Jun 22, 2026

When the Client Leaves: Exporting a Credential Handover Document from Weavestream

Client offboarding is one of the messiest moments in MSP operations. Weavestream's password vault PDF export generates a complete, server-side credential document in seconds — useful for handovers, audits, and offline archival.

Client offboarding is one of the least-documented processes in most MSP operations. The client gives notice, a final invoice goes out, and then someone has to collect every credential your team has been managing — firewalls, servers, Microsoft 365, backup consoles, domain registrars, DNS hosts, cloud portals — and hand it back in a form the client can actually use. It’s a high-stakes task that usually happens under time pressure, with no formal process, and significant room for things to go wrong.

The most common approach is some variation of: open the password manager, go through client by client, copy credentials into a spreadsheet or a Word doc, email it over or share via a temporary link. It works, technically. But it’s manual, it’s error-prone, and the output is unstructured enough that the receiving party often has questions about what’s included, what’s missing, and whether the document is complete.

Weavestream has a direct answer to this: a one-click PDF export of an entire client’s credential vault.


What the Export Actually Does

From the vault workflow for any company in Weavestream, admin users can trigger a PDF export that generates a document covering every credential record in that tenant’s vault. The export is produced server-side and downloaded immediately — no queuing, no email delivery, no cloud intermediary.

The output is a structured document that captures each credential record with its associated fields: name, username, URL, notes, and expiry date. TOTP secrets and password ciphertext are handled with appropriate care — the document is a handover artifact, not a raw key dump.

This matters for a few reasons that go beyond the obvious convenience.

The document is generated from the live vault. It reflects the current state of every credential at the moment you run the export, not a stale snapshot from a backup or a manual copy-paste session. If a password was rotated two days before the client left, the export has the current version.

The export happens on your server. Because Weavestream is self-hosted, the PDF is assembled and served entirely within your infrastructure. There’s no third-party service that touches the credential data during export. For MSPs with data handling obligations — or clients in regulated industries who ask where their data goes — this is the correct answer.

It’s repeatable. Running the export twice gives you two identical documents, not two documents that diverge because someone forgot to include an entry the second time around.


Three Practical Uses

Client Offboarding Handover

The immediate use case is the one that drives most interest: when a client contract ends, you need to return everything. A vault export gives you a clean, complete document of every credential your team has been holding. You can review it before sending, redact anything your contract says you shouldn’t hand back, and deliver it as a PDF rather than a spreadsheet that might get reformatted in transit.

It also closes a common gap in offboarding: the question of whether the handover was complete. A full vault export is auditable. You can document that the export was run on a specific date, who ran it, and what was delivered. The audit log in Weavestream records the export event alongside all other credential activity, so the handover is part of the same tamper-resistant record as every other action taken on that client’s vault.

Audit Evidence

For MSPs pursuing compliance certifications — SOC 2, ISO 27001, Cyber Essentials — auditors frequently ask about how you handle client credentials. The question isn’t usually “show me all the passwords.” It’s “demonstrate that you have a documented process for managing and controlling access to client credentials.”

A vault export, combined with Weavestream’s reveal audit trail (which logs every decryption event with actor, timestamp, and IP), gives you two pieces of evidence: the inventory of what was managed, and the record of how it was accessed. The PDF covers the former; the audit log covers the latter.

Neither proves your process is perfect, but both demonstrate that a process exists, that it’s documented, and that you can produce evidence of it.

Offline Archival

There’s a third use case that’s less about compliance and more about resilience: keeping a copy of a client’s credentials somewhere that isn’t dependent on your Weavestream instance being up.

Most of the time, this doesn’t matter. Your Weavestream deployment is backed up, the data is there when you need it, and the vault is accessible. But if you’ve ever been in a situation where a self-hosted service was down at the exact moment you needed it — during an incident, during a migration, after a bad update — the value of having a recent PDF in your secure offline archive becomes obvious.

An encrypted PDF stored in a secure, access-controlled location isn’t a replacement for a properly maintained vault. It’s a fallback. For critical clients, exporting and archiving a credential snapshot on a quarterly basis is a low-effort way to reduce your exposure to that scenario.


The Rest of the Vault

The PDF export is one feature in a password vault that’s worth understanding in full if you’re running Weavestream. A few other capabilities that complement it:

Version history. Every change to a credential is stored as an immutable record capturing the previous values, the actor, and the timestamp. Version history can’t be deleted, even for archived passwords. The PDF export captures the current state; the version history shows you how the credential got there.

Reveal audit trail. Every decryption event — every time a password is revealed — generates an audit log entry with the actor, timestamp, and IP address. The trail is append-only and tamper-resistant. If a client asks who accessed their admin password before their contract ended, you can answer specifically.

Password generator. The built-in generator runs locally in the browser — nothing is sent to a server. It offers three modes: EFF-style words with symbols, passphrase, or character-class-based random strings. When you’re rotating credentials as part of an offboarding or as routine hygiene, the generator produces strong passwords without leaving the platform.

Breach detection. Every password save or update runs a HaveIBeenPwned k-anonymity lookup. Only the first five characters of the SHA-1 hash leave your server; the comparison happens locally. Credentials that match known breach data are flagged at save time.
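The range lookup described under breach detection, sketched in Python as an added example (not Weavestream's own code). The `fetch_range` callable, the sample passwords, and their counts are constructed stand-ins for the remote range service, so the block runs offline.

```python
import hashlib

def split_hash(password: str) -> tuple[str, str]:
    """Uppercase SHA-1 hex digest split into 5-char prefix and 35-char suffix."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]

def breach_count(suffix: str, range_body: str) -> int:
    """Compare our suffix locally against a range response (SUFFIX:COUNT rows).

    Padded responses carry decoy rows with a count of 0; those are not hits.
    """
    for line in range_body.splitlines():
        candidate, sep, count = line.strip().partition(":")
        if not sep or len(candidate) != 35:
            continue  # blank or malformed row
        if candidate.upper() == suffix:
            try:
                return max(int(count), 0)
            except ValueError:
                return 0
    return 0

def check_password(password: str, fetch_range) -> tuple[str, int]:
    """Return (prefix_sent, times_seen). Only the prefix is handed to fetch_range."""
    prefix, suffix = split_hash(password)
    return prefix, breach_count(suffix, fetch_range(prefix))

# Constructed sample data: passwords and counts invented for this example.
CONSTRUCTED_BREACHED = {"Summer2024!": 1843, "hunter2": 17043}

def constructed_fetch(prefix: str) -> str:
    """Stand-in for the remote range service: sees the 5-char prefix only."""
    rows = ["0" * 35 + ":0"]  # decoy row, as in a padded response
    for pw, seen in CONSTRUCTED_BREACHED.items():
        p, s = split_hash(pw)
        if p == prefix:
            rows.append(f"{s}:{seen}")
    return "\r\n".join(rows)

if __name__ == "__main__":
    for pw in ("hunter2", "a-long-constructed-passphrase-91"):
        sent, seen = check_password(pw, constructed_fetch)
        print(f"sent prefix {sent}, flagged={seen > 0}, count={seen}")
```
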


Who Can Run the Export

The PDF export is available to admin users from the vault workflow in any company. It doesn’t require a separate permission or configuration — if you have admin access to the company in Weavestream, you can run the export.

For MSPs with a clear separation between technician and admin tiers, this means the export is typically run by whoever is handling the offboarding process — not accessible to every technician by default, but available to the people who need it without a ticket to IT.


Client offboarding is an edge case in the day-to-day operations of most MSPs, but it’s a high-stakes one when it comes up. Having a documented, repeatable process for returning credentials — rather than an improvised manual export — is the kind of operational maturity that clients notice, and that protects your MSP from disputes about whether the handover was complete.

The vault export in Weavestream takes about ten seconds to run. The peace of mind is harder to put a number on.


Weavestream is free, self-hosted, and open source. The password vault PDF export is available in every deployment at no additional cost. Find out more at weavestream.io.
