Security

The browser extension

Autofill for stored logins — and a store-signed client that answers "can I trust the JavaScript?"

Updated 2026-07-11

The TimeLock extension (Chrome, Firefox, Edge — Manifest V3) does two jobs.

Autofill

It matches the page you're on against your stored logins and fills username and password (and shows the TOTP code if the login has a seed). Same account, same API, same two-stage unlock as the web vault.

A hardened, signed client

Any web-delivered encrypted app has one inherent weakness: you trust the JavaScript the server sends on every page load. The extension closes most of that gap — it's packaged and signed through the browser web stores, so its code is fixed at review time and cannot be swapped per-request by a server. If you want the strongest assurance TimeLock offers today, use the extension.

Key handling

Decryption keys exist only in the extension's service-worker memory. They're dropped on auto-lock and never persisted to disk.

Roadmap

Signed desktop clients, self-hosting, and a React Native mobile app are planned. We'll publish build hashes and reproducible-build instructions for each client as it ships.

Ready for a vault that can't be read — even by us?

Start a free trial today. Your master password never leaves your browser, and any secret can be locked to a schedule.