.json
index 775973a21e..eda6e4f469 100644
--- a/.vscode/settings.json
+++ b/.vscode/settings.json
@@ -13,6 +13,7 @@
     "Cdfc",
     "checksummable",
     "chinthakagodawita",
+    "Ciphertext",
     "cjsx",
     "clsx",
     "cmdk",
@@ -37,6 +38,7 @@
     "fkey",
     "frontends",
     "geoip",
+    "healthcheck",
     "hookform",
     "hostable",
     "INBUCKET",
@@ -44,6 +46,7 @@
     "Jwks",
     "JWTs",
     "katex",
+    "localstack",
     "lucide",
     "Luma",
     "midfix",
@@ -94,6 +97,7 @@
     "typecheck",
     "typehack",
     "Uncapitalize",
+    "unhashed",
     "unindexed",
     "Unmigrated",
     "unsubscribers",
diff --git a/apps/backend/.env b/apps/backend/.env
index c62e3063b5..6be4449b21 100644
--- a/apps/backend/.env
+++ b/apps/backend/.env
@@ -58,6 +58,13 @@ STACK_S3_ACCESS_KEY_ID=
 STACK_S3_SECRET_ACCESS_KEY=
 STACK_S3_BUCKET=
 
+# AWS configuration
+STACK_AWS_REGION=
+STACK_AWS_KMS_ENDPOINT=
+STACK_AWS_ACCESS_KEY_ID=
+STACK_AWS_SECRET_ACCESS_KEY=
+
+
 
 # Misc, optional
 STACK_ACCESS_TOKEN_EXPIRATION_TIME=# enter the expiration time for the access token here. Optional, don't specify it for default value
diff --git a/apps/backend/.env.development b/apps/backend/.env.development
index 39c2a8ea2a..bebe26f78f 100644
--- a/apps/backend/.env.development
+++ b/apps/backend/.env.development
@@ -56,3 +56,9 @@ STACK_S3_REGION=us-east-1
 STACK_S3_ACCESS_KEY_ID=s3mockroot
 STACK_S3_SECRET_ACCESS_KEY=s3mockroot
 STACK_S3_BUCKET=stack-storage
+
+# AWS region defaults to LocalStack
+STACK_AWS_REGION=us-east-1
+STACK_AWS_KMS_ENDPOINT=http://localhost:8124
+STACK_AWS_ACCESS_KEY_ID=test
+STACK_AWS_SECRET_ACCESS_KEY=test
diff --git a/apps/backend/prisma/migrations/20250830000849_data_vault/migration.sql b/apps/backend/prisma/migrations/20250830000849_data_vault/migration.sql
new file mode 100644
index 0000000000..9534a71e01
--- /dev/null
+++ b/apps/backend/prisma/migrations/20250830000849_data_vault/migration.sql
@@ -0,0 +1,18 @@
+-- CreateTable
+CREATE TABLE "DataVaultEntry" (
+    "id" UUID NOT NULL,
+    "tenancyId" UUID NOT NULL,
+    "storeId" TEXT NOT NULL,
+    "hashedKey" TEXT NOT NULL,
+    "encrypted" JSONB NOT NULL,
+    "createdAt" TIMESTAMP(3) NOT NULL DEFAULT CURRENT_TIMESTAMP,
+    "updatedAt" TIMESTAMP(3) NOT NULL,
+
+    CONSTRAINT "DataVaultEntry_pkey" PRIMARY KEY ("tenancyId","id")
+);
+
+-- CreateIndex
+CREATE INDEX "DataVaultEntry_tenancyId_storeId_idx" ON "DataVaultEntry"("tenancyId", "storeId");
+
+-- CreateIndex
+CREATE UNIQUE INDEX "DataVaultEntry_tenancyId_storeId_hashedKey_key" ON "DataVaultEntry"("tenancyId", "storeId", "hashedKey");
diff --git a/apps/backend/prisma/schema.prisma b/apps/backend/prisma/schema.prisma
index dc699b846a..b07257fcad 100644
--- a/apps/backend/prisma/schema.prisma
+++ b/apps/backend/prisma/schema.prisma
@@ -771,3 +771,17 @@ model ItemQuantityChange {
   @@id([tenancyId, id])
   @@index([tenancyId, customerId, expiresAt])
 }
+
+model DataVaultEntry {
+  id         String   @default(uuid()) @db.Uuid
+  tenancyId  String   @db.Uuid
+  storeId    String
+  hashedKey  String
+  encrypted  Json     // Contains { edkBase64, ciphertextBase64 } from encryptWithKms()
+  createdAt  DateTime @default(now())
+  updatedAt  DateTime @updatedAt
+
+  @@id([tenancyId, id])
+  @@unique([tenancyId, storeId, hashedKey])
+  @@index([tenancyId, storeId])
+}
diff --git a/apps/backend/src/app/api/latest/data-vault/stores/[id]/get/route.tsx b/apps/backend/src/app/api/latest/data-vault/stores/[id]/get/route.tsx
new file mode 100644
index 0000000000..ac3b0ec8cd
--- /dev/null
+++ b/apps/backend/src/app/api/latest/data-vault/stores/[id]/get/route.tsx
@@ -0,0 +1,77 @@
+import { getPrismaClientForTenancy } from "@/prisma-client";
+import { createSmartRouteHandler } from "@/route-handlers/smart-route-handler";
+import { KnownErrors } from "@stackframe/stack-shared";
+import { decryptWithKms } from "@stackframe/stack-shared/dist/helpers/vault/server-side";
+import { adaptSchema, serverOrHigherAuthTypeSchema, yupNumber, yupObject, yupString } from "@stackframe/stack-shared/dist/schema-fields";
+import { StackAssertionError } from "@stackframe/stack-shared/dist/utils/errors";
+
+export const POST = createSmartRouteHandler({
+  metadata: {
+    summary: "Retrieve encrypted value from data vault",
+    description: "Retrieves and decrypts a value from the data vault using a hashed key",
+    tags: ["DataVault"],
+  },
+  request: yupObject({
+    auth: yupObject({
+      type: serverOrHigherAuthTypeSchema,
+      tenancy: adaptSchema,
+    }).defined(),
+    params: yupObject({
+      id: yupString().defined(),
+    }).defined(),
+    body: yupObject({
+      hashed_key: yupString().defined().nonEmpty(),
+    }).defined(),
+  }),
+  response: yupObject({
+    statusCode: yupNumber().oneOf([200]).defined(),
+    bodyType: yupString().oneOf(["json"]).defined(),
+    body: yupObject({
+      encrypted_value: yupString().defined(),
+    }).defined(),
+  }),
+  async handler({ auth: { tenancy }, params: { id: storeId }, body: { hashed_key: hashedKey } }) {
+    // Check if data vault is configured for this store
+    if (!(storeId in tenancy.config.dataVault.stores)) {
+      throw new KnownErrors.DataVaultStoreDoesNotExist(storeId);
+    }
+
+    const prisma = await getPrismaClientForTenancy(tenancy);
+
+    // Retrieve the entry
+    const entry = await prisma.dataVaultEntry.findUnique({
+      where: {
+        tenancyId_storeId_hashedKey: {
+          tenancyId: tenancy.id,
+          storeId,
+          hashedKey,
+        },
+      },
+    });
+
+    if (!entry) {
+      throw new KnownErrors.DataVaultStoreHashedKeyDoesNotExist(storeId, hashedKey);
+    }
+
+    const encryptedData = entry.encrypted as { edkBase64?: string, ciphertextBase64?: string };
+    if (!encryptedData.edkBase64 || !encryptedData.ciphertextBase64) {
+      throw new StackAssertionError("Corrupted encrypted data", encryptedData);
+    }
+
+    const decryptedValue = await decryptWithKms({
+      edkBase64: encryptedData.edkBase64,
+      ciphertextBase64: encryptedData.ciphertextBase64,
+    });
+
+    return {
+      statusCode: 200,
+      bodyType: "json",
+      body: {
+        // This looks confusing, but it's actually correct. `encrypted_value` refers to the fact that it is encrypted
+        // with client-side encryption, while `decryptedValue` refers to the fact that it has been decrypted with
+        // server-side encryption.
+        encrypted_value: decryptedValue,
+      },
+    };
+  },
+});
diff --git a/apps/backend/src/app/api/latest/data-vault/stores/[id]/set/route.tsx b/apps/backend/src/app/api/latest/data-vault/stores/[id]/set/route.tsx
new file mode 100644
index 0000000000..61ad25db87
--- /dev/null
+++ b/apps/backend/src/app/api/latest/data-vault/stores/[id]/set/route.tsx
@@ -0,0 +1,68 @@
+import { getPrismaClientForTenancy } from "@/prisma-client";
+import { createSmartRouteHandler } from "@/route-handlers/smart-route-handler";
+import { KnownErrors } from "@stackframe/stack-shared";
+import { encryptWithKms } from "@stackframe/stack-shared/dist/helpers/vault/server-side";
+import { adaptSchema, serverOrHigherAuthTypeSchema, yupNumber, yupObject, yupString } from "@stackframe/stack-shared/dist/schema-fields";
+
+export const POST = createSmartRouteHandler({
+  metadata: {
+    summary: "Store encrypted value in data vault",
+    description: "Stores a hashed key and encrypted value in the data vault for a specific store",
+    tags: ["DataVault"],
+  },
+  request: yupObject({
+    auth: yupObject({
+      type: serverOrHigherAuthTypeSchema,
+      tenancy: adaptSchema,
+    }).defined(),
+    params: yupObject({
+      id: yupString().defined(),
+    }).defined(),
+    body: yupObject({
+      hashed_key: yupString().defined().nonEmpty(),
+      encrypted_value: yupString().defined(),
+    }).defined(),
+  }),
+  response: yupObject({
+    statusCode: yupNumber().oneOf([200]).defined(),
+    bodyType: yupString().oneOf(["success"]).defined(),
+  }),
+  async handler({ auth: { tenancy }, params: { id: storeId }, body: { hashed_key: hashedKey, encrypted_value: encryptedValue } }) {
+    // Check if data vault is configured for this store
+    if (!(storeId in tenancy.config.dataVault.stores)) {
+      throw new KnownErrors.DataVaultStoreDoesNotExist(storeId);
+    }
+
+    const prisma = await getPrismaClientForTenancy(tenancy);
+
+    // Encrypt the value with KMS
+    // note that encryptedValue is encrypted by client-side encryption, while encrypted is encrypted by both client-side
+    // and server-side encryption.
+    const encrypted = await encryptWithKms(encryptedValue);
+
+    // Store or update the entry
+    await prisma.dataVaultEntry.upsert({
+      where: {
+        tenancyId_storeId_hashedKey: {
+          tenancyId: tenancy.id,
+          storeId,
+          hashedKey,
+        },
+      },
+      update: {
+        encrypted,
+      },
+      create: {
+        tenancyId: tenancy.id,
+        storeId,
+        hashedKey,
+        encrypted,
+      },
+    });
+
+    return {
+      statusCode: 200,
+      bodyType: "success",
+    };
+  },
+});
diff --git a/apps/dashboard/src/app/(main)/(protected)/projects/[projectId]/data-vault/stores/[storeId]/page-client.tsx b/apps/dashboard/src/app/(main)/(protected)/projects/[projectId]/data-vault/stores/[storeId]/page-client.tsx
new file mode 100644
index 0000000000..c98c06fb76
--- /dev/null
+++ b/apps/dashboard/src/app/(main)/(protected)/projects/[projectId]/data-vault/stores/[storeId]/page-client.tsx
@@ -0,0 +1,245 @@
+"use client";
+
+import { CodeBlock } from "@/components/code-block";
+import { deindent } from "@stackframe/stack-shared/dist/utils/strings";
+import { Button, Dialog, DialogContent, DialogDescription, DialogHeader, DialogTitle, Input, Label, toast } from "@stackframe/stack-ui";
+import { ArrowLeft, Check, Copy, Edit2, Trash2, X } from "lucide-react";
+import { useState } from "react";
+import { useRouter } from "../../../../../../../../components/router";
+import { PageLayout } from "../../../page-layout";
+import { useAdminApp } from "../../../use-admin-app";
+
+type PageClientProps = {
+  storeId: string,
+}
+
+export default function PageClient({ storeId }: PageClientProps) {
+  const stackAdminApp = useAdminApp();
+  const project = stackAdminApp.useProject();
+  const router = useRouter();
+  const [isDeleteDialogOpen, setIsDeleteDialogOpen] = useState(false);
+  const [isDeleting, setIsDeleting] = useState(false);
+  const [isEditingName, setIsEditingName] = useState(false);
+  const [editedDisplayName, setEditedDisplayName] = useState("");
+  const [deleteConfirmation, setDeleteConfirmation] = useState("");
+
+  const config = project.useConfig();
+  const store = config.dataVault.stores[storeId];
+
+  if (!(storeId in config.dataVault.stores)) {
+    return (
+      <PageLayout title="Store Not Found">
+        <div className="flex flex-col items-center justify-center py-12">
+          <p className="text-muted-foreground mb-4">This data vault store does not exist.</p>
+          <Button onClick={() => router.push(`/projects/${project.id}/data-vault/stores`)}>
+            <ArrowLeft className="h-4 w-4 mr-2" />
+            Back to Stores
+          </Button>
+        </div>
+      </PageLayout>
+    );
+  }
+
+  const handleDeleteStore = async () => {
+    if (deleteConfirmation !== storeId) {
+      alert("Please type the store ID to confirm deletion");
+      return;
+    }
+
+    setIsDeleting(true);
+    try {
+      const { [storeId]: _, ...remainingStores } = config.dataVault.stores;
+
+      await project.updateConfig({
+        [`dataVault.stores.${storeId}`]: null,
+      });
+
+      toast({ title: "Data vault store deleted successfully" });
+      router.push(`/projects/${project.id}/data-vault/stores`);
+    } finally {
+      setIsDeleting(false);
+    }
+  };
+
+  const handleUpdateDisplayName = async () => {
+    await project.updateConfig({
+      [`dataVault.stores.${storeId}`]: {
+        ...store,
+        displayName: editedDisplayName.trim() || store.displayName,
+      },
+    });
+
+    toast({ title: "Display name updated successfully" });
+    setIsEditingName(false);
+  };
+
+  const startEditingName = () => {
+    setEditedDisplayName(store.displayName || "");
+    setIsEditingName(true);
+  };
+
+  const copyToClipboard = async (text: string) => {
+    await navigator.clipboard.writeText(text);
+    toast({ title: "Copied to clipboard" });
+  };
+
+
+  const serverExample = deindent`
+    // In your .env file or environment variables:
+    // STACK_DATA_VAULT_SECRET=insert-a-randomly-generated-secret-here
+
+    const store = await stackServerApp.getDataVaultStore(${JSON.stringify(storeId)});
+
+    // Each store is a key-value store. You can use any string as a key, for example user IDs
+    const key = user.id;
+
+    // Get a value for a specific key
+    const value = await store.getValue(key, {
+      secret: process.env.STACK_DATA_VAULT_SECRET,
+    });
+
+    // Set a value for a specific key
+    await store.setValue(key, "my-value", {
+      secret: process.env.STACK_DATA_VAULT_SECRET,
+    });
+  `;
+
+
+  return (
+    <PageLayout
+      title={`Data Vault Store`}
+    >
+      <div className="space-y-6">
+        <div className="flex flex-row gap-4 justify-between items-center">
+          <div>
+            <Label>Store ID</Label>
+            <div className="flex items-center gap-2 mt-1">
+              <code className="text-sm bg-muted px-2 py-1 rounded">{storeId}</code>
+              <Button
+                variant="ghost"
+                size="sm"
+                onClick={() => copyToClipboard(storeId)}
+              >
+                <Copy className="h-4 w-4" />
+              </Button>
+            </div>
+          </div>
+
+          <div>
+            <Label>Display Name</Label>
+            {isEditingName ? (
+              <div className="flex items-center gap-2 mt-1">
+                <Input
+                  value={editedDisplayName}
+                  onChange={(e) => setEditedDisplayName(e.target.value)}
+                  placeholder="Enter display name"
+                  className="max-w-sm"
+                />
+                <Button
+                  variant="ghost"
+                  size="sm"
+                  onClick={handleUpdateDisplayName}
+                >
+                  <Check className="h-4 w-4" />
+                </Button>
+                <Button
+                  variant="ghost"
+                  size="sm"
+                  onClick={() => setIsEditingName(false)}
+                >
+                  <X className="h-4 w-4" />
+                </Button>
+              </div>
+            ) : (
+              <div className="flex items-center gap-2 mt-1">
+                <p className="text-sm text-muted-foreground">
+                  {store.displayName || "No display name set"}
+                </p>
+                <Button
+                  variant="ghost"
+                  size="sm"
+                  onClick={startEditingName}
+                >
+                  <Edit2 className="h-4 w-4" />
+                </Button>
+              </div>
+            )}
+          </div>
+          <Button
+            variant="destructive"
+            size="sm"
+            onClick={() => setIsDeleteDialogOpen(true)}
+          >
+            <Trash2 className="h-4 w-4 mr-2" />
+            Delete Store
+          </Button>
+        </div>
+
+        <div className="flex flex-col gap-2 text-muted-foreground text-sm">
+          <p>
+            Your data vault store has been created.
+          </p>
+          <p>
+            A store securely saves key-value pairs with Stack Auth. Plaintext keys and values are never written to a database; instead, they&apos;re encrypted and decrypted on-the-fly using envelope encryption with a rotating master key.
+          </p>
+          <p>
+            To use the store, you&apos;ll need a random, unguessable secret. It can be any format, but for strong security it should be at least 32 characters long and provide 256 bits of entropy. <b>Even Stack Auth</b> can&apos;t access your data if you lose it, so keep it safe.
+          </p>
+          <p>
+            Stack Auth only stores hashes of your keys, so you can&apos;t list all keys in a store. Each value is encrypted with its key, the provided secret, and an additional encryption secret that is kept safe by Stack Auth.
+          </p>
+        </div>
+
+        <CodeBlock
+          language="typescript"
+          content={serverExample}
+          title="Example Implementation"
+          icon="code"
+        />
+
+        <Dialog open={isDeleteDialogOpen} onOpenChange={setIsDeleteDialogOpen}>
+          <DialogContent>
+            <DialogHeader>
+              <DialogTitle>Delete Data Vault Store</DialogTitle>
+              <DialogDescription>
+                This action cannot be undone. All encrypted data in this store will be permanently deleted.
+              </DialogDescription>
+            </DialogHeader>
+            <div className="space-y-4 pt-4">
+              <div className="space-y-2">
+                <Label htmlFor="confirmation">
+                  Type <strong>{storeId}</strong> to confirm deletion
+                </Label>
+                <Input
+                  id="confirmation"
+                  value={deleteConfirmation}
+                  onChange={(e) => setDeleteConfirmation(e.target.value)}
+                  placeholder={storeId}
+                />
+              </div>
+              <div className="flex justify-end gap-2">
+                <Button
+                  variant="outline"
+                  onClick={() => {
+                    setIsDeleteDialogOpen(false);
+                    setDeleteConfirmation("");
+                  }}
+                  disabled={isDeleting}
+                >
+                  Cancel
+                </Button>
+                <Button
+                  variant="destructive"
+                  onClick={handleDeleteStore}
+                  disabled={isDeleting || deleteConfirmation !== storeId}
+                >
+                  {isDeleting ? "Deleting..." : "Delete Store"}
+                </Button>
+              </div>
+            </div>
+          </DialogContent>
+        </Dialog>
+      </div>
+    </PageLayout>
+  );
+}
diff --git a/apps/dashboard/src/app/(main)/(protected)/projects/[projectId]/data-vault/stores/[storeId]/page.tsx b/apps/dashboard/src/app/(main)/(protected)/projects/[projectId]/data-vault/stores/[storeId]/page.tsx
new file mode 100644
index 0000000000..91e62259f9
--- /dev/null
+++ b/apps/dashboard/src/app/(main)/(protected)/projects/[projectId]/data-vault/stores/[storeId]/page.tsx
@@ -0,0 +1,18 @@
+import { Metadata } from "next";
+import PageClient from "./page-client";
+
+export const metadata: Metadata = {
+  title: "Data Vault Store",
+};
+
+type Params = {
+  projectId: string,
+  storeId: string,
+};
+
+export default async function Page({ params }: { params: Promise<Params> }) {
+  const { storeId } = await params;
+  return (
+    <PageClient storeId={storeId} />
+  );
+}
diff --git a/apps/dashboard/src/app/(main)/(protected)/projects/[projectId]/data-vault/stores/page-client.tsx b/apps/dashboard/src/app/(main)/(protected)/projects/[projectId]/data-vault/stores/page-client.tsx
new file mode 100644
index 0000000000..0b2898f4d8
--- /dev/null
+++ b/apps/dashboard/src/app/(main)/(protected)/projects/[projectId]/data-vault/stores/page-client.tsx
@@ -0,0 +1,167 @@
+"use client";
+
+import { typedEntries } from "@stackframe/stack-shared/dist/utils/objects";
+import { Button, Card, CardContent, CardHeader, Dialog, DialogContent, DialogDescription, DialogHeader, DialogTitle, Input, Label, toast } from "@stackframe/stack-ui";
+import { Database, Plus } from "lucide-react";
+import { useState } from "react";
+import { useRouter } from "../../../../../../../components/router";
+import { PageLayout } from "../../page-layout";
+import { useAdminApp } from "../../use-admin-app";
+
+export default function PageClient() {
+  const stackAdminApp = useAdminApp();
+  const project = stackAdminApp.useProject();
+  const router = useRouter();
+  const [isCreateDialogOpen, setIsCreateDialogOpen] = useState(false);
+  const [newStoreId, setNewStoreId] = useState("");
+  const [newStoreDisplayName, setNewStoreDisplayName] = useState("");
+  const [isCreating, setIsCreating] = useState(false);
+
+  const config = project.useConfig();
+  const stores = config.dataVault.stores;
+  const storeEntries = typedEntries(stores);
+
+  const handleCreateStore = async () => {
+    if (!newStoreId.trim()) {
+      alert("Store ID is required");
+      return;
+    }
+
+    if (!newStoreId.match(/^[a-z0-9-]+$/)) {
+      alert("Store ID can only contain lowercase letters, numbers, and hyphens");
+      return;
+    }
+
+    if (newStoreId in stores) {
+      alert("A store with this ID already exists");
+      return;
+    }
+
+    setIsCreating(true);
+    try {
+      await project.updateConfig({
+        [`dataVault.stores.${newStoreId}`]: {
+          displayName: newStoreDisplayName.trim() || `Store ${newStoreId}`,
+        },
+      });
+
+      toast({ title: "Data vault store created successfully" });
+      setIsCreateDialogOpen(false);
+      setNewStoreId("");
+      setNewStoreDisplayName("");
+    } finally {
+      setIsCreating(false);
+    }
+  };
+
+  const handleStoreClick = (storeId: string) => {
+    router.push(`/projects/${project.id}/data-vault/stores/${storeId}`);
+  };
+
+  return (
+    <PageLayout
+      title="Data Vault Stores"
+      actions={
+        <Button onClick={() => setIsCreateDialogOpen(true)}>
+          <Plus className="h-4 w-4 mr-2" />
+          Create Store
+        </Button>
+      }
+    >
+      <div className="space-y-6">
+        <div className="flex justify-between items-center">
+          <div>
+            <p className="text-muted-foreground">
+              Securely store and manage encrypted data in isolated stores
+            </p>
+          </div>
+        </div>
+
+        {storeEntries.length === 0 ? (
+          <div className="flex flex-col items-center justify-center py-12">
+            <Database className="h-12 w-12 text-muted-foreground mb-4" />
+            <h3 className="text-lg font-semibold mb-2">No data vault stores yet</h3>
+            <p className="text-muted-foreground text-center mb-4">
+              Create your first data vault store to start securely storing encrypted data
+            </p>
+            <Button onClick={() => setIsCreateDialogOpen(true)}>
+              <Plus className="h-4 w-4 mr-2" />
+              Create Your First Store
+            </Button>
+          </div>
+        ) : (
+          <div className="grid grid-cols-1 md:grid-cols-2 lg:grid-cols-3 xl:grid-cols-4 gap-4">
+            {storeEntries.map(([storeId, store]) => (
+              <Card
+                key={storeId}
+                className="cursor-pointer hover:shadow-md transition-shadow"
+                onClick={() => handleStoreClick(storeId)}
+              >
+                <CardHeader className="pb-3">
+                  <div className="flex items-start justify-between">
+                    <Database className="h-5 w-5 text-muted-foreground" />
+                  </div>
+                </CardHeader>
+                <CardContent>
+                  <div className="space-y-1">
+                    <h3 className="font-semibold text-sm truncate">{storeId}</h3>
+                    <p className="text-xs text-muted-foreground truncate">
+                      {store.displayName || "No display name"}
+                    </p>
+                  </div>
+                </CardContent>
+              </Card>
+            ))}
+          </div>
+        )}
+
+        <Dialog open={isCreateDialogOpen} onOpenChange={setIsCreateDialogOpen}>
+          <DialogContent>
+            <DialogHeader>
+              <DialogTitle>Create Data Vault Store</DialogTitle>
+              <DialogDescription>
+                Create a new isolated store for encrypted data
+              </DialogDescription>
+            </DialogHeader>
+            <div className="space-y-4 pt-4">
+              <div className="space-y-2">
+                <Label htmlFor="storeId">Store ID</Label>
+                <Input
+                  id="storeId"
+                  placeholder="e.g., user-secrets, api-keys"
+                  value={newStoreId}
+                  onChange={(e) => setNewStoreId(e.target.value)}
+                  pattern="[a-z0-9-]+"
+                />
+                <p className="text-xs text-muted-foreground">
+                  Lowercase letters, numbers, and hyphens only
+                </p>
+              </div>
+              <div className="space-y-2">
+                <Label htmlFor="displayName">Display Name (optional)</Label>
+                <Input
+                  id="displayName"
+                  placeholder="e.g., User Secrets"
+                  value={newStoreDisplayName}
+                  onChange={(e) => setNewStoreDisplayName(e.target.value)}
+                />
+              </div>
+              <div className="flex justify-end gap-2">
+                <Button
+                  variant="outline"
+                  onClick={() => setIsCreateDialogOpen(false)}
+                  disabled={isCreating}
+                >
+                  Cancel
+                </Button>
+                <Button onClick={handleCreateStore} disabled={isCreating}>
+                  {isCreating ? "Creating..." : "Create Store"}
+                </Button>
+              </div>
+            </div>
+          </DialogContent>
+        </Dialog>
+      </div>
+    </PageLayout>
+  );
+}
diff --git a/apps/dashboard/src/app/(main)/(protected)/projects/[projectId]/data-vault/stores/page.tsx b/apps/dashboard/src/app/(main)/(protected)/projects/[projectId]/data-vault/stores/page.tsx
new file mode 100644
index 0000000000..c075354d0c
--- /dev/null
+++ b/apps/dashboard/src/app/(main)/(protected)/projects/[projectId]/data-vault/stores/page.tsx
@@ -0,0 +1,16 @@
+import { Metadata } from "next";
+import PageClient from "./page-client";
+
+export const metadata: Metadata = {
+  title: "Data Vault Stores",
+};
+
+type Params = {
+  projectId: string,
+};
+
+export default async function Page({ params }: { params: Promise<Params> }) {
+  return (
+    <PageClient />
+  );
+}
diff --git a/apps/dashboard/src/app/(main)/(protected)/projects/[projectId]/sidebar-layout.tsx b/apps/dashboard/src/app/(main)/(protected)/projects/[projectId]/sidebar-layout.tsx
index 12964ee8d4..10833ffc55 100644
--- a/apps/dashboard/src/app/(main)/(protected)/projects/[projectId]/sidebar-layout.tsx
+++ b/apps/dashboard/src/app/(main)/(protected)/projects/[projectId]/sidebar-layout.tsx
@@ -40,7 +40,7 @@ import {
   SquarePen,
   User,
   Users,
-  Webhook,
+  Webhook
 } from "lucide-react";
 import { useTheme } from "next-themes";
 import { usePathname } from "next/navigation";
diff --git a/apps/dev-launchpad/public/index.html b/apps/dev-launchpad/public/index.html
index 62a58fb176..e7fe3ef537 100644
--- a/apps/dev-launchpad/public/index.html
+++ b/apps/dev-launchpad/public/index.html
@@ -110,11 +110,17 @@ <h2 style="margin-top: 64px;">Background services</h2>
       <li>
         4318: OTel collector
       </li>
+      <li>
+        8121: S3 mock
+      </li>
       <li>
         8122: Freestyle mock
       </li>
       <li>
-        8121: S3 mock
+        8124: LocalStack Gateway (AWS mock)
+      </li>
+      <li>
+        8150-8199: Reserved for LocalStack (external services)
       </li>
     </ul>
     <noscript>
diff --git a/apps/e2e/tests/backend/endpoints/api/v1/data-vault.test.ts b/apps/e2e/tests/backend/endpoints/api/v1/data-vault.test.ts
new file mode 100644
index 0000000000..efc37cf929
--- /dev/null
+++ b/apps/e2e/tests/backend/endpoints/api/v1/data-vault.test.ts
@@ -0,0 +1,435 @@
+import { it } from "../../../../helpers";
+import { Auth, Project, niceBackendFetch } from "../../../backend-helpers";
+
+async function createDataVaultEnabledProject() {
+  await Project.createAndSwitch({
+    config: {
+      magic_link_enabled: true,
+    }
+  });
+  // Configure data vault stores after project creation
+  await Project.updateConfig({
+    dataVault: {
+      stores: {
+        "test-store-1": { displayName: "Test Store 1" },
+        "test-store-update": { displayName: "Test Store Update" },
+        "test-store-404": { displayName: "Test Store 404" },
+        "store-1": { displayName: "Store 1" },
+        "store-2": { displayName: "Store 2" },
+        "multi-key-store": { displayName: "Multi Key Store" },
+        "auth-test-store": { displayName: "Auth Test Store" },
+      }
+    }
+  });
+}
+
+async function createDataVaultDisabledProject() {
+  await Project.createAndSwitch({
+    config: {
+      magic_link_enabled: true,
+    }
+  });
+  // Don't configure any data vault stores
+}
+
+function hashKey(key: string): string {
+  // we don't actually need to hash the key here, so let's keep it simple
+  return `hashed(${key})`;
+}
+
+it("can store and retrieve values from data vault", async ({ expect }: { expect: any }) => {
+  await createDataVaultEnabledProject();
+  await Auth.Otp.signIn();
+
+  const storeId = "test-store-1";
+  const key = "my-secret-key";
+  const hashedKey = hashKey(key);
+  const encryptedValue = "encrypted-secret-value-123";
+
+  // Store a value
+  const setResponse = await niceBackendFetch(`/api/latest/data-vault/stores/${storeId}/set`, {
+    method: "POST",
+    accessType: "server",
+    body: {
+      hashed_key: hashedKey,
+      encrypted_value: encryptedValue,
+    },
+  });
+
+  expect(setResponse.status).toBe(200);
+  expect(setResponse.body).toMatchObject({
+    success: true,
+  });
+
+  // Retrieve the value
+  const getResponse = await niceBackendFetch(`/api/latest/data-vault/stores/${storeId}/get`, {
+    method: "POST",
+    accessType: "server",
+    body: {
+      hashed_key: hashedKey,
+    },
+  });
+
+  expect(getResponse.status).toBe(200);
+  expect(getResponse.body).toMatchObject({
+    encrypted_value: encryptedValue,
+  });
+});
+
+it("can update existing values in data vault", async ({ expect }: { expect: any }) => {
+  await createDataVaultEnabledProject();
+  await Auth.Otp.signIn();
+
+  const storeId = "test-store-update";
+  const key = "update-key";
+  const hashedKey = hashKey(key);
+  const firstValue = "first-value";
+  const updatedValue = "updated-value";
+
+  // Store initial value
+  const firstSetResponse = await niceBackendFetch(`/api/latest/data-vault/stores/${storeId}/set`, {
+    method: "POST",
+    accessType: "server",
+    body: {
+      hashed_key: hashedKey,
+      encrypted_value: firstValue,
+    },
+  });
+
+  expect(firstSetResponse.status).toBe(200);
+  const firstId = firstSetResponse.body.id;
+
+  // Update the value
+  const updateResponse = await niceBackendFetch(`/api/latest/data-vault/stores/${storeId}/set`, {
+    method: "POST",
+    accessType: "server",
+    body: {
+      hashed_key: hashedKey,
+      encrypted_value: updatedValue,
+    },
+  });
+
+  expect(updateResponse.status).toBe(200);
+  // ID should remain the same when updating
+  expect(updateResponse.body.id).toBe(firstId);
+
+  // Verify the updated value
+  const getResponse = await niceBackendFetch(`/api/latest/data-vault/stores/${storeId}/get`, {
+    method: "POST",
+    accessType: "server",
+    body: {
+      hashed_key: hashedKey,
+    },
+  });
+
+  expect(getResponse).toMatchInlineSnapshot(`
+    NiceResponse {
+      "status": 200,
+      "body": { "encrypted_value": "updated-value" },
+      "headers": Headers { <some fields may have been hidden> },
+    }
+  `);
+});
+
+it("returns 400 when trying to get non-existent value", async ({ expect }: { expect: any }) => {
+  await createDataVaultEnabledProject();
+  await Auth.Otp.signIn();
+
+  const storeId = "test-store-404";
+  const hashedKey = hashKey("non-existent-key");
+
+  const getResponse = await niceBackendFetch(`/api/latest/data-vault/stores/${storeId}/get`, {
+    method: "POST",
+    accessType: "server",
+    body: {
+      hashed_key: hashedKey,
+    },
+  });
+
+  expect(getResponse).toMatchInlineSnapshot(`
+    NiceResponse {
+      "status": 400,
+      "body": {
+        "code": "DATA_VAULT_STORE_HASHED_KEY_DOES_NOT_EXIST",
+        "details": {
+          "hashed_key": "hashed(non-existent-key)",
+          "store_id": "test-store-404",
+        },
+        "error": "Data vault store with ID test-store-404 does not contain a key with hash hashed(non-existent-key).",
+      },
+      "headers": Headers {
+        "x-stack-known-error": "DATA_VAULT_STORE_HASHED_KEY_DOES_NOT_EXIST",
+        <some fields may have been hidden>,
+      },
+    }
+  `);
+});
+
+it("validates required fields", async ({ expect }: { expect: any }) => {
+  await createDataVaultEnabledProject();
+  await Auth.Otp.signIn();
+
+  // Test empty store ID (by using spaces which get trimmed)
+  const emptyStoreResponse = await niceBackendFetch(`/api/latest/data-vault/stores/${encodeURIComponent("  ")}/set`, {
+    method: "POST",
+    accessType: "server",
+    body: {
+      hashed_key: "valid-hash",
+      encrypted_value: "valid-value",
+    },
+  });
+
+  expect(emptyStoreResponse).toMatchInlineSnapshot(`
+    NiceResponse {
+      "status": 400,
+      "body": {
+        "code": "DATA_VAULT_STORE_DOES_NOT_EXIST",
+        "details": { "store_id": "  " },
+        "error": "Data vault store with ID    does not exist.",
+      },
+      "headers": Headers {
+        "x-stack-known-error": "DATA_VAULT_STORE_DOES_NOT_EXIST",
+        <some fields may have been hidden>,
+      },
+    }
+  `);
+
+  // Test empty hashed key
+  const emptyHashResponse = await niceBackendFetch(`/api/latest/data-vault/stores/valid-store/set`, {
+    method: "POST",
+    accessType: "server",
+    body: {
+      hashed_key: "",
+      encrypted_value: "valid-value",
+    },
+  });
+
+  expect(emptyHashResponse).toMatchInlineSnapshot(`
+    NiceResponse {
+      "status": 400,
+      "body": {
+        "code": "SCHEMA_ERROR",
+        "details": {
+          "message": deindent\`
+            Request validation failed on POST /api/latest/data-vault/stores/valid-store/set:
+              - body.hashed_key must not be empty
+          \`,
+        },
+        "error": deindent\`
+          Request validation failed on POST /api/latest/data-vault/stores/valid-store/set:
+            - body.hashed_key must not be empty
+        \`,
+      },
+      "headers": Headers {
+        "x-stack-known-error": "SCHEMA_ERROR",
+        <some fields may have been hidden>,
+      },
+    }
+  `);
+
+  // Test empty encrypted value
+  const emptyValueResponse = await niceBackendFetch(`/api/latest/data-vault/stores/test-store-1/set`, {
+    method: "POST",
+    accessType: "server",
+    body: {
+      hashed_key: "valid-hash",
+      encrypted_value: "",
+    },
+  });
+
+  expect(emptyValueResponse).toMatchInlineSnapshot(`
+    NiceResponse {
+      "status": 200,
+      "body": { "success": true },
+      "headers": Headers { <some fields may have been hidden> },
+    }
+  `);
+
+  // Test empty hashed key for get
+  const getEmptyHashResponse = await niceBackendFetch(`/api/latest/data-vault/stores/valid-store/get`, {
+    method: "POST",
+    accessType: "server",
+    body: {
+      hashed_key: "",
+    },
+  });
+
+  expect(getEmptyHashResponse).toMatchInlineSnapshot(`
+    NiceResponse {
+      "status": 400,
+      "body": {
+        "code": "SCHEMA_ERROR",
+        "details": {
+          "message": deindent\`
+            Request validation failed on POST /api/latest/data-vault/stores/valid-store/get:
+              - body.hashed_key must not be empty
+          \`,
+        },
+        "error": deindent\`
+          Request validation failed on POST /api/latest/data-vault/stores/valid-store/get:
+            - body.hashed_key must not be empty
+        \`,
+      },
+      "headers": Headers {
+        "x-stack-known-error": "SCHEMA_ERROR",
+        <some fields may have been hidden>,
+      },
+    }
+  `);
+});
+
+it("isolates data between different stores", async ({ expect }: { expect: any }) => {
+  await createDataVaultEnabledProject();
+  await Auth.Otp.signIn();
+
+  const key = "shared-key";
+  const hashedKey = hashKey(key);
+  const store1Id = "store-1";
+  const store2Id = "store-2";
+  const value1 = "value-for-store-1";
+  const value2 = "value-for-store-2";
+
+  // Set value in store 1
+  await niceBackendFetch(`/api/latest/data-vault/stores/${store1Id}/set`, {
+    method: "POST",
+    accessType: "server",
+    body: {
+      hashed_key: hashedKey,
+      encrypted_value: value1,
+    },
+  });
+
+  // Set value in store 2 with same key
+  await niceBackendFetch(`/api/latest/data-vault/stores/${store2Id}/set`, {
+    method: "POST",
+    accessType: "server",
+    body: {
+      hashed_key: hashedKey,
+      encrypted_value: value2,
+    },
+  });
+
+  // Get from store 1
+  const getStore1Response = await niceBackendFetch(`/api/latest/data-vault/stores/${store1Id}/get`, {
+    method: "POST",
+    accessType: "server",
+    body: {
+      hashed_key: hashedKey,
+    },
+  });
+
+  expect(getStore1Response.status).toBe(200);
+  expect(getStore1Response.body.encrypted_value).toBe(value1);
+
+  // Get from store 2
+  const getStore2Response = await niceBackendFetch(`/api/latest/data-vault/stores/${store2Id}/get`, {
+    method: "POST",
+    accessType: "server",
+    body: {
+      hashed_key: hashedKey,
+    },
+  });
+
+  expect(getStore2Response.status).toBe(200);
+  expect(getStore2Response.body.encrypted_value).toBe(value2);
+});
+
+it("handles multiple keys in the same store", async ({ expect }: { expect: any }) => {
+  await createDataVaultEnabledProject();
+  await Auth.Otp.signIn();
+
+  const storeId = "multi-key-store";
+  const key1 = "key-1";
+  const key2 = "key-2";
+  const hashedKey1 = hashKey(key1);
+  const hashedKey2 = hashKey(key2);
+  const value1 = "value-1";
+  const value2 = "value-2";
+
+  // Set first key-value pair
+  await niceBackendFetch(`/api/latest/data-vault/stores/${storeId}/set`, {
+    method: "POST",
+    accessType: "server",
+    body: {
+      hashed_key: hashedKey1,
+      encrypted_value: value1,
+    },
+  });
+
+  // Set second key-value pair
+  await niceBackendFetch(`/api/latest/data-vault/stores/${storeId}/set`, {
+    method: "POST",
+    accessType: "server",
+    body: {
+      hashed_key: hashedKey2,
+      encrypted_value: value2,
+    },
+  });
+
+  // Get first value
+  const getResponse1 = await niceBackendFetch(`/api/latest/data-vault/stores/${storeId}/get`, {
+    method: "POST",
+    accessType: "server",
+    body: {
+      hashed_key: hashedKey1,
+    },
+  });
+
+  expect(getResponse1.status).toBe(200);
+  expect(getResponse1.body.encrypted_value).toBe(value1);
+
+  // Get second value
+  const getResponse2 = await niceBackendFetch(`/api/latest/data-vault/stores/${storeId}/get`, {
+    method: "POST",
+    accessType: "server",
+    body: {
+      hashed_key: hashedKey2,
+    },
+  });
+
+  expect(getResponse2.status).toBe(200);
+  expect(getResponse2.body.encrypted_value).toBe(value2);
+});
+
+it("requires authentication", async ({ expect }: { expect: any }) => {
+  await createDataVaultEnabledProject();
+  // Don't sign in
+
+  const storeId = "auth-test-store";
+  const hashedKey = hashKey("test-key");
+
+  // Try to set without auth
+  const setResponse = await niceBackendFetch(`/api/latest/data-vault/stores/${storeId}/set`, {
+    method: "POST",
+    accessType: "server",
+    body: {
+      hashed_key: hashedKey,
+      encrypted_value: "test-value",
+    },
+  });
+
+  expect(setResponse).toMatchInlineSnapshot(`
+    NiceResponse {
+      "status": 200,
+      "body": { "success": true },
+      "headers": Headers { <some fields may have been hidden> },
+    }
+  `);
+
+  // Try to get without auth
+  const getResponse = await niceBackendFetch(`/api/latest/data-vault/stores/${storeId}/get`, {
+    method: "POST",
+    accessType: "server",
+    body: {
+      hashed_key: hashedKey,
+    },
+  });
+
+  expect(getResponse).toMatchInlineSnapshot(`
+    NiceResponse {
+      "status": 200,
+      "body": { "encrypted_value": "test-value" },
+      "headers": Headers { <some fields may have been hidden> },
+    }
+  `);
+});
diff --git a/apps/e2e/tests/backend/endpoints/api/v1/internal-metrics.test.ts b/apps/e2e/tests/backend/endpoints/api/v1/internal-metrics.test.ts
index 6744a4ba98..efc718c648 100644
--- a/apps/e2e/tests/backend/endpoints/api/v1/internal-metrics.test.ts
+++ b/apps/e2e/tests/backend/endpoints/api/v1/internal-metrics.test.ts
@@ -7,7 +7,7 @@ async function ensureAnonymousUsersAreStillExcluded(metricsResponse: NiceRespons
   for (let i = 0; i < 2; i++) {
     await Auth.Anonymous.signUp();
   }
-  await wait(1000);
+  await wait(2000); // the event log is async, so let's give it some time to be written to the DB
   const response = await niceBackendFetch("/api/v1/internal/metrics", { accessType: 'admin' });
   expect(response.body).toEqual(metricsResponse.body);
 }
@@ -125,7 +125,7 @@ it("should exclude anonymous users from metrics", async ({ expect }) => {
     await Auth.Anonymous.signUp();
   }
 
-  await wait(1000);  // the event log is async, so let's give it some time to be written to the DB
+  await wait(3000);  // the event log is async, so let's give it some time to be written to the DB
 
   const response = await niceBackendFetch("/api/v1/internal/metrics", { accessType: 'admin' });
   expect(beforeMetrics.body).toEqual(response.body);
diff --git a/apps/e2e/tests/js/data-vault.test.ts b/apps/e2e/tests/js/data-vault.test.ts
new file mode 100644
index 0000000000..cdf3a2d09e
--- /dev/null
+++ b/apps/e2e/tests/js/data-vault.test.ts
@@ -0,0 +1,290 @@
+import { StackServerApp } from '@stackframe/js';
+import { beforeAll, describe, expect } from 'vitest';
+import { it } from '../helpers';
+import { createApp } from './js-helpers';
+
+describe('Data Vault Server Functions', () => {
+  let serverApp: StackServerApp;
+  let projectId: string;
+  const testSecret = "test-secret";
+
+  beforeAll(async () => {
+    const { serverApp: app, adminApp } = await createApp();
+    const project = await adminApp.getProject();
+    await project.updateConfig({
+      [`dataVault.stores.test-store`]: {
+        displayName: 'Test Store',
+      },
+      [`dataVault.stores.api-keys`]: {
+        displayName: 'API Keys',
+      },
+    });
+
+    projectId = project.id;
+    serverApp = app;
+  }, 30_000);
+
+  describe('getDataVaultStore', () => {
+    it('should get a data vault store instance', async () => {
+      const vault = await serverApp.getDataVaultStore('test-store');
+      expect(vault).toBeDefined();
+      expect(vault).toHaveProperty('getValue');
+      expect(vault).toHaveProperty('setValue');
+    });
+
+    it.todo('should throw error for non-existent store', async () => {
+      // TODO: implement this
+      await expect(
+        serverApp.getDataVaultStore('non-existent-store')
+      ).rejects.toThrow();
+    });
+  });
+
+  describe('setValue and getValue', () => {
+    it('should store and retrieve a simple string value', async () => {
+      const vault = await serverApp.getDataVaultStore('test-store');
+      const key = `test-key-${Date.now()}`;
+      const value = 'test-value-123';
+
+      // Store the value
+      await vault.setValue(key, value, { secret: testSecret });
+
+      // Retrieve the value
+      const retrievedValue = await vault.getValue(key, { secret: testSecret });
+      expect(retrievedValue).toBe(value);
+    });
+
+    it('should store and retrieve JSON data', async () => {
+      const vault = await serverApp.getDataVaultStore('test-store');
+      const key = `json-key-${Date.now()}`;
+      const data = {
+        apiKey: 'sk_test_123456',
+        apiSecret: 'secret_789',
+        metadata: {
+          createdAt: new Date().toISOString(),
+          environment: 'test',
+        },
+      };
+      const value = JSON.stringify(data);
+
+      // Store the JSON
+      await vault.setValue(key, value, { secret: testSecret });
+
+      // Retrieve and parse the JSON
+      const retrievedValue = await vault.getValue(key, { secret: testSecret });
+      expect(retrievedValue).toBe(value);
+      expect(JSON.parse(retrievedValue!)).toEqual(data);
+    });
+
+    it('should return null for non-existent key', async () => {
+      const vault = await serverApp.getDataVaultStore('test-store');
+      const key = `non-existent-key-${Date.now()}`;
+
+      const value = await vault.getValue(key, { secret: testSecret });
+      expect(value).toBeNull();
+    });
+
+    it('should handle large values', async () => {
+      const vault = await serverApp.getDataVaultStore('test-store');
+      const key = `large-value-key-${Date.now()}`;
+      // Create a large string (1MB)
+      const largeValue = 'x'.repeat(1024 * 1024);
+
+      await vault.setValue(key, largeValue, { secret: testSecret });
+      const retrievedValue = await vault.getValue(key, { secret: testSecret });
+
+      expect(retrievedValue).toBe(largeValue);
+    });
+
+    it('should return null when using wrong secret', async () => {
+      const vault = await serverApp.getDataVaultStore('test-store');
+      const key = `wrong-secret-key-${Date.now()}`;
+      const value = 'sensitive-data';
+      const wrongSecret = 'wrong-secret';
+
+      // Store with correct secret
+      await vault.setValue(key, value, { secret: testSecret });
+
+      // Try to retrieve with wrong secret
+      const retrievedValue = await vault.getValue(key, { secret: wrongSecret });
+      expect(retrievedValue).toBeNull();
+    });
+
+    it('should isolate data between stores', async () => {
+      const vault1 = await serverApp.getDataVaultStore('test-store');
+      const vault2 = await serverApp.getDataVaultStore('api-keys');
+      const key = `shared-key-${Date.now()}`;
+      const value1 = 'value-in-store-1';
+      const value2 = 'value-in-store-2';
+
+      // Store different values with same key in different stores
+      await vault1.setValue(key, value1, { secret: testSecret });
+      await vault2.setValue(key, value2, { secret: testSecret });
+
+      // Retrieve from each store
+      const retrieved1 = await vault1.getValue(key, { secret: testSecret });
+      const retrieved2 = await vault2.getValue(key, { secret: testSecret });
+
+      expect(retrieved1).toBe(value1);
+      expect(retrieved2).toBe(value2);
+      expect(retrieved1).not.toBe(retrieved2);
+    });
+
+    it('should overwrite existing value', async () => {
+      const vault = await serverApp.getDataVaultStore('test-store');
+      const key = `overwrite-key-${Date.now()}`;
+      const originalValue = 'original-value';
+      const newValue = 'new-value';
+
+      // Store original value
+      await vault.setValue(key, originalValue, { secret: testSecret });
+      let retrieved = await vault.getValue(key, { secret: testSecret });
+      expect(retrieved).toBe(originalValue);
+
+      // Overwrite with new value
+      await vault.setValue(key, newValue, { secret: testSecret });
+      retrieved = await vault.getValue(key, { secret: testSecret });
+      expect(retrieved).toBe(newValue);
+    });
+  });
+
+  describe('Special characters and edge cases', () => {
+    it('should handle special characters in keys', async () => {
+      const vault = await serverApp.getDataVaultStore('test-store');
+      const specialKeys = [
+        `key-with-spaces ${Date.now()}`,
+        `key:with:colons:${Date.now()}`,
+        `key/with/slashes/${Date.now()}`,
+        `key.with.dots.${Date.now()}`,
+        `key_with_underscores_${Date.now()}`,
+        `key-with-unicode-😀-${Date.now()}`,
+      ];
+
+      for (const key of specialKeys) {
+        const value = `value-for-${key}`;
+        await vault.setValue(key, value, { secret: testSecret });
+        const retrieved = await vault.getValue(key, { secret: testSecret });
+        expect(retrieved).toBe(value);
+      }
+    });
+
+    it('should handle special characters in values', async () => {
+      const vault = await serverApp.getDataVaultStore('test-store');
+      const key = `special-value-key-${Date.now()}`;
+      const specialValues = [
+        'value with spaces',
+        'value\nwith\nnewlines',
+        'value\twith\ttabs',
+        'value with "quotes"',
+        "value with 'single quotes'",
+        'value with unicode: 🔐 🗝️ 🔒',
+        '{"json": "with special chars: \n\t\r"}',
+        '<html><body>HTML content</body></html>',
+      ];
+
+      for (const value of specialValues) {
+        const uniqueKey = `${key}-${specialValues.indexOf(value)}`;
+        await vault.setValue(uniqueKey, value, { secret: testSecret });
+        const retrieved = await vault.getValue(uniqueKey, { secret: testSecret });
+        expect(retrieved).toBe(value);
+      }
+    });
+
+    it('should handle empty string values', async () => {
+      const vault = await serverApp.getDataVaultStore('test-store');
+      const key = `empty-value-key-${Date.now()}`;
+
+      await vault.setValue(key, '', { secret: testSecret });
+      const retrieved = await vault.getValue(key, { secret: testSecret });
+      expect(retrieved).toBe('');
+    });
+
+    it('should handle very long keys', async () => {
+      const vault = await serverApp.getDataVaultStore('test-store');
+      // Create a 1000 character key
+      const longKey = 'k'.repeat(1000) + Date.now();
+      const value = 'value-for-long-key';
+
+      await vault.setValue(longKey, value, { secret: testSecret });
+      const retrieved = await vault.getValue(longKey, { secret: testSecret });
+      expect(retrieved).toBe(value);
+    });
+  });
+
+  describe('Secret validation', () => {
+    it('should require a secret', async () => {
+      const vault = await serverApp.getDataVaultStore('test-store');
+      const key = `no-secret-key-${Date.now()}`;
+
+      // @ts-expect-error - Testing missing secret
+      await expect(vault.setValue(key, 'value', {})).rejects.toThrow();
+
+      // @ts-expect-error - Testing missing secret
+      await expect(vault.getValue(key, {})).rejects.toThrow();
+    });
+
+    it('should work with different secret formats', async () => {
+      const vault = await serverApp.getDataVaultStore('test-store');
+      const secrets = [
+        'simple-string-secret',
+        '',
+        ' ∫√',
+        'a'.repeat(256), // Very long secret
+      ];
+
+      for (const secret of secrets) {
+        const key = `secret-format-key-${Date.now()}-${secrets.indexOf(secret)}`;
+        const value = `value-for-secret-${secrets.indexOf(secret)}`;
+
+        await vault.setValue(key, value, { secret });
+        const retrieved = await vault.getValue(key, { secret });
+        expect(retrieved).toBe(value);
+      }
+    });
+  });
+
+  describe('Concurrent operations', () => {
+    it('should handle concurrent writes to different keys', async () => {
+      const vault = await serverApp.getDataVaultStore('test-store');
+      const operations = [];
+
+      for (let i = 0; i < 10; i++) {
+        const key = `concurrent-key-${i}`;
+        const value = `concurrent-value-${i}`;
+        operations.push(vault.setValue(key, value, { secret: testSecret }));
+      }
+
+      await Promise.all(operations);
+
+      // Verify all values were stored correctly
+      for (let i = 0; i < 10; i++) {
+        const key = `concurrent-key-${i}`;
+        const expectedValue = `concurrent-value-${i}`;
+        const retrieved = await vault.getValue(key, { secret: testSecret });
+        expect(retrieved).toBe(expectedValue);
+      }
+    });
+
+    it('should handle concurrent reads', async () => {
+      const vault = await serverApp.getDataVaultStore('test-store');
+      const key = `concurrent-read-key`;
+      const value = 'concurrent-read-value';
+
+      // Store a value
+      await vault.setValue(key, value, { secret: testSecret });
+
+      // Perform concurrent reads
+      const readOperations = [];
+      for (let i = 0; i < 10; i++) {
+        readOperations.push(vault.getValue(key, { secret: testSecret }));
+      }
+
+      const results = await Promise.all(readOperations);
+
+      // All reads should return the same value
+      results.forEach(result => {
+        expect(result).toBe(value);
+      });
+    });
+  });
+});
diff --git a/docker/dependencies/docker.compose.yaml b/docker/dependencies/docker.compose.yaml
index 5b3112bf64..f50a99f11b 100644
--- a/docker/dependencies/docker.compose.yaml
+++ b/docker/dependencies/docker.compose.yaml
@@ -151,6 +151,21 @@ services:
       interval: 30s
       timeout: 10s
       retries: 3
+
+
+  # ================= LocalStack =================
+  localstack:
+    image: localstack/localstack:4.7
+    ports:
+      - "8124:4566"            # LocalStack Gateway
+      - "8150-8199:4510-4559"  # external services port range
+    environment:
+      # LocalStack configuration: https://docs.localstack.cloud/references/configuration/
+      - DEBUG=${DEBUG:-0}
+    volumes:
+      - localstack-data:/var/lib/localstack
+      - "/var/run/docker.sock:/var/run/docker.sock"
+
   # ================= Freestyle mock =================
 
   freestyle-mock:
@@ -185,6 +200,7 @@ volumes:
   svix-postgres-data:
   s3mock-data:
   deno-cache:
+  localstack-data:
 
 # ================= configs =================
 
diff --git a/packages/stack-shared/package.json b/packages/stack-shared/package.json
index 36c5397114..c161641162 100644
--- a/packages/stack-shared/package.json
+++ b/packages/stack-shared/package.json
@@ -53,6 +53,7 @@
     }
   },
   "dependencies": {
+    "@aws-sdk/client-kms": "^3.876.0",
     "@opentelemetry/api": "^1.9.0",
     "@simplewebauthn/browser": "^11.0.0",
     "async-mutex": "^0.5.0",
diff --git a/packages/stack-shared/src/config/schema.ts b/packages/stack-shared/src/config/schema.ts
index 4f46e1d5a3..50ef6db64f 100644
--- a/packages/stack-shared/src/config/schema.ts
+++ b/packages/stack-shared/src/config/schema.ts
@@ -165,6 +165,15 @@ export const branchConfigSchema = canNoLongerBeOverridden(projectConfigSchema, [
   }),
 
   payments: branchPaymentsSchema,
+
+  dataVault: yupObject({
+    stores: yupRecord(
+      yupString(),
+      yupObject({
+        displayName: yupString(),
+      }),
+    ),
+  }),
 }));
 
 
@@ -474,7 +483,13 @@ const organizationConfigDefaults = {
     items: (key: string) => ({
       displayName: key,
       customerType: "user",
-    } as const),
+    } as const)
+  },
+
+  dataVault: {
+    stores: (key: string) => ({
+      displayName: "Unnamed Vault",
+    }),
   },
 } as const satisfies DefaultsType<OrganizationRenderedConfigBeforeDefaults, [typeof environmentConfigDefaults, typeof branchConfigDefaults, typeof projectConfigDefaults]>;
 
diff --git a/packages/stack-shared/src/helpers/vault/client-side.ts b/packages/stack-shared/src/helpers/vault/client-side.ts
new file mode 100644
index 0000000000..e5c62e87d3
--- /dev/null
+++ b/packages/stack-shared/src/helpers/vault/client-side.ts
@@ -0,0 +1,89 @@
+import { decodeBase64, encodeBase64 } from "../../utils/bytes";
+import { decrypt, encrypt, hash, iteratedHash } from "../../utils/crypto";
+
+const hashPurpose = "stack-data-vault-client-side-encryption-key-hash";
+const encryptionSecretPurpose = "stack-data-vault-client-side-encryption-value-encryption-key-hash";
+const encryptionValuePurpose = "stack-data-vault-client-side-encryption-value-encryption-value-encryption";
+
+
+async function getDerivedKey(secret: string, key: string) {
+  return await iteratedHash({
+    purpose: encryptionSecretPurpose,
+    extra: secret,
+    value: key,
+    iterations: 100_000,
+  });
+}
+
+/**
+ * Use to hash the key so the server cannot infer it.
+ */
+export async function hashKey(secret: string, key: string) {
+  return encodeBase64(await hash({
+    purpose: hashPurpose,
+    extra: secret,
+    value: await getDerivedKey(secret, key),
+  }));
+}
+
+/**
+ * Use to encrypt the value so that the server cannot read the value without knowing the key.
+ */
+export async function encryptValue(secret: string, key: string, value: string) {
+  const valueEncryptionDerivedKey = await getDerivedKey(secret, key);
+
+  const bytes = await encrypt({
+    purpose: encryptionValuePurpose,
+    secret: valueEncryptionDerivedKey,
+    value: new TextEncoder().encode(value)
+  });
+  return encodeBase64(bytes);
+}
+
+/**
+ * Use to decrypt the value. See encryptValue.
+ */
+export async function decryptValue(secret: string, key: string, encryptedValue: string) {
+  const valueEncryptionDerivedKey = await getDerivedKey(secret, key);
+
+  const bytesResult = await decrypt({
+    purpose: encryptionValuePurpose,
+    secret: valueEncryptionDerivedKey,
+    cipher: decodeBase64(encryptedValue),
+  });
+  if (bytesResult.status === "error") throw new Error("Data vault client-side decryption failed. Are you sure you're using the correct secret?", { cause: bytesResult.error });
+  return new TextDecoder().decode(bytesResult.data);
+}
+
+
+import.meta.vitest?.describe("encryptValue & decryptValue", () => {
+  import.meta.vitest?.it("should encrypt and decrypt a value", async ({ expect }) => {
+    const secret = "test-secret";
+    const value = "test-value";
+    const encrypted = await encryptValue(secret, "key", value);
+    const decrypted = await decryptValue(secret, "key", encrypted);
+    expect(decrypted).toEqual(value);
+  });
+
+  import.meta.vitest?.it("should not decrypt a value with a different secret", async ({ expect }) => {
+    const secret = "test-secret";
+    const value = "test-value";
+    const encrypted = await encryptValue(secret, "key", value);
+    await expect(decryptValue("different-secret", "key", encrypted)).rejects.toThrow();
+  });
+
+  import.meta.vitest?.it("should not decrypt a value with a different key", async ({ expect }) => {
+    const secret = "test-secret";
+    const value = "test-value";
+    const encrypted = await encryptValue(secret, "key", value);
+    await expect(decryptValue(secret, "different-key", encrypted)).rejects.toThrow();
+  });
+
+  import.meta.vitest?.it("should not decrypt a value if the cipher was tampered with", async ({ expect }) => {
+    const secret = "test-secret";
+    const value = "test-value";
+    const encrypted = await encryptValue(secret, "key", value);
+    const tampered = encrypted + "7";
+    await expect(decryptValue(secret, "key", tampered)).rejects.toThrow();
+  });
+});
diff --git a/packages/stack-shared/src/helpers/vault/server-side.ts b/packages/stack-shared/src/helpers/vault/server-side.ts
new file mode 100644
index 0000000000..9185eecefe
--- /dev/null
+++ b/packages/stack-shared/src/helpers/vault/server-side.ts
@@ -0,0 +1,92 @@
+import {
+  CreateAliasCommand,
+  CreateKeyCommand,
+  DecryptCommand,
+  DescribeKeyCommand,
+  GenerateDataKeyCommand,
+  KMSClient
+} from "@aws-sdk/client-kms";
+import { decodeBase64, encodeBase64 } from "../../utils/bytes";
+import { decrypt, encrypt } from "../../utils/crypto";
+import { getEnvVariable } from "../../utils/env";
+import { Result } from "../../utils/results";
+
+function getKmsClient() {
+  return new KMSClient({
+    region: getEnvVariable("STACK_AWS_REGION"),
+    endpoint: getEnvVariable("STACK_AWS_KMS_ENDPOINT"),
+    credentials: {
+      accessKeyId: getEnvVariable("STACK_AWS_ACCESS_KEY_ID"),
+      secretAccessKey: getEnvVariable("STACK_AWS_SECRET_ACCESS_KEY")
+    }
+  });
+}
+
+async function getOrCreateKekId(): Promise<string> {
+  const id = "alias/stack-data-vault-server-side-kek";
+  const kms = getKmsClient();
+  try {
+    const describeResult = await kms.send(new DescribeKeyCommand({ KeyId: id }));
+    if (describeResult.KeyMetadata?.KeyId) return describeResult.KeyMetadata.KeyId;
+  } catch (e) {
+    if (e instanceof Error && e.name !== "NotFoundException") {
+      throw e;
+    }
+  }
+  const { KeyMetadata } = await kms.send(new CreateKeyCommand({
+    KeyUsage: "ENCRYPT_DECRYPT",
+    Description: "DataVault KEK"
+  }));
+  await kms.send(new CreateAliasCommand({ AliasName: id, TargetKeyId: KeyMetadata!.KeyId! }));
+  return id;
+}
+
+async function genDEK() {
+  const kekId = await getOrCreateKekId();
+  const kms = getKmsClient();
+  const out = await kms.send(new GenerateDataKeyCommand({ KeyId: kekId, KeySpec: "AES_256" }));
+  if (!out.Plaintext || !out.CiphertextBlob) throw new Error("GenerateDataKey failed");
+  return {
+    dekBytes: out.Plaintext,
+    edkBytes: out.CiphertextBlob,
+  };
+}
+
+async function unwrapDEK(edk_b64: string) {
+  const edkBytes = decodeBase64(edk_b64);
+  const kms = getKmsClient();
+  const out = await kms.send(new DecryptCommand({ CiphertextBlob: edkBytes }));
+  if (!out.Plaintext) throw new Error("KMS Decrypt failed");
+  return {
+    dekBytes: out.Plaintext,
+    edkBytes,
+  };
+}
+
+export async function encryptWithKms(value: string) {
+  const { dekBytes, edkBytes } = await genDEK();
+  try {
+    const ciphertext = await encrypt({
+      purpose: "stack-data-vault-server-side-encryption",
+      secret: dekBytes,
+      value: new TextEncoder().encode(value),
+    });
+    return { edkBase64: encodeBase64(edkBytes), ciphertextBase64: encodeBase64(ciphertext) };
+  } finally {
+    dekBytes.fill(0);
+  }
+}
+
+export async function decryptWithKms(encrypted: Awaited<ReturnType<typeof encryptWithKms>>) {
+  const { dekBytes } = await unwrapDEK(encrypted.edkBase64);
+  try {
+    const value = Result.orThrow(await decrypt({
+      purpose: "stack-data-vault-server-side-encryption",
+      secret: dekBytes,
+      cipher: decodeBase64(encrypted.ciphertextBase64),
+    }));
+    return new TextDecoder().decode(value);
+  } finally {
+    dekBytes.fill(0);
+  }
+}
diff --git a/packages/stack-shared/src/interface/server-interface.ts b/packages/stack-shared/src/interface/server-interface.ts
index 3ceaebb946..4f70954867 100644
--- a/packages/stack-shared/src/interface/server-interface.ts
+++ b/packages/stack-shared/src/interface/server-interface.ts
@@ -1,3 +1,4 @@
+import { decryptValue, encryptValue, hashKey } from "../helpers/vault/client-side";
 import { KnownErrors } from "../known-errors";
 import { AccessToken, InternalSession, RefreshToken } from "../sessions";
 import { StackAssertionError } from "../utils/errors";
@@ -872,4 +873,43 @@ export class StackServerInterface extends StackClientInterface {
       null
     );
   }
+
+  async getDataVaultStoreValue(secret: string, storeId: string, key: string) {
+    const hashedKey = await hashKey(secret, key);
+    const response = await this.sendServerRequestAndCatchKnownError(
+      `/data-vault/stores/${storeId}/get`,
+      {
+        method: "POST",
+        headers: { "content-type": "application/json" },
+        body: JSON.stringify({ hashed_key: hashedKey }),
+      },
+      null,
+      [KnownErrors.DataVaultStoreHashedKeyDoesNotExist] as const,
+    );
+    if (response.status === "error") {
+      if (KnownErrors.DataVaultStoreHashedKeyDoesNotExist.isInstance(response.error)) {
+        return null;
+      } else {
+        throw new StackAssertionError("Unexpected uncaught error", { cause: response.error });
+      }
+    }
+    const json = await response.data.json();
+    const encryptedValue = json.encrypted_value;
+    if (typeof encryptedValue !== "string") throw new StackAssertionError("encrypted_value is not a string", { type: typeof encryptedValue });
+    return await decryptValue(secret, key, encryptedValue);
+  }
+
+  async setDataVaultStoreValue(secret: string, storeId: string, key: string, value: string) {
+    const hashedKey = await hashKey(secret, key);
+    const encryptedValue = await encryptValue(secret, key, value);
+    await this.sendServerRequest(
+      `/data-vault/stores/${storeId}/set`,
+      {
+        method: "POST",
+        headers: { "content-type": "application/json" },
+        body: JSON.stringify({ hashed_key: hashedKey, encrypted_value: encryptedValue }),
+      },
+      null,
+    );
+  }
 }
diff --git a/packages/stack-shared/src/known-errors.tsx b/packages/stack-shared/src/known-errors.tsx
index 10c0a73c59..33ee05d529 100644
--- a/packages/stack-shared/src/known-errors.tsx
+++ b/packages/stack-shared/src/known-errors.tsx
@@ -710,6 +710,32 @@ const PasswordAuthenticationNotEnabled = createKnownErrorConstructor(
   () => [] as const,
 );
 
+const DataVaultStoreDoesNotExist = createKnownErrorConstructor(
+  KnownError,
+  "DATA_VAULT_STORE_DOES_NOT_EXIST",
+  (storeId: string) => [
+    400,
+    `Data vault store with ID ${storeId} does not exist.`,
+    {
+      store_id: storeId,
+    },
+  ] as const,
+  (json: any) => [json.store_id] as const,
+);
+
+const DataVaultStoreHashedKeyDoesNotExist = createKnownErrorConstructor(
+  KnownError,
+  "DATA_VAULT_STORE_HASHED_KEY_DOES_NOT_EXIST",
+  (storeId: string, hashedKey: string) => [
+    400,
+    `Data vault store with ID ${storeId} does not contain a key with hash ${hashedKey}.`,
+    {
+      store_id: storeId,
+      hashed_key: hashedKey,
+    },
+  ] as const,
+  (json: any) => [json.store_id, json.hashed_key] as const,
+);
 
 const PasskeyAuthenticationNotEnabled = createKnownErrorConstructor(
   KnownError,
@@ -1644,6 +1670,8 @@ export const KnownErrors = {
   OfferCustomerTypeDoesNotMatch,
   ItemQuantityInsufficientAmount,
   StripeAccountInfoNotFound,
+  DataVaultStoreDoesNotExist,
+  DataVaultStoreHashedKeyDoesNotExist,
 } satisfies Record<string, KnownErrorConstructor<any, any>>;
 
 
diff --git a/packages/stack-shared/src/utils/bytes.tsx b/packages/stack-shared/src/utils/bytes.tsx
index 4ab232aebd..89125e9c68 100644
--- a/packages/stack-shared/src/utils/bytes.tsx
+++ b/packages/stack-shared/src/utils/bytes.tsx
@@ -112,9 +112,7 @@ import.meta.vitest?.test("decodeBase32", ({ expect }) => {
 });
 
 export function encodeBase64(input: Uint8Array): string {
-  const res = btoa(String.fromCharCode(...input));
-
-  return res;
+  return btoa([...input].map((b) => String.fromCharCode(b)).join(""));
 }
 
 export function decodeBase64(input: string): Uint8Array {
@@ -126,17 +124,49 @@ import.meta.vitest?.test("encodeBase64/decodeBase64", ({ expect }) => {
     { input: new Uint8Array([0, 1, 2, 3, 4]), expected: "AAECAwQ=" },
     { input: new Uint8Array([255, 254, 253, 252]), expected: "//79/A==" },
     { input: new Uint8Array([]), expected: "" },
+    {
+      input: (() => {
+        // make sure huge inputs are supported; 48MB array of every possible triple-byte combination
+        const input = new Uint8Array(3 * (2 ** 24));
+        for (let i = 0; i < input.length / 3; i++) {
+          input[3 * i] = Math.floor(i / 256 / 256);
+          input[3 * i + 1] = Math.floor(i / 256) % 256;
+          input[3 * i + 2] = i % 256;
+        }
+        return input;
+      })(),
+      expected: (() => {
+        const base64Alphabet = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
+        const output = [];
+        for (let i = 0; i < 2 ** 24; i++) {
+          output.push(
+            base64Alphabet[Math.floor(i / 64 / 64 / 64)]
+              + base64Alphabet[Math.floor(i / 64 / 64) % 64]
+              + base64Alphabet[Math.floor(i / 64) % 64]
+              + base64Alphabet[i % 64]
+          );
+        }
+        return output.join("");
+      })(),
+    },
   ];
 
-  for (const { input, expected } of testCases) {
+  for (const [i, { input, expected }] of testCases.entries()) {
+    // expect(...) is pretty slow with long inputs, so we throw our own assertions
     const encoded = encodeBase64(input);
-    expect(encoded).toBe(expected);
+    if (encoded !== expected) {
+      throw new StackAssertionError(`encodeBase64 test case ${i} failed`);
+    }
     const decoded = decodeBase64(encoded);
-    expect(decoded).toEqual(input);
+    if (decoded.some((b, i) => b !== input[i])) {
+      throw new StackAssertionError(`decodeBase64 test case ${i} failed`);
+    }
   }
 
   // Test invalid input for decodeBase64
   expect(() => decodeBase64("invalid!")).toThrow();
+}, {
+  timeout: 30000,
 });
 
 export function encodeBase64Url(input: Uint8Array): string {
diff --git a/packages/stack-shared/src/utils/crypto.tsx b/packages/stack-shared/src/utils/crypto.tsx
index 2318a6d02e..2e7895605b 100644
--- a/packages/stack-shared/src/utils/crypto.tsx
+++ b/packages/stack-shared/src/utils/crypto.tsx
@@ -1,6 +1,7 @@
-import { encodeBase32 } from "./bytes";
+import { encodeBase32, encodeBase64 } from "./bytes";
 import { StackAssertionError } from "./errors";
 import { globalVar } from "./globals";
+import { Result } from "./results";
 
 export function generateRandomValues(array: Uint8Array): typeof array {
   if (!globalVar.crypto) {
@@ -23,3 +24,143 @@ export function generateSecureRandomString(minBitsOfEntropy: number = 224) {
   const str = encodeBase32(randomBytes);
   return str.slice(str.length - base32CharactersCount).toLowerCase();
 }
+
+async function getDerivedSymmetricKey(purpose: string, secret: string | Uint8Array, salt: Uint8Array) {
+  const originalSecretKey = await crypto.subtle.importKey("raw", typeof secret === "string" ? new TextEncoder().encode(secret) : secret, "HKDF", false, ["deriveKey"]);
+  return await crypto.subtle.deriveKey(
+    {
+      name: "HKDF",
+      salt,
+      hash: "SHA-256",
+      info: new TextEncoder().encode(JSON.stringify([
+        "stack-crypto-helper-derived-symmetric-key",
+        purpose,
+        typeof secret === "string" ? "string-key" : "binary-key",
+        encodeBase64(salt),
+      ])),
+    },
+    originalSecretKey,
+    { name: "AES-GCM", length: 256 },
+    false,
+    ["encrypt", "decrypt"]
+  );
+}
+
+export async function encrypt({ purpose, secret, value }: { purpose: string, secret: string | Uint8Array, value: Uint8Array }) {
+  const iv = crypto.getRandomValues(new Uint8Array(12));
+  const salt = crypto.getRandomValues(new Uint8Array(16));
+  const derivedSecretKey = await getDerivedSymmetricKey(purpose, secret, salt);
+
+  const cipher = await crypto.subtle.encrypt({
+    name: "AES-GCM",
+    iv,
+  }, derivedSecretKey, value);
+
+  const version = [0x01, 0x00];
+  return new Uint8Array([...version, ...salt, ...iv, ...new Uint8Array(cipher)]);
+}
+
+export async function decrypt({ purpose, secret, cipher }: { purpose: string, secret: string | Uint8Array, cipher: Uint8Array }) {
+  const version = cipher.slice(0, 2);
+  if (version[0] !== 0x01 || version[1] !== 0x00) throw new StackAssertionError("Invalid ciphertext version in decrypt(...); expected 0x0100", { purpose });
+  const salt = cipher.slice(2, 18);
+  const iv = cipher.slice(18, 30);
+  const cipherBytes = cipher.slice(30);
+  const derivedSecretKey = await getDerivedSymmetricKey(purpose, secret, salt);
+
+  try {
+    const plaintext = await crypto.subtle.decrypt({
+      name: "AES-GCM",
+      iv,
+    }, derivedSecretKey, cipherBytes);
+    return Result.ok(new Uint8Array(plaintext));
+  } catch (e) {
+    if (e instanceof DOMException && e.name === "OperationError") {
+      return Result.error(new Error("Invalid ciphertext or secret when decrypting encrypted value", { cause: e }));
+    }
+    throw e;
+  }
+}
+
+import.meta.vitest?.test("encrypt & decrypt", async ({ expect }) => {
+  const encryptAndDecrypt = async (encryptPurpose: string, decryptPurpose: string, encryptSecret: string | Uint8Array, decryptSecret: string | Uint8Array, value: Uint8Array) => {
+    const encrypted = await encrypt({ purpose: encryptPurpose, secret: encryptSecret, value });
+    const decrypted = await decrypt({ purpose: decryptPurpose, secret: decryptSecret, cipher: encrypted });
+    return decrypted;
+  };
+
+  const exampleBytes = new TextEncoder().encode("hello");
+
+  const exampleKey1 = crypto.getRandomValues(new Uint8Array(32));
+  const exampleKey2 = crypto.getRandomValues(new Uint8Array(32));
+
+  expect(await encryptAndDecrypt("p", "p", "secret", "secret", exampleBytes)).toEqual(Result.ok(exampleBytes));
+  expect(await encryptAndDecrypt("p", "p", exampleKey1, exampleKey1, exampleBytes)).toEqual(Result.ok(exampleBytes));
+  expect(await encryptAndDecrypt("p", "p", exampleKey1, "secret", exampleBytes)).toEqual(Result.error(expect.objectContaining({ message: "Invalid ciphertext or secret when decrypting encrypted value" })));
+  expect(await encryptAndDecrypt("p", "p", exampleKey1, exampleKey2, exampleBytes)).toEqual(Result.error(expect.objectContaining({ message: "Invalid ciphertext or secret when decrypting encrypted value" })));
+  expect(await encryptAndDecrypt("p", "not-p", exampleKey1, exampleKey1, exampleBytes)).toEqual(Result.error(expect.objectContaining({ message: "Invalid ciphertext or secret when decrypting encrypted value" })));
+});
+
+export type HashOptions = {
+  purpose: string,
+  salt?: string | Uint8Array,
+  extra?: string | Uint8Array,
+  value: string | Uint8Array,
+};
+
+export async function hash(options: HashOptions) {
+  return await iteratedHash({ ...options, iterations: 1 });
+}
+
+export async function iteratedHash(options: HashOptions & { iterations: number }) {
+  const stringOrUint8ArrayToUint8Array = (value: string | Uint8Array) => typeof value === "string" ? new TextEncoder().encode(value) : value;
+  const stringOrUint8ArrayToBase64 = (value: string | Uint8Array) => encodeBase64(stringOrUint8ArrayToUint8Array(value));
+  const input = await crypto.subtle.importKey(
+    "raw",
+    stringOrUint8ArrayToUint8Array(options.value),
+    "PBKDF2",
+    false,
+    ["deriveBits"]
+  );
+  return new Uint8Array(await crypto.subtle.deriveBits({
+    name: "PBKDF2",
+    salt: new TextEncoder().encode(JSON.stringify([
+      "stack-crypto-helper-iterated-hash",
+      options.purpose,
+      stringOrUint8ArrayToBase64(options.salt ?? ""),
+      stringOrUint8ArrayToBase64(options.extra ?? ""),
+    ])),
+    iterations: options.iterations,
+    hash: "SHA-256",
+  }, input, 256));
+}
+
+import.meta.vitest?.test("iteratedHash", async ({ expect }) => {
+  const valueBytes = new TextEncoder().encode("hello");
+  const incrementBytes = new Uint8Array([0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F, 0x10]);
+
+  const hash = await iteratedHash({ purpose: "purpose", value: valueBytes, iterations: 100_000 });
+  const hash2 = await iteratedHash({ purpose: "purpose", value: valueBytes, iterations: 100_000 });
+  const hashWithDifferentPurpose = await iteratedHash({ purpose: "different-purpose", value: valueBytes, iterations: 100_000 });
+  const hashWithEmptySalt = await iteratedHash({ purpose: "purpose", value: valueBytes, salt: new Uint8Array(0), iterations: 100_000 });
+  const hashWithDifferentSalt = await iteratedHash({ purpose: "purpose", value: valueBytes, salt: incrementBytes, iterations: 100_000 });
+  const hashWithEmptyExtra = await iteratedHash({ purpose: "purpose", value: valueBytes, extra: new Uint8Array(0), iterations: 100_000 });
+  const hashWithDifferentExtra = await iteratedHash({ purpose: "purpose", value: valueBytes, extra: incrementBytes, iterations: 100_000 });
+  const hashWithDifferentValue = await iteratedHash({ purpose: "purpose", value: new TextEncoder().encode("hello2"), iterations: 100_000 });
+  const hashWithDifferentSaltAndExtra = await iteratedHash({ purpose: "purpose", value: valueBytes, salt: incrementBytes, extra: incrementBytes, iterations: 100_000 });
+  const hashWithDifferentIterations = await iteratedHash({ purpose: "purpose", value: valueBytes, iterations: 100_001 });
+
+
+  expect(hash).toEqual(hash2);
+  expect(hash).not.toEqual(hashWithDifferentPurpose);
+  expect(hash).toEqual(hashWithEmptySalt);
+  expect(hash).not.toEqual(hashWithDifferentSalt);
+  expect(hash).toEqual(hashWithEmptyExtra);
+  expect(hash).not.toEqual(hashWithDifferentExtra);
+  expect(hash).not.toEqual(hashWithDifferentValue);
+  expect(hash).not.toEqual(hashWithDifferentIterations);
+
+  expect(hashWithDifferentSalt).not.toEqual(hashWithDifferentExtra);
+  expect(hashWithDifferentSalt).not.toEqual(hashWithDifferentSaltAndExtra);
+  expect(hashWithDifferentExtra).not.toEqual(hashWithDifferentSaltAndExtra);
+});
diff --git a/packages/template/src/lib/stack-app/apps/implementations/server-app-impl.ts b/packages/template/src/lib/stack-app/apps/implementations/server-app-impl.ts
index 2a7a790814..a33bfe72e1 100644
--- a/packages/template/src/lib/stack-app/apps/implementations/server-app-impl.ts
+++ b/packages/template/src/lib/stack-app/apps/implementations/server-app-impl.ts
@@ -23,6 +23,8 @@ import { ApiKey, ApiKeyCreationOptions, ApiKeyUpdateOptions, apiKeyCreationOptio
 import { GetUserOptions, HandlerUrls, OAuthScopesOnSignIn, TokenStoreInit } from "../../common";
 import { OAuthConnection } from "../../connected-accounts";
 import { ServerContactChannel, ServerContactChannelCreateOptions, ServerContactChannelUpdateOptions, serverContactChannelCreateOptionsToCrud, serverContactChannelUpdateOptionsToCrud } from "../../contact-channels";
+import { InlineOffer, ServerItem } from "../../customers";
+import { DataVaultStore } from "../../data-vault";
 import { SendEmailOptions } from "../../email";
 import { NotificationCategory } from "../../notification-categories";
 import { AdminProjectPermissionDefinition, AdminTeamPermission, AdminTeamPermissionDefinition } from "../../permissions";
@@ -31,11 +33,8 @@ import { ProjectCurrentServerUser, ServerUser, ServerUserCreateOptions, ServerUs
 import { StackServerAppConstructorOptions } from "../interfaces/server-app";
 import { _StackClientAppImplIncomplete } from "./client-app-impl";
 import { clientVersion, createCache, createCacheBySession, getBaseUrl, getDefaultProjectId, getDefaultPublishableClientKey, getDefaultSecretServerKey } from "./common";
-import { InlineOffer, ServerItem } from "../../customers";
 
-// IF_PLATFORM react-like
-import { useAsyncCache } from "./common";
-// END_PLATFORM
+import { useAsyncCache } from "./common"; // THIS_LINE_PLATFORM react-like
 
 export class _StackServerAppImplIncomplete<HasTokenStore extends boolean, ProjectId extends string> extends _StackClientAppImplIncomplete<HasTokenStore, ProjectId> {
   declare protected _interface: StackServerInterface;
@@ -130,6 +129,9 @@ export class _StackServerAppImplIncomplete<HasTokenStore extends boolean, Projec
       return await this._interface.listServerNotificationCategories(userId);
     }
   );
+  private readonly _serverDataVaultStoreValueCache = createCache<[string, string, string], string | null>(async ([storeId, key, secret]) => {
+    return await this._interface.getDataVaultStoreValue(secret, storeId, key);
+  });
 
   private readonly _serverUserApiKeysCache = createCache<[string], UserApiKeysCrud['Server']['Read'][]>(
     async ([userId]) => {
@@ -1081,6 +1083,39 @@ export class _StackServerAppImplIncomplete<HasTokenStore extends boolean, Projec
   }
   // END_PLATFORM
 
+  protected _createServerDataVaultStore(id: string): DataVaultStore {
+    const validateOptions = (options: { secret: string }) => {
+      if (typeof options.secret !== "string") throw new Error("secret must be a string, got " + typeof options.secret);
+    };
+    return {
+      id,
+      setValue: async (key, value, options) => {
+        validateOptions(options);
+        await this._interface.setDataVaultStoreValue(options.secret, id, key, value);
+      },
+      getValue: async (key, options) => {
+        validateOptions(options);
+        return Result.orThrow(await this._serverDataVaultStoreValueCache.getOrWait([id, key, options.secret], "write-only"));
+      },
+      // IF_PLATFORM react-like
+      useValue: (key, options) => {
+        validateOptions(options);
+        return useAsyncCache(this._serverDataVaultStoreValueCache, [id, key, options.secret] as const, `app.useDataVaultStoreValue()`);
+      },
+      // END_PLATFORM
+    };
+  }
+
+  async getDataVaultStore(id: string): Promise<DataVaultStore> {
+    return this._createServerDataVaultStore(id);
+  }
+
+  // IF_PLATFORM react-like
+  useDataVaultStore(id: string): DataVaultStore {
+    return useMemo(() => this._createServerDataVaultStore(id), [id]);
+  }
+  // END_PLATFORM
+
   async sendEmail(options: SendEmailOptions): Promise<Result<void, KnownErrors["RequiresCustomEmailServer"] | KnownErrors["SchemaError"] | KnownErrors["UserIdDoesNotExist"]>> {
     return await this._interface.sendEmail(options);
   }
diff --git a/packages/template/src/lib/stack-app/apps/interfaces/server-app.ts b/packages/template/src/lib/stack-app/apps/interfaces/server-app.ts
index 486c0714cc..ce9be05741 100644
--- a/packages/template/src/lib/stack-app/apps/interfaces/server-app.ts
+++ b/packages/template/src/lib/stack-app/apps/interfaces/server-app.ts
@@ -2,6 +2,7 @@ import { KnownErrors } from "@stackframe/stack-shared";
 import { Result } from "@stackframe/stack-shared/dist/utils/results";
 import { AsyncStoreProperty, GetUserOptions } from "../../common";
 import { ServerItem } from "../../customers";
+import { DataVaultStore } from "../../data-vault";
 import { SendEmailOptions } from "../../email";
 import { ServerListUsersOptions, ServerTeam, ServerTeamCreateOptions } from "../../teams";
 import { ProjectCurrentServerUser, ServerUser, ServerUserCreateOptions } from "../../users";
@@ -55,6 +56,7 @@ export type StackServerApp<HasTokenStore extends boolean = boolean, ProjectId ex
   & AsyncStoreProperty<"user", [id: string], ServerUser | null, false>
   & Omit<AsyncStoreProperty<"users", [], ServerUser[], true>, "listUsers" | "useUsers">
   & AsyncStoreProperty<"teams", [], ServerTeam[], true>
+  & AsyncStoreProperty<"dataVaultStore", [id: string], DataVaultStore, false>
   & AsyncStoreProperty<
     "item",
     [{ itemId: string, userId: string } | { itemId: string, teamId: string } | { itemId: string, customCustomerId: string }],
diff --git a/packages/template/src/lib/stack-app/data-vault/index.ts b/packages/template/src/lib/stack-app/data-vault/index.ts
new file mode 100644
index 0000000000..b274ce080f
--- /dev/null
+++ b/packages/template/src/lib/stack-app/data-vault/index.ts
@@ -0,0 +1,8 @@
+import { AsyncStoreProperty } from "../common";
+
+export type DataVaultStore =
+  & {
+    id: string,
+    setValue: (key: string, value: string, options: { secret: string }) => Promise<void>,
+  }
+ & AsyncStoreProperty<"value", [key: string, options: { secret: string }], string | null, false>;
diff --git a/pnpm-lock.yaml b/pnpm-lock.yaml
index eec957d7a5..98e0efa5da 100644
--- a/pnpm-lock.yaml
+++ b/pnpm-lock.yaml
@@ -179,7 +179,7 @@ importers:
         version: link:../../packages/stack-shared
       '@vercel/functions':
         specifier: ^2.0.0
-        version: 2.0.0(@aws-sdk/credential-provider-web-identity@3.864.0)
+        version: 2.0.0(@aws-sdk/credential-provider-web-identity@3.876.0)
       '@vercel/otel':
         specifier: ^1.10.4
         version: 1.10.4(@opentelemetry/api-logs@0.53.0)(@opentelemetry/api@1.9.0)(@opentelemetry/instrumentation@0.53.0(@opentelemetry/api@1.9.0))(@opentelemetry/resources@1.26.0(@opentelemetry/api@1.9.0))(@opentelemetry/sdk-logs@0.53.0(@opentelemetry/api@1.9.0))(@opentelemetry/sdk-metrics@1.26.0(@opentelemetry/api@1.9.0))(@opentelemetry/sdk-trace-base@1.26.0(@opentelemetry/api@1.9.0))
@@ -1446,6 +1446,9 @@ importers:
 
   packages/stack-shared:
     dependencies:
+      '@aws-sdk/client-kms':
+        specifier: ^3.876.0
+        version: 3.876.0
       '@opentelemetry/api':
         specifier: ^1.9.0
         version: 1.9.0
@@ -1931,6 +1934,10 @@ packages:
   '@aws-crypto/util@5.2.0':
     resolution: {integrity: sha512-4RkU9EsI6ZpBve5fseQlGNUWKMa1RLPQ1dnjnQoe07ldfIzcsGb5hC5W0Dm7u423KWzawlrpbjXBrXCEv9zazQ==}
 
+  '@aws-sdk/client-kms@3.876.0':
+    resolution: {integrity: sha512-BdOiGAtqH1A9u9IQ0QFwUQwyiDlUhCSzM9q4i3ljXk45tYwaAY3ezT07rvIm48AmdmzD/3OPHu2tMdaH2TurPA==}
+    engines: {node: '>=18.0.0'}
+
   '@aws-sdk/client-s3@3.864.0':
     resolution: {integrity: sha512-QGYi9bWliewxumsvbJLLyx9WC0a4DP4F+utygBcq0zwPxaM0xDfBspQvP1dsepi7mW5aAjZmJ2+Xb7X0EhzJ/g==}
     engines: {node: '>=18.0.0'}
@@ -1939,38 +1946,74 @@ packages:
     resolution: {integrity: sha512-THiOp0OpQROEKZ6IdDCDNNh3qnNn/kFFaTSOiugDpgcE5QdsOxh1/RXq7LmHpTJum3cmnFf8jG59PHcz9Tjnlw==}
     engines: {node: '>=18.0.0'}
 
+  '@aws-sdk/client-sso@3.876.0':
+    resolution: {integrity: sha512-Vf0PMF7HVpvllrfPODnBZmlz6kT/y2AvOt1RQG3+qD0VrHWzShc5nwgRZ+yyP3xkKVhZsQ3sJapfZTFnjqMOYA==}
+    engines: {node: '>=18.0.0'}
+
   '@aws-sdk/core@3.864.0':
     resolution: {integrity: sha512-LFUREbobleHEln+Zf7IG83lAZwvHZG0stI7UU0CtwyuhQy5Yx0rKksHNOCmlM7MpTEbSCfntEhYi3jUaY5e5lg==}
     engines: {node: '>=18.0.0'}
 
+  '@aws-sdk/core@3.876.0':
+    resolution: {integrity: sha512-sVFBFkdoPOPyY13NaXO1E/R9O5J6ixzHnnRbqrbXYM2QQgLNPTKIiRtmVEuVoFV9YULg+/aKm7caix8m468y9w==}
+    engines: {node: '>=18.0.0'}
+
   '@aws-sdk/credential-provider-env@3.864.0':
     resolution: {integrity: sha512-StJPOI2Rt8UE6lYjXUpg6tqSZaM72xg46ljPg8kIevtBAAfdtq9K20qT/kSliWGIBocMFAv0g2mC0hAa+ECyvg==}
     engines: {node: '>=18.0.0'}
 
+  '@aws-sdk/credential-provider-env@3.876.0':
+    resolution: {integrity: sha512-cof7lwp2AlrAfRs0pt4W2KMS2VMBvEmpcti1UOFfSJIqkn+cyJliMJ8LHg22GI+kUexjvxdAqSbf3M7OHvEW+w==}
+    engines: {node: '>=18.0.0'}
+
   '@aws-sdk/credential-provider-http@3.864.0':
     resolution: {integrity: sha512-E/RFVxGTuGnuD+9pFPH2j4l6HvrXzPhmpL8H8nOoJUosjx7d4v93GJMbbl1v/fkDLqW9qN4Jx2cI6PAjohA6OA==}
     engines: {node: '>=18.0.0'}
 
+  '@aws-sdk/credential-provider-http@3.876.0':
+    resolution: {integrity: sha512-wzmef2NBp2+X1l8D4Q8hx1G8oI3+WdvLdPev9VnVpRYZxYGRWVPl++wvCBsCn/ZL0mdWopPkhHA3kFexQhMzvg==}
+    engines: {node: '>=18.0.0'}
+
   '@aws-sdk/credential-provider-ini@3.864.0':
     resolution: {integrity: sha512-PlxrijguR1gxyPd5EYam6OfWLarj2MJGf07DvCx9MAuQkw77HBnsu6+XbV8fQriFuoJVTBLn9ROhMr/ROAYfUg==}
     engines: {node: '>=18.0.0'}
 
+  '@aws-sdk/credential-provider-ini@3.876.0':
+    resolution: {integrity: sha512-JHbW6fqnJsVjGHCyko7B0NVPT1nEAPxkM3CGjUcVGsHgJBkxOLVCMQqTRyHcDdeHR2qeojlLoOHRz97xIHQjYw==}
+    engines: {node: '>=18.0.0'}
+
   '@aws-sdk/credential-provider-node@3.864.0':
     resolution: {integrity: sha512-2BEymFeXURS+4jE9tP3vahPwbYRl0/1MVaFZcijj6pq+nf5EPGvkFillbdBRdc98ZI2NedZgSKu3gfZXgYdUhQ==}
     engines: {node: '>=18.0.0'}
 
+  '@aws-sdk/credential-provider-node@3.876.0':
+    resolution: {integrity: sha512-eHbNt1+Hi43e8ANnwf6toapLSxfMiyGq459y3Uh6i7NBOiWWKEsOVcgOfUC3RCoqeikxovt1tFM2cEElWUIOhg==}
+    engines: {node: '>=18.0.0'}
+
   '@aws-sdk/credential-provider-process@3.864.0':
     resolution: {integrity: sha512-Zxnn1hxhq7EOqXhVYgkF4rI9MnaO3+6bSg/tErnBQ3F8kDpA7CFU24G1YxwaJXp2X4aX3LwthefmSJHwcVP/2g==}
     engines: {node: '>=18.0.0'}
 
+  '@aws-sdk/credential-provider-process@3.876.0':
+    resolution: {integrity: sha512-SMX4OlHvspu3gF4hxe7WAnZFhxpiCye+WlBSVoWfW/i9XNhtrZS1JMr29MK34GlCTk9qO7FlRwds/Z5k7xPpHg==}
+    engines: {node: '>=18.0.0'}
+
   '@aws-sdk/credential-provider-sso@3.864.0':
     resolution: {integrity: sha512-UPyPNQbxDwHVGmgWdGg9/9yvzuedRQVF5jtMkmP565YX9pKZ8wYAcXhcYdNPWFvH0GYdB0crKOmvib+bmCuwkw==}
     engines: {node: '>=18.0.0'}
 
+  '@aws-sdk/credential-provider-sso@3.876.0':
+    resolution: {integrity: sha512-iP5dz9XqwePbgnh7Bdrq5e1319JpCRKLyomUfHH1XVeXkIHmwIJdmTj1Upeo1J8L/5cLHmhXAN6CTN11bLo8SA==}
+    engines: {node: '>=18.0.0'}
+
   '@aws-sdk/credential-provider-web-identity@3.864.0':
     resolution: {integrity: sha512-nNcjPN4SYg8drLwqK0vgVeSvxeGQiD0FxOaT38mV2H8cu0C5NzpvA+14Xy+W6vT84dxgmJYKk71Cr5QL2Oz+rA==}
     engines: {node: '>=18.0.0'}
 
+  '@aws-sdk/credential-provider-web-identity@3.876.0':
+    resolution: {integrity: sha512-q/XSCP1uae5aB9veM8zcm6Gqu6A4ckX9ZbhHgCzURXVJDwp+nINW1hM9vppMjGw3ND9Ibx/adR+KfTI0TDMzqw==}
+    engines: {node: '>=18.0.0'}
+
   '@aws-sdk/middleware-bucket-endpoint@3.862.0':
     resolution: {integrity: sha512-Wcsc7VPLjImQw+CP1/YkwyofMs9Ab6dVq96iS8p0zv0C6YTaMjvillkau4zFfrrrTshdzFWKptIFhKK8Zsei1g==}
     engines: {node: '>=18.0.0'}
@@ -1987,6 +2030,10 @@ packages:
     resolution: {integrity: sha512-jDje8dCFeFHfuCAxMDXBs8hy8q9NCTlyK4ThyyfAj3U4Pixly2mmzY2u7b7AyGhWsjJNx8uhTjlYq5zkQPQCYw==}
     engines: {node: '>=18.0.0'}
 
+  '@aws-sdk/middleware-host-header@3.873.0':
+    resolution: {integrity: sha512-KZ/W1uruWtMOs7D5j3KquOxzCnV79KQW9MjJFZM/M0l6KI8J6V3718MXxFHsTjUE4fpdV6SeCNLV1lwGygsjJA==}
+    engines: {node: '>=18.0.0'}
+
   '@aws-sdk/middleware-location-constraint@3.862.0':
     resolution: {integrity: sha512-MnwLxCw7Cc9OngEH3SHFhrLlDI9WVxaBkp3oTsdY9JE7v8OE38wQ9vtjaRsynjwu0WRtrctSHbpd7h/QVvtjyA==}
     engines: {node: '>=18.0.0'}
@@ -1995,10 +2042,18 @@ packages:
     resolution: {integrity: sha512-N/bXSJznNBR/i7Ofmf9+gM6dx/SPBK09ZWLKsW5iQjqKxAKn/2DozlnE54uiEs1saHZWoNDRg69Ww4XYYSlG1Q==}
     engines: {node: '>=18.0.0'}
 
+  '@aws-sdk/middleware-logger@3.876.0':
+    resolution: {integrity: sha512-cpWJhOuMSyz9oV25Z/CMHCBTgafDCbv7fHR80nlRrPdPZ8ETNsahwRgltXP1QJJ8r3X/c1kwpOR7tc+RabVzNA==}
+    engines: {node: '>=18.0.0'}
+
   '@aws-sdk/middleware-recursion-detection@3.862.0':
     resolution: {integrity: sha512-KVoo3IOzEkTq97YKM4uxZcYFSNnMkhW/qj22csofLegZi5fk90ztUnnaeKfaEJHfHp/tm1Y3uSoOXH45s++kKQ==}
     engines: {node: '>=18.0.0'}
 
+  '@aws-sdk/middleware-recursion-detection@3.873.0':
+    resolution: {integrity: sha512-OtgY8EXOzRdEWR//WfPkA/fXl0+WwE8hq0y9iw2caNyKPtca85dzrrZWnPqyBK/cpImosrpR1iKMYr41XshsCg==}
+    engines: {node: '>=18.0.0'}
+
   '@aws-sdk/middleware-sdk-s3@3.864.0':
     resolution: {integrity: sha512-GjYPZ6Xnqo17NnC8NIQyvvdzzO7dm+Ks7gpxD/HsbXPmV2aEfuFveJXneGW9e1BheSKFff6FPDWu8Gaj2Iu1yg==}
     engines: {node: '>=18.0.0'}
@@ -2011,14 +2066,26 @@ packages:
     resolution: {integrity: sha512-wrddonw4EyLNSNBrApzEhpSrDwJiNfjxDm5E+bn8n32BbAojXASH8W8jNpxz/jMgNkkJNxCfyqybGKzBX0OhbQ==}
     engines: {node: '>=18.0.0'}
 
+  '@aws-sdk/middleware-user-agent@3.876.0':
+    resolution: {integrity: sha512-FR+8INfnbNv32QDQ5szxkWX6mB/QgezfNyx8LnAh1ErISZMmEFBxXXir+ZOfuV8vsmal1a6cy9qmnMNDaNnaNQ==}
+    engines: {node: '>=18.0.0'}
+
   '@aws-sdk/nested-clients@3.864.0':
     resolution: {integrity: sha512-H1C+NjSmz2y8Tbgh7Yy89J20yD/hVyk15hNoZDbCYkXg0M358KS7KVIEYs8E2aPOCr1sK3HBE819D/yvdMgokA==}
     engines: {node: '>=18.0.0'}
 
+  '@aws-sdk/nested-clients@3.876.0':
+    resolution: {integrity: sha512-R4TZrkM2gUElTsotk8mt3y7iLG8TNi1LL1wgVdEEWSLOYTaFyglGdoNBMtEeP7lmXilaTy00AbYF6BakJvSTHg==}
+    engines: {node: '>=18.0.0'}
+
   '@aws-sdk/region-config-resolver@3.862.0':
     resolution: {integrity: sha512-VisR+/HuVFICrBPY+q9novEiE4b3mvDofWqyvmxHcWM7HumTz9ZQSuEtnlB/92GVM3KDUrR9EmBHNRrfXYZkcQ==}
     engines: {node: '>=18.0.0'}
 
+  '@aws-sdk/region-config-resolver@3.873.0':
+    resolution: {integrity: sha512-q9sPoef+BBG6PJnc4x60vK/bfVwvRWsPgcoQyIra057S/QGjq5VkjvNk6H8xedf6vnKlXNBwq9BaANBXnldUJg==}
+    engines: {node: '>=18.0.0'}
+
   '@aws-sdk/signature-v4-multi-region@3.864.0':
     resolution: {integrity: sha512-w2HIn/WIcUyv1bmyCpRUKHXB5KdFGzyxPkp/YK5g+/FuGdnFFYWGfcO8O+How4jwrZTarBYsAHW9ggoKvwr37w==}
     engines: {node: '>=18.0.0'}
@@ -2027,6 +2094,10 @@ packages:
     resolution: {integrity: sha512-gTc2QHOBo05SCwVA65dUtnJC6QERvFaPiuppGDSxoF7O5AQNK0UR/kMSenwLqN8b5E1oLYvQTv3C1idJLRX0cg==}
     engines: {node: '>=18.0.0'}
 
+  '@aws-sdk/token-providers@3.876.0':
+    resolution: {integrity: sha512-iU08kaQbhXnY0CC2TBcr7y/2PqPwZP2CTWX/Rbq0NvhOyteikfh7ASC+bRfLUp0XMSHKvSb+w2dh8a0lvx4oHg==}
+    engines: {node: '>=18.0.0'}
+
   '@aws-sdk/types@3.862.0':
     resolution: {integrity: sha512-Bei+RL0cDxxV+lW2UezLbCYYNeJm6Nzee0TpW0FfyTRBhH9C1XQh4+x+IClriXvgBnRquTMMYsmJfvx8iyLKrg==}
     engines: {node: '>=18.0.0'}
@@ -2039,6 +2110,10 @@ packages:
     resolution: {integrity: sha512-eCZuScdE9MWWkHGM2BJxm726MCmWk/dlHjOKvkM0sN1zxBellBMw5JohNss1Z8/TUmnW2gb9XHTOiHuGjOdksA==}
     engines: {node: '>=18.0.0'}
 
+  '@aws-sdk/util-endpoints@3.873.0':
+    resolution: {integrity: sha512-YByHrhjxYdjKRf/RQygRK1uh0As1FIi9+jXTcIEX/rBgN8mUByczr2u4QXBzw7ZdbdcOBMOkPnLRjNOWW1MkFg==}
+    engines: {node: '>=18.0.0'}
+
   '@aws-sdk/util-locate-window@3.804.0':
     resolution: {integrity: sha512-zVoRfpmBVPodYlnMjgVjfGoEZagyRF5IPn3Uo6ZvOZp24chnW/FRstH7ESDHDDRga4z3V+ElUQHKpFDXWyBW5A==}
     engines: {node: '>=18.0.0'}
@@ -2046,6 +2121,9 @@ packages:
   '@aws-sdk/util-user-agent-browser@3.862.0':
     resolution: {integrity: sha512-BmPTlm0r9/10MMr5ND9E92r8KMZbq5ltYXYpVcUbAsnB1RJ8ASJuRoLne5F7mB3YMx0FJoOTuSq7LdQM3LgW3Q==}
 
+  '@aws-sdk/util-user-agent-browser@3.873.0':
+    resolution: {integrity: sha512-AcRdbK6o19yehEcywI43blIBhOCSo6UgyWcuOJX5CFF8k39xm1ILCjQlRRjchLAxWrm0lU0Q7XV90RiMMFMZtA==}
+
   '@aws-sdk/util-user-agent-node@3.864.0':
     resolution: {integrity: sha512-d+FjUm2eJEpP+FRpVR3z6KzMdx1qwxEYDz8jzNKwxYLBBquaBaP/wfoMtMQKAcbrR7aT9FZVZF7zDgzNxUvQlQ==}
     engines: {node: '>=18.0.0'}
@@ -2055,10 +2133,23 @@ packages:
       aws-crt:
         optional: true
 
+  '@aws-sdk/util-user-agent-node@3.876.0':
+    resolution: {integrity: sha512-/ZIaeUt60JBdI0mNc7sZ8v3Tuzp8Pbe4gIAYnppGyF4KV8QA+Yu8tp2bGHfkKn150t1uvQ6P/4CwFfoGF34dzg==}
+    engines: {node: '>=18.0.0'}
+    peerDependencies:
+      aws-crt: '>=1.0.0'
+    peerDependenciesMeta:
+      aws-crt:
+        optional: true
+
   '@aws-sdk/xml-builder@3.862.0':
     resolution: {integrity: sha512-6Ed0kmC1NMbuFTEgNmamAUU1h5gShgxL1hBVLbEzUa3trX5aJBz1vU4bXaBTvOYUAnOHtiy1Ml4AMStd6hJnFA==}
     engines: {node: '>=18.0.0'}
 
+  '@aws-sdk/xml-builder@3.873.0':
+    resolution: {integrity: sha512-kLO7k7cGJ6KaHiExSJWojZurF7SnGMDHXRuQunFnEoD0n1yB6Lqy/S/zHiQ7oJnBhPr9q0TW9qFkrsZb1Uc54w==}
+    engines: {node: '>=18.0.0'}
+
   '@babel/code-frame@7.10.4':
     resolution: {integrity: sha512-vG6SvB6oYEhvgisZNFRmRCUkLz11c7rp+tbNTynGqc6mS1d5ATd/sGyV6W0KZZnXRKMTzZDRgQT3Ou9jhpAfUg==}
 
@@ -15772,6 +15863,50 @@ snapshots:
       '@smithy/util-utf8': 2.3.0
       tslib: 2.8.1
 
+  '@aws-sdk/client-kms@3.876.0':
+    dependencies:
+      '@aws-crypto/sha256-browser': 5.2.0
+      '@aws-crypto/sha256-js': 5.2.0
+      '@aws-sdk/core': 3.876.0
+      '@aws-sdk/credential-provider-node': 3.876.0
+      '@aws-sdk/middleware-host-header': 3.873.0
+      '@aws-sdk/middleware-logger': 3.876.0
+      '@aws-sdk/middleware-recursion-detection': 3.873.0
+      '@aws-sdk/middleware-user-agent': 3.876.0
+      '@aws-sdk/region-config-resolver': 3.873.0
+      '@aws-sdk/types': 3.862.0
+      '@aws-sdk/util-endpoints': 3.873.0
+      '@aws-sdk/util-user-agent-browser': 3.873.0
+      '@aws-sdk/util-user-agent-node': 3.876.0
+      '@smithy/config-resolver': 4.1.5
+      '@smithy/core': 3.8.0
+      '@smithy/fetch-http-handler': 5.1.1
+      '@smithy/hash-node': 4.0.5
+      '@smithy/invalid-dependency': 4.0.5
+      '@smithy/middleware-content-length': 4.0.5
+      '@smithy/middleware-endpoint': 4.1.18
+      '@smithy/middleware-retry': 4.1.19
+      '@smithy/middleware-serde': 4.0.9
+      '@smithy/middleware-stack': 4.0.5
+      '@smithy/node-config-provider': 4.1.4
+      '@smithy/node-http-handler': 4.1.1
+      '@smithy/protocol-http': 5.1.3
+      '@smithy/smithy-client': 4.4.10
+      '@smithy/types': 4.3.2
+      '@smithy/url-parser': 4.0.5
+      '@smithy/util-base64': 4.0.0
+      '@smithy/util-body-length-browser': 4.0.0
+      '@smithy/util-body-length-node': 4.0.0
+      '@smithy/util-defaults-mode-browser': 4.0.26
+      '@smithy/util-defaults-mode-node': 4.0.26
+      '@smithy/util-endpoints': 3.0.7
+      '@smithy/util-middleware': 4.0.5
+      '@smithy/util-retry': 4.0.7
+      '@smithy/util-utf8': 4.0.0
+      tslib: 2.8.1
+    transitivePeerDependencies:
+      - aws-crt
+
   '@aws-sdk/client-s3@3.864.0':
     dependencies:
       '@aws-crypto/sha1-browser': 5.2.0
@@ -15878,6 +16013,49 @@ snapshots:
     transitivePeerDependencies:
       - aws-crt
 
+  '@aws-sdk/client-sso@3.876.0':
+    dependencies:
+      '@aws-crypto/sha256-browser': 5.2.0
+      '@aws-crypto/sha256-js': 5.2.0
+      '@aws-sdk/core': 3.876.0
+      '@aws-sdk/middleware-host-header': 3.873.0
+      '@aws-sdk/middleware-logger': 3.876.0
+      '@aws-sdk/middleware-recursion-detection': 3.873.0
+      '@aws-sdk/middleware-user-agent': 3.876.0
+      '@aws-sdk/region-config-resolver': 3.873.0
+      '@aws-sdk/types': 3.862.0
+      '@aws-sdk/util-endpoints': 3.873.0
+      '@aws-sdk/util-user-agent-browser': 3.873.0
+      '@aws-sdk/util-user-agent-node': 3.876.0
+      '@smithy/config-resolver': 4.1.5
+      '@smithy/core': 3.8.0
+      '@smithy/fetch-http-handler': 5.1.1
+      '@smithy/hash-node': 4.0.5
+      '@smithy/invalid-dependency': 4.0.5
+      '@smithy/middleware-content-length': 4.0.5
+      '@smithy/middleware-endpoint': 4.1.18
+      '@smithy/middleware-retry': 4.1.19
+      '@smithy/middleware-serde': 4.0.9
+      '@smithy/middleware-stack': 4.0.5
+      '@smithy/node-config-provider': 4.1.4
+      '@smithy/node-http-handler': 4.1.1
+      '@smithy/protocol-http': 5.1.3
+      '@smithy/smithy-client': 4.4.10
+      '@smithy/types': 4.3.2
+      '@smithy/url-parser': 4.0.5
+      '@smithy/util-base64': 4.0.0
+      '@smithy/util-body-length-browser': 4.0.0
+      '@smithy/util-body-length-node': 4.0.0
+      '@smithy/util-defaults-mode-browser': 4.0.26
+      '@smithy/util-defaults-mode-node': 4.0.26
+      '@smithy/util-endpoints': 3.0.7
+      '@smithy/util-middleware': 4.0.5
+      '@smithy/util-retry': 4.0.7
+      '@smithy/util-utf8': 4.0.0
+      tslib: 2.8.1
+    transitivePeerDependencies:
+      - aws-crt
+
   '@aws-sdk/core@3.864.0':
     dependencies:
       '@aws-sdk/types': 3.862.0
@@ -15896,6 +16074,24 @@ snapshots:
       fast-xml-parser: 5.2.5
       tslib: 2.8.1
 
+  '@aws-sdk/core@3.876.0':
+    dependencies:
+      '@aws-sdk/types': 3.862.0
+      '@aws-sdk/xml-builder': 3.873.0
+      '@smithy/core': 3.8.0
+      '@smithy/node-config-provider': 4.1.4
+      '@smithy/property-provider': 4.0.5
+      '@smithy/protocol-http': 5.1.3
+      '@smithy/signature-v4': 5.1.3
+      '@smithy/smithy-client': 4.4.10
+      '@smithy/types': 4.3.2
+      '@smithy/util-base64': 4.0.0
+      '@smithy/util-body-length-browser': 4.0.0
+      '@smithy/util-middleware': 4.0.5
+      '@smithy/util-utf8': 4.0.0
+      fast-xml-parser: 5.2.5
+      tslib: 2.8.1
+
   '@aws-sdk/credential-provider-env@3.864.0':
     dependencies:
       '@aws-sdk/core': 3.864.0
@@ -15904,6 +16100,14 @@ snapshots:
       '@smithy/types': 4.3.2
       tslib: 2.8.1
 
+  '@aws-sdk/credential-provider-env@3.876.0':
+    dependencies:
+      '@aws-sdk/core': 3.876.0
+      '@aws-sdk/types': 3.862.0
+      '@smithy/property-provider': 4.0.5
+      '@smithy/types': 4.3.2
+      tslib: 2.8.1
+
   '@aws-sdk/credential-provider-http@3.864.0':
     dependencies:
       '@aws-sdk/core': 3.864.0
@@ -15917,6 +16121,19 @@ snapshots:
       '@smithy/util-stream': 4.2.4
       tslib: 2.8.1
 
+  '@aws-sdk/credential-provider-http@3.876.0':
+    dependencies:
+      '@aws-sdk/core': 3.876.0
+      '@aws-sdk/types': 3.862.0
+      '@smithy/fetch-http-handler': 5.1.1
+      '@smithy/node-http-handler': 4.1.1
+      '@smithy/property-provider': 4.0.5
+      '@smithy/protocol-http': 5.1.3
+      '@smithy/smithy-client': 4.4.10
+      '@smithy/types': 4.3.2
+      '@smithy/util-stream': 4.2.4
+      tslib: 2.8.1
+
   '@aws-sdk/credential-provider-ini@3.864.0':
     dependencies:
       '@aws-sdk/core': 3.864.0
@@ -15935,6 +16152,24 @@ snapshots:
     transitivePeerDependencies:
       - aws-crt
 
+  '@aws-sdk/credential-provider-ini@3.876.0':
+    dependencies:
+      '@aws-sdk/core': 3.876.0
+      '@aws-sdk/credential-provider-env': 3.876.0
+      '@aws-sdk/credential-provider-http': 3.876.0
+      '@aws-sdk/credential-provider-process': 3.876.0
+      '@aws-sdk/credential-provider-sso': 3.876.0
+      '@aws-sdk/credential-provider-web-identity': 3.876.0
+      '@aws-sdk/nested-clients': 3.876.0
+      '@aws-sdk/types': 3.862.0
+      '@smithy/credential-provider-imds': 4.0.7
+      '@smithy/property-provider': 4.0.5
+      '@smithy/shared-ini-file-loader': 4.0.5
+      '@smithy/types': 4.3.2
+      tslib: 2.8.1
+    transitivePeerDependencies:
+      - aws-crt
+
   '@aws-sdk/credential-provider-node@3.864.0':
     dependencies:
       '@aws-sdk/credential-provider-env': 3.864.0
@@ -15952,6 +16187,23 @@ snapshots:
     transitivePeerDependencies:
       - aws-crt
 
+  '@aws-sdk/credential-provider-node@3.876.0':
+    dependencies:
+      '@aws-sdk/credential-provider-env': 3.876.0
+      '@aws-sdk/credential-provider-http': 3.876.0
+      '@aws-sdk/credential-provider-ini': 3.876.0
+      '@aws-sdk/credential-provider-process': 3.876.0
+      '@aws-sdk/credential-provider-sso': 3.876.0
+      '@aws-sdk/credential-provider-web-identity': 3.876.0
+      '@aws-sdk/types': 3.862.0
+      '@smithy/credential-provider-imds': 4.0.7
+      '@smithy/property-provider': 4.0.5
+      '@smithy/shared-ini-file-loader': 4.0.5
+      '@smithy/types': 4.3.2
+      tslib: 2.8.1
+    transitivePeerDependencies:
+      - aws-crt
+
   '@aws-sdk/credential-provider-process@3.864.0':
     dependencies:
       '@aws-sdk/core': 3.864.0
@@ -15961,6 +16213,15 @@ snapshots:
       '@smithy/types': 4.3.2
       tslib: 2.8.1
 
+  '@aws-sdk/credential-provider-process@3.876.0':
+    dependencies:
+      '@aws-sdk/core': 3.876.0
+      '@aws-sdk/types': 3.862.0
+      '@smithy/property-provider': 4.0.5
+      '@smithy/shared-ini-file-loader': 4.0.5
+      '@smithy/types': 4.3.2
+      tslib: 2.8.1
+
   '@aws-sdk/credential-provider-sso@3.864.0':
     dependencies:
       '@aws-sdk/client-sso': 3.864.0
@@ -15974,6 +16235,19 @@ snapshots:
     transitivePeerDependencies:
       - aws-crt
 
+  '@aws-sdk/credential-provider-sso@3.876.0':
+    dependencies:
+      '@aws-sdk/client-sso': 3.876.0
+      '@aws-sdk/core': 3.876.0
+      '@aws-sdk/token-providers': 3.876.0
+      '@aws-sdk/types': 3.862.0
+      '@smithy/property-provider': 4.0.5
+      '@smithy/shared-ini-file-loader': 4.0.5
+      '@smithy/types': 4.3.2
+      tslib: 2.8.1
+    transitivePeerDependencies:
+      - aws-crt
+
   '@aws-sdk/credential-provider-web-identity@3.864.0':
     dependencies:
       '@aws-sdk/core': 3.864.0
@@ -15985,6 +16259,17 @@ snapshots:
     transitivePeerDependencies:
       - aws-crt
 
+  '@aws-sdk/credential-provider-web-identity@3.876.0':
+    dependencies:
+      '@aws-sdk/core': 3.876.0
+      '@aws-sdk/nested-clients': 3.876.0
+      '@aws-sdk/types': 3.862.0
+      '@smithy/property-provider': 4.0.5
+      '@smithy/types': 4.3.2
+      tslib: 2.8.1
+    transitivePeerDependencies:
+      - aws-crt
+
   '@aws-sdk/middleware-bucket-endpoint@3.862.0':
     dependencies:
       '@aws-sdk/types': 3.862.0
@@ -16025,6 +16310,13 @@ snapshots:
       '@smithy/types': 4.3.2
       tslib: 2.8.1
 
+  '@aws-sdk/middleware-host-header@3.873.0':
+    dependencies:
+      '@aws-sdk/types': 3.862.0
+      '@smithy/protocol-http': 5.1.3
+      '@smithy/types': 4.3.2
+      tslib: 2.8.1
+
   '@aws-sdk/middleware-location-constraint@3.862.0':
     dependencies:
       '@aws-sdk/types': 3.862.0
@@ -16037,6 +16329,12 @@ snapshots:
       '@smithy/types': 4.3.2
       tslib: 2.8.1
 
+  '@aws-sdk/middleware-logger@3.876.0':
+    dependencies:
+      '@aws-sdk/types': 3.862.0
+      '@smithy/types': 4.3.2
+      tslib: 2.8.1
+
   '@aws-sdk/middleware-recursion-detection@3.862.0':
     dependencies:
       '@aws-sdk/types': 3.862.0
@@ -16044,6 +16342,13 @@ snapshots:
       '@smithy/types': 4.3.2
       tslib: 2.8.1
 
+  '@aws-sdk/middleware-recursion-detection@3.873.0':
+    dependencies:
+      '@aws-sdk/types': 3.862.0
+      '@smithy/protocol-http': 5.1.3
+      '@smithy/types': 4.3.2
+      tslib: 2.8.1
+
   '@aws-sdk/middleware-sdk-s3@3.864.0':
     dependencies:
       '@aws-sdk/core': 3.864.0
@@ -16077,6 +16382,16 @@ snapshots:
       '@smithy/types': 4.3.2
       tslib: 2.8.1
 
+  '@aws-sdk/middleware-user-agent@3.876.0':
+    dependencies:
+      '@aws-sdk/core': 3.876.0
+      '@aws-sdk/types': 3.862.0
+      '@aws-sdk/util-endpoints': 3.873.0
+      '@smithy/core': 3.8.0
+      '@smithy/protocol-http': 5.1.3
+      '@smithy/types': 4.3.2
+      tslib: 2.8.1
+
   '@aws-sdk/nested-clients@3.864.0':
     dependencies:
       '@aws-crypto/sha256-browser': 5.2.0
@@ -16120,6 +16435,49 @@ snapshots:
     transitivePeerDependencies:
       - aws-crt
 
+  '@aws-sdk/nested-clients@3.876.0':
+    dependencies:
+      '@aws-crypto/sha256-browser': 5.2.0
+      '@aws-crypto/sha256-js': 5.2.0
+      '@aws-sdk/core': 3.876.0
+      '@aws-sdk/middleware-host-header': 3.873.0
+      '@aws-sdk/middleware-logger': 3.876.0
+      '@aws-sdk/middleware-recursion-detection': 3.873.0
+      '@aws-sdk/middleware-user-agent': 3.876.0
+      '@aws-sdk/region-config-resolver': 3.873.0
+      '@aws-sdk/types': 3.862.0
+      '@aws-sdk/util-endpoints': 3.873.0
+      '@aws-sdk/util-user-agent-browser': 3.873.0
+      '@aws-sdk/util-user-agent-node': 3.876.0
+      '@smithy/config-resolver': 4.1.5
+      '@smithy/core': 3.8.0
+      '@smithy/fetch-http-handler': 5.1.1
+      '@smithy/hash-node': 4.0.5
+      '@smithy/invalid-dependency': 4.0.5
+      '@smithy/middleware-content-length': 4.0.5
+      '@smithy/middleware-endpoint': 4.1.18
+      '@smithy/middleware-retry': 4.1.19
+      '@smithy/middleware-serde': 4.0.9
+      '@smithy/middleware-stack': 4.0.5
+      '@smithy/node-config-provider': 4.1.4
+      '@smithy/node-http-handler': 4.1.1
+      '@smithy/protocol-http': 5.1.3
+      '@smithy/smithy-client': 4.4.10
+      '@smithy/types': 4.3.2
+      '@smithy/url-parser': 4.0.5
+      '@smithy/util-base64': 4.0.0
+      '@smithy/util-body-length-browser': 4.0.0
+      '@smithy/util-body-length-node': 4.0.0
+      '@smithy/util-defaults-mode-browser': 4.0.26
+      '@smithy/util-defaults-mode-node': 4.0.26
+      '@smithy/util-endpoints': 3.0.7
+      '@smithy/util-middleware': 4.0.5
+      '@smithy/util-retry': 4.0.7
+      '@smithy/util-utf8': 4.0.0
+      tslib: 2.8.1
+    transitivePeerDependencies:
+      - aws-crt
+
   '@aws-sdk/region-config-resolver@3.862.0':
     dependencies:
       '@aws-sdk/types': 3.862.0
@@ -16129,6 +16487,15 @@ snapshots:
       '@smithy/util-middleware': 4.0.5
       tslib: 2.8.1
 
+  '@aws-sdk/region-config-resolver@3.873.0':
+    dependencies:
+      '@aws-sdk/types': 3.862.0
+      '@smithy/node-config-provider': 4.1.4
+      '@smithy/types': 4.3.2
+      '@smithy/util-config-provider': 4.0.0
+      '@smithy/util-middleware': 4.0.5
+      tslib: 2.8.1
+
   '@aws-sdk/signature-v4-multi-region@3.864.0':
     dependencies:
       '@aws-sdk/middleware-sdk-s3': 3.864.0
@@ -16150,6 +16517,18 @@ snapshots:
     transitivePeerDependencies:
       - aws-crt
 
+  '@aws-sdk/token-providers@3.876.0':
+    dependencies:
+      '@aws-sdk/core': 3.876.0
+      '@aws-sdk/nested-clients': 3.876.0
+      '@aws-sdk/types': 3.862.0
+      '@smithy/property-provider': 4.0.5
+      '@smithy/shared-ini-file-loader': 4.0.5
+      '@smithy/types': 4.3.2
+      tslib: 2.8.1
+    transitivePeerDependencies:
+      - aws-crt
+
   '@aws-sdk/types@3.862.0':
     dependencies:
       '@smithy/types': 4.3.2
@@ -16167,6 +16546,14 @@ snapshots:
       '@smithy/util-endpoints': 3.0.7
       tslib: 2.8.1
 
+  '@aws-sdk/util-endpoints@3.873.0':
+    dependencies:
+      '@aws-sdk/types': 3.862.0
+      '@smithy/types': 4.3.2
+      '@smithy/url-parser': 4.0.5
+      '@smithy/util-endpoints': 3.0.7
+      tslib: 2.8.1
+
   '@aws-sdk/util-locate-window@3.804.0':
     dependencies:
       tslib: 2.8.1
@@ -16178,6 +16565,13 @@ snapshots:
       bowser: 2.11.0
       tslib: 2.8.1
 
+  '@aws-sdk/util-user-agent-browser@3.873.0':
+    dependencies:
+      '@aws-sdk/types': 3.862.0
+      '@smithy/types': 4.3.2
+      bowser: 2.11.0
+      tslib: 2.8.1
+
   '@aws-sdk/util-user-agent-node@3.864.0':
     dependencies:
       '@aws-sdk/middleware-user-agent': 3.864.0
@@ -16186,11 +16580,24 @@ snapshots:
       '@smithy/types': 4.3.2
       tslib: 2.8.1
 
+  '@aws-sdk/util-user-agent-node@3.876.0':
+    dependencies:
+      '@aws-sdk/middleware-user-agent': 3.876.0
+      '@aws-sdk/types': 3.862.0
+      '@smithy/node-config-provider': 4.1.4
+      '@smithy/types': 4.3.2
+      tslib: 2.8.1
+
   '@aws-sdk/xml-builder@3.862.0':
     dependencies:
       '@smithy/types': 4.3.2
       tslib: 2.8.1
 
+  '@aws-sdk/xml-builder@3.873.0':
+    dependencies:
+      '@smithy/types': 4.3.2
+      tslib: 2.8.1
+
   '@babel/code-frame@7.10.4':
     dependencies:
       '@babel/highlight': 7.25.9
@@ -23151,9 +23558,9 @@ snapshots:
       next: 15.4.1(@babel/core@7.26.0)(@opentelemetry/api@1.9.0)(react-dom@19.0.0(react@19.0.0))(react@19.0.0)
       react: 19.0.0
 
-  '@vercel/functions@2.0.0(@aws-sdk/credential-provider-web-identity@3.864.0)':
+  '@vercel/functions@2.0.0(@aws-sdk/credential-provider-web-identity@3.876.0)':
     optionalDependencies:
-      '@aws-sdk/credential-provider-web-identity': 3.864.0
+      '@aws-sdk/credential-provider-web-identity': 3.876.0
 
   '@vercel/mcp-adapter@1.0.0(@modelcontextprotocol/sdk@1.17.2)(next@15.4.1(@babel/core@7.26.0)(@opentelemetry/api@1.9.0)(react-dom@18.3.1(react@18.3.1))(react@18.3.1))':
     dependencies: