Elmiva Vault

Comparison

Vault vs Notion for Secrets in Operational Docs

Document tools are good at context. Secrets need separate controls around reveal, copy, rotation, permissions, and audit. Vault keeps operational context and secret value access connected without storing plaintext values in the page.

May 10, 2026

Docs Are Context, Not Secret Stores

Operational documents naturally collect knowledge: deployment steps, rollback commands, vendor contacts, and the names of credentials used by each system. The problem starts when a page also contains the plaintext staging password or production token "just for now." After a few months, nobody knows which copied value is current.

That drift becomes visible during incidents. A responder finds a token in an old runbook, a newer token in a project page, and a third copy in a contractor handoff. The team now has a documentation problem and a rotation problem at the same time.

References Instead of Plaintext

Vault pages can include structured secret references. The page explains which credential matters and where it is used, while the secret value remains governed by workspace membership, visibility, and explicit secret permissions. Reading the page does not automatically grant reveal access.

Permission Boundaries

Document permissions and secret permissions are not the same operational decision. A developer may need to read an onboarding page without seeing the production payment provider key. A contractor may need a deployment checklist for staging but should lose access when the workspace membership is disabled. Vault keeps those boundaries in the application model.

Rotation and Audit

If a value leaks into a page or ticket, Vault treats rotation as replacement rather than overwriting the existing credential. That preserves the relationship between the old and new secret, making it easier to investigate stale references, copied values, and reveal activity after an incident.
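The three ideas above (references instead of plaintext, reveal as a separate permission, rotation as replacement with an audit trail) can be modelled in a few lines. This is an added example, not Elmiva Vault's code or API: every class, method, field name and the `{{secret:ID}}` reference syntax is hypothetical, and the users and secret values are constructed.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Secret:
    id: str
    value: str
    replaces: Optional[str] = None  # id of the secret this one replaced
    retired: bool = False

@dataclass
class Workspace:  # hypothetical model, not the product's data model
    members: dict = field(default_factory=dict)        # user -> membership active?
    page_readers: set = field(default_factory=set)     # users allowed to read the page
    reveal_grants: set = field(default_factory=set)    # explicit (user, secret_id) grants
    secrets: dict = field(default_factory=dict)
    audit: list = field(default_factory=list)          # append-only event log

    def read_page(self, user, page):
        # The page carries only references such as {{secret:stg-db-1}}, never values.
        if not self.members.get(user) or user not in self.page_readers:
            raise PermissionError("no page access")
        return page

    def reveal(self, user, secret_id):
        # Separate decision from page access: active membership AND explicit grant.
        ok = bool(self.members.get(user)) and (user, secret_id) in self.reveal_grants
        self.audit.append(("reveal", user, secret_id, "allowed" if ok else "denied"))
        if not ok:
            raise PermissionError("no reveal permission")
        return self.secrets[secret_id].value

    def rotate(self, actor, old_id, new_id, new_value):
        # Replacement, not overwrite: the old record is kept, retired, and linked.
        self.secrets[old_id].retired = True
        self.secrets[new_id] = Secret(new_id, new_value, replaces=old_id)
        self.audit.append(("rotate", actor, old_id, new_id))

    def stale_references(self, page):
        # References in the page that still point at a retired secret.
        return [sid for sid, s in self.secrets.items()
                if s.retired and "{{secret:%s}}" % sid in page]

def demo():
    ws = Workspace(members={"dev": True, "contractor": True},
                   page_readers={"dev", "contractor"},
                   reveal_grants={("dev", "stg-db-1")})
    ws.secrets["stg-db-1"] = Secret("stg-db-1", "constructed-value-A")
    page = "Deploy staging using {{secret:stg-db-1}}"
    ws.members["contractor"] = False                   # membership disabled
    ws.rotate("admin", "stg-db-1", "stg-db-2", "constructed-value-B")
    return ws, page
```

Because the old record survives rotation, `stale_references` can flag pages that still point at it, and denied reveal attempts land in the same log as the rotation event.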

Which Environment Each Tool Fits Best

Notion fits general documentation, planning, and team knowledge work. Vault fits operational documentation where pages need to point at secrets while preserving workspace boundaries, explicit reveal permissions, rotation history, immutable audit events, and cleanup after leaked or copied credentials.