---
title: "PromptVault: An AI Prompt Manager With No Backend"
date: 2026-06-09T12:00:00.000Z
description: "A free-forever prompt manager for Claude, ChatGPT and Gemini — a Manifest V3 browser extension plus a web app that store your prompts in your own Google Drive. No servers, no telemetry, drive.file least-privilege. Here's the architecture, a usage guide, and the security model."
tags: ["promptvault", "chrome-extension", "manifest-v3", "google-drive", "byos", "ai-prompts", "oauth", "svelte", "open-source", "privacy"]
tokens: 2121
content-signal: search=yes, ai-input=yes, ai-train=no
---


![PromptVault — your AI prompts, in your own Google Drive. A free-forever prompt manager: browser extension and web app, no backend.](/images/posts/promptvault-byos-ai-prompt-manager/hero.svg)

## TL;DR - Key Takeaways

1. **PromptVault** is a free-forever prompt manager for AI tools — a **Manifest V3 browser extension** plus a **web app** — that stores your reusable prompts in **your own Google Drive**, not on anyone's server.
2. **There is no backend.** Prompt data lives in a `vault.json` in a `PromptVault` folder in your Drive; media bytes upload to the same folder; the vault keeps only a lightweight reference. All compute is client-side.
3. **`drive.file` least-privilege scope** — the app can only ever see the files it created. It cannot read the rest of your Drive, which also keeps it out of Google's restricted-scope verification.
4. **Right-click to paste** a saved prompt straight into any text field, or **copy from the toolbar popup** and paste anywhere — including pages where extensions can't inject. **Save selected text or any web image** into your vault from the context menu.
5. **OAuth implicit grant, no client secret** — sign-in uses `chrome.identity.launchWebAuthFlow` with a public client ID; tokens stay in local storage and are revoked on disconnect. No telemetry, no third-party calls.
6. **Shared core, two front-ends** — a vanilla-JS MV3 extension and a Svelte web app both build on one `@promptvault/core` package; the web app ships to GitHub Pages, the extension as a signed CRX.

---

## Why I Built This

If you use Claude, ChatGPT, or Gemini every day, you accumulate prompts. Prefaces that set the tone. Guardrails you paste before a risky task. A persona. An "explain it like I'm a senior engineer" block. Snippets you reach for constantly.

Mine were scattered across notes apps, a `prompts.txt`, and my actual clipboard history. Every "prompt manager" I tried wanted me to sign up for an account, trust their servers with the text I paste into AI tools, and — eventually — pay a subscription to keep my own writing.

That's backwards. A prompt library is just text and a few images. It should live somewhere **I** already own, cost nothing to run, and never touch a third-party server.

So I built one with a hard constraint: **no backend, ever.** If there's no server, there's no data to leak, no bill to pay, and nothing for me to shut down later.

---

## What It Is

PromptVault has two front-ends that share one library:

- A **browser extension** (Chromium: Chrome, Edge, Brave, Arc, Opera) that lives where you actually type. Right-click to paste a prompt into the page, or open the toolbar popup to search and copy.
- A **web app** ([tech-sumit.github.io/promptvault](https://tech-sumit.github.io/promptvault)) that manages the same library — full CRUD, categories, search, import/export, drag-and-drop media.

Both read and write the **same vault in your Google Drive**, so your prompts follow you between the two.

Items are organized into six fixed categories — `preface`, `guardrail`, `system`, `personal`, `snippet`, and `media` — each with a title, body (Markdown), optional link, tags, and an optional media attachment.

---

## Architecture: Bring Your Own Storage

The whole design follows from one rule: **the user's data lives in the user's storage.** There is no application database because there is no application server.

```mermaid
graph TD
    subgraph drive ["Your Google Drive — /PromptVault folder"]
        VJ["vault.json<br/>prompts + metadata"]
        MED["media files<br/>(images you attach)"]
        VJ -. "DriveRef: id, link, thumb" .-> MED
    end

    subgraph clients ["Client-side only — no backend, no database"]
        EXT["Browser Extension<br/>MV3: service worker · content<br/>popup · dashboard"]
        WEB["Web App<br/>Svelte + Vite → GitHub Pages"]
        CORE["@promptvault/core<br/>vault · drive · merge · model · markdown"]
    end

    EXT --> CORE
    WEB --> CORE
    CORE -- "read / write vault.json<br/>(revision + merge)" --> VJ
    CORE -- "multipart upload · blob fetch" --> MED
    AUTH["Google OAuth — implicit grant<br/>drive.file + userinfo.email"] --> CORE
```

### The storage model

A media item's bytes are uploaded to your Drive's `PromptVault` folder; the vault stores only a lightweight `DriveRef` — the file id, a link, and a thumbnail reference. Prompt text and metadata live in a single `vault.json` in the same folder. The app never holds your data; it holds a pointer into your Drive and a short-lived access token.

### Sync and conflict resolution

`vault.json` is read and written through the Drive API with **revision tracking**. On write, the client passes the expected `headRevisionId`; if Drive has moved on (you edited from another device), it raises a `ConflictError`, and the client **merges** instead of clobbering. The merge is last-write-wins per item (newest `updated` timestamp wins) with **tombstones** so a delete on one device propagates instead of resurrecting. The extension also caches locally and syncs on a periodic `alarms` tick plus a debounced push after edits.
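
The write path described above, sketched as an added example (this is not PromptVault's own code): a revision-checked write that, on conflict, re-reads the head, merges last-write-wins per item with tombstones, and retries. The item shape `{id, updated, deleted}`, the in-memory `FakeDrive`, and the function names are assumptions made for illustration.

```javascript
// Added example, not PromptVault's code. The item shape {id, updated, deleted}
// and the FakeDrive class are assumptions standing in for vault.json on Drive.
class ConflictError extends Error {}

class FakeDrive {
  constructor(items) { this.rev = 1; this.items = items; }
  read() { return { rev: this.rev, items: this.items.map((i) => ({ ...i })) }; }
  write(items, expectedRev) {
    // Reject the write if another client has saved since expectedRev was read.
    if (expectedRev !== this.rev) throw new ConflictError('stale revision');
    this.items = items.map((i) => ({ ...i }));
    return ++this.rev;
  }
}

// Last-write-wins per item id. A delete stays in the list as a tombstone
// ({deleted: true}), so it competes on `updated` like any other edit.
// On an exact timestamp tie the remote copy is kept.
function mergeVaults(local, remote) {
  const byId = new Map();
  for (const item of [...remote, ...local]) {
    const seen = byId.get(item.id);
    if (!seen || item.updated > seen.updated) byId.set(item.id, item);
  }
  return [...byId.values()].sort((a, b) => a.id.localeCompare(b.id));
}

// Write local state; on conflict re-read the head, merge, and retry.
function push(drive, local, knownRev, maxTries = 3) {
  let items = local, rev = knownRev;
  for (let attempt = 0; attempt < maxTries; attempt++) {
    try {
      return { rev: drive.write(items, rev), items };
    } catch (err) {
      if (!(err instanceof ConflictError)) throw err;
      const head = drive.read();
      items = mergeVaults(items, head.items);
      rev = head.rev;
    }
  }
  throw new Error('gave up after repeated conflicts');
}

// Constructed scenario: device B deletes "b" while device A edits "a" offline.
function demo() {
  const drive = new FakeDrive([{ id: 'a', updated: 10 }, { id: 'b', updated: 10 }]);
  drive.write([{ id: 'a', updated: 10 }, { id: 'b', updated: 20, deleted: true }], 1);
  return push(drive, [{ id: 'a', updated: 30 }, { id: 'b', updated: 10 }], 1);
}
```

Because the winner is chosen by client-supplied `updated` values, a device with a skewed clock can win or lose merges it should not; the tombstone only suppresses a resurrection while its timestamp is the newer one.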

### One core, two front-ends

`@promptvault/core` is the shared brain — the vault, the Drive client (multipart upload, blob download, vault read/write), the merge logic, the data model, and a small XSS-safe Markdown renderer. The **extension** is vanilla JS (Manifest V3, no framework, loads as "unpacked" with zero build step beyond bundling). The **web app** is Svelte + Vite. Both depend on the exact same core, so behavior can't drift between them.

### Inside the extension

- **Service worker** — builds the right-click menus, routes a chosen prompt to the active tab, and runs background Drive sync.
- **Content script** — pastes into the page. Text is inserted at the caret via the **native value setter** plus a bubbling `input` event, so React-controlled editors (ChatGPT/Claude/Gemini) actually register the change. Images are re-encoded to **PNG** (Chrome's clipboard `write()` only accepts PNG) and pasted via `execCommand` — which works in a content script thanks to the `clipboardWrite`/`clipboardRead` permissions.
- **Popup / dashboard / onboarding** — search-and-copy, full management with Markdown rendering and lazy Drive-image previews, and a one-click "Connect Google Drive" flow.

The extension ID is **pinned via a manifest key** so dev builds and the published build share one identity, and CI produces a **signed CRX** for self-distribution alongside the Web Store zip.

---

## How to Use It

### The web app (nothing to install)

1. Open **[tech-sumit.github.io/promptvault/app](https://tech-sumit.github.io/promptvault/app)**.
2. Click **Sign in with Google**. PromptVault creates a `PromptVault` folder in your Drive.
3. Add items — text prompts, links, or drag-and-drop an image to attach media.
4. Hit **Copy** on any item and paste it wherever you're working.

### The browser extension

1. Load it (Web Store, or load the `dist/` folder unpacked) and click **Connect Google Drive** — one click, no setup, no Client ID to create.
2. **Paste into any field:** right-click in a composer → **Paste from PromptVault** → pick an item. Text drops straight in at the caret; an image is copied so you press ⌘/Ctrl+V.
3. **Copy from the popup:** open the toolbar popup, search, and **Copy** — then paste anywhere, including `chrome://` pages and built-in AI boxes where no extension can inject.
4. **Capture from the web:** right-click selected text → **Save selection to PromptVault**, or right-click any image → **Save image to PromptVault** (it uploads to your Drive and adds a media item).

Your prompts sync through your own Drive, so the extension and the web app always show the same library.

---

## Security and Privacy

This is the part I care about most, because a prompt manager sees text you trust to AI tools. The design is built so that **there is almost nothing to trust me with.**

- **No backend, no database.** Your prompts and media live in *your* Google Drive. I run no server, so there is no copy of your data anywhere I control.
- **`drive.file` least-privilege scope.** The app can only access files **it created** — the `PromptVault` folder and nothing else. It is technically incapable of reading the rest of your Drive. (This also keeps it clear of Google's restricted-scope review.)
- **`userinfo.email` only**, used solely to show which account you connected.
- **OAuth implicit grant, no client secret.** Sign-in uses `chrome.identity.launchWebAuthFlow` with a **public** client ID. There is no secret embedded in the extension — there's nothing to extract from the package.
- **Tokens stay local.** The access token is cached in `chrome.storage.local` (extension) / `localStorage` (web). **Disconnect revokes the token** and clears it.
- **No telemetry, no analytics, no third-party calls** — the only network requests are to the Google APIs you authorized.
- **Untrusted text is escaped.** Saved and captured content is HTML-escaped before rendering (the Markdown renderer escapes first, then formats, and only allows `http(s)` links) — no `innerHTML` of raw user text.
- **Open source.** The whole thing is on GitHub; you can read exactly what it does before you connect anything.

The summary: *bring your own storage, least privilege, no secrets, no servers.*
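
The escape-first rendering rule from the list above, as an added example (not the renderer shipped in `@promptvault/core`): all input is HTML-escaped before any formatting runs, and a link becomes an anchor only when its scheme is `http` or `https`. The function names and the three supported constructs are assumptions chosen to keep the sketch small.

```javascript
// Added example, not @promptvault/core's renderer. It handles only `code`,
// **bold** and [text](url); the function names are assumptions.
const ENTITIES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

function escapeHtml(raw) {
  return raw.replace(/[&<>"']/g, (ch) => ENTITIES[ch]);
}

// One alternation, applied in a single pass so generated tags are never rescanned.
const TOKEN = /`([^`]+)`|\*\*([^*]+)\*\*|\[([^\]]+)\]\(([^\s)]+)\)/g;

function renderInline(raw) {
  // Step 1: escape everything. From here on, the only markup in the string
  // is what this function writes itself.
  const escaped = escapeHtml(String(raw));
  // Step 2: format the already-escaped text.
  return escaped.replace(TOKEN, (match, code, bold, text, url) => {
    if (code !== undefined) return `<code>${code}</code>`;
    if (bold !== undefined) return `<strong>${bold}</strong>`;
    // Allow-list the scheme; anything else stays as inert literal text.
    if (!/^https?:\/\//i.test(url)) return match;
    return `<a href="${url}" rel="noopener noreferrer">${text}</a>`;
  });
}
```

Since quotes are escaped in step 1, a URL cannot close the `href` attribute it is written into, and the scheme check never sees anything the escaper has not already neutralised.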

---

## Tech Stack

| Layer | Choice |
|---|---|
| Extension | Manifest V3, vanilla JS (ES2020+), esbuild bundling, loads unpacked |
| Web app | Svelte 4 + Vite, deployed to GitHub Pages |
| Shared core | `@promptvault/core` — vault, Drive client, CRDT-ish merge, model, Markdown |
| Storage | Your Google Drive (`vault.json` + media); `chrome.storage` cache |
| Auth | Google OAuth 2.0 implicit grant · `drive.file` + `userinfo.email` |
| CI/CD | GitHub Actions — web → GitHub Pages, extension → signed CRX + zip on tag |
| Design | Shared `theme.css` token system, system-aware dark/light |

---

## What's Next

- Chrome Web Store listing (the package and signed CRX are already built by CI).
- Per-site auto-insert for image attachments into the major AI composers.
- Optional end-to-end encryption of `vault.json` for users who want their prompts unreadable even to Google.

PromptVault is open source — if a no-backend, your-storage prompt manager is the kind of thing you'd use, the code and the live app are both linked below.

**Live app:** [tech-sumit.github.io/promptvault](https://tech-sumit.github.io/promptvault)
**Source:** [github.com/tech-sumit/promptvault](https://github.com/tech-sumit/promptvault)
