diff --git a/.gitignore b/.gitignore
index 7b5a9d41..e4a8ecf3 100644
--- a/.gitignore
+++ b/.gitignore
@@ -349,3 +349,6 @@ Vault/wwwroot/js/dist/
 
 # Development settings
 appsettings.Development.json
+
+# Database releases
+!db/releases
diff --git a/Vault.ruleset b/Vault.ruleset
index 0445ad3a..62cf857a 100644
--- a/Vault.ruleset
+++ b/Vault.ruleset
@@ -1,7 +1,7 @@
 <?xml version="1.0" encoding="utf-8"?>
-<RuleSet Name="Vault" ToolsVersion="16.0">
-  <Rules AnalyzerId="Microsoft.CodeAnalysis.NetAnalyzers" RuleNamespace="Microsoft.CodeAnalysis.NetAnalyzers">
-    <Rule Id="CA1014" Action="None" />
+<RuleSet Name="Vault" ToolsVersion="17.0">
+  <Rules AnalyzerId="Microsoft.CodeAnalysis.CSharp.Features" RuleNamespace="Microsoft.CodeAnalysis.CSharp.Features">
+    <Rule Id="IDE0290" Action="None" />
   </Rules>
   <Rules AnalyzerId="Microsoft.CodeQuality.Analyzers" RuleNamespace="Microsoft.CodeQuality.Analyzers">
     <Rule Id="CA2007" Action="None" />
diff --git a/Vault/Controllers/CredentialsController.cs b/Vault/Controllers/CredentialsController.cs
index e5e3989a..2987d8cd 100644
--- a/Vault/Controllers/CredentialsController.cs
+++ b/Vault/Controllers/CredentialsController.cs
@@ -1,4 +1,6 @@
 using System;
+using System.Collections.Generic;
+using System.Linq;
 using System.Threading.Tasks;
 using Dapper;
 using Microsoft.AspNetCore.Mvc;
@@ -14,12 +16,45 @@ public class CredentialsController : Controller
         public CredentialsController(IConnectionFactory cf) =>
             _db = new SqlExecutor(cf);
 
+        public async Task<ActionResult> ReadTagIndex(string userId) =>
+            await _db.ResultAsJson(async conn => {
+                var reader = await conn.QueryMultipleAsync(SqlStatements.TagIndex, new { UserID = userId });
+
+                var tags = await reader.ReadAsync<(string TagID, string Label)>();
+                var index = await reader.ReadAsync<(string TagID, string CredentialID)>();
+
+                return new {
+                    tags = tags.Select(t => new {
+                        t.TagID,
+                        t.Label,
+                    }),
+                    index = index
+                        .GroupBy(i => i.TagID)
+                        .ToDictionary(g => g.Key, g => g.Select(i => i.CredentialID))
+                };
+            });
+
         [HttpPost]
         public async Task<ActionResult> Create([FromBody] Credential model) =>
-            await _db.ResultAsJson(conn => conn.ExecuteAsync(SqlStatements.Insert, model.WithNewID()));
+            await _db.ResultAsJson(async conn => {
+                var c = model.WithNewID();
+                var a = await conn.ExecuteAsync(SqlStatements.Insert, c);
+                var b = await conn.ExecuteAsync(SqlStatements.TagsToCredential, c.TagArray);
+                return a + b;
+            });
 
         public async Task<ActionResult> Read(string id) =>
-            await _db.ResultAsJson(conn => conn.QuerySingleOrDefaultAsync<Credential>(SqlStatements.SelectSingle, new { CredentialID = id }));
+            await _db.ResultAsJson(async conn => {
+                var reader = await conn.QueryMultipleAsync(SqlStatements.SelectSingle, new { CredentialID = id });
+
+                var credential = await reader.ReadSingleAsync<Credential>();
+                var tags = await reader.ReadAsync<(string TagID, string Label)>();
+
+                credential.Tags = string.Join('|', tags.Select(t => t.TagID));
+                credential.TagDisplay = string.Join('|', tags.Select(t => t.Label));
+
+                return credential;
+            });
 
         public async Task<ActionResult> ReadAll(string userId) =>
             await _db.ResultAsJson(conn => conn.QueryAsync<Credential>(SqlStatements.Select, new { UserID = userId }));
@@ -29,7 +64,12 @@ public async Task<ActionResult> ReadSummaries(string userId) =>
 
         [HttpPost]
         public async Task<ActionResult> Update([FromBody] Credential model) =>
-            await _db.ResultAsJson(conn => conn.ExecuteAsync(SqlStatements.Update, model));
+            await _db.ResultAsJson(async conn => {
+                var a = await conn.ExecuteAsync(SqlStatements.Update, model);
+                var b = await conn.ExecuteAsync(SqlStatements.DeleteTagsFromCredential, model);
+                var c = await conn.ExecuteAsync(SqlStatements.TagsToCredential, model.TagArray);
+                return a + b + c;
+            });
 
         [HttpPost]
         public async Task<ActionResult> Import([FromBody] ImportViewModel model) =>
diff --git a/Vault/Models/Credential.cs b/Vault/Models/Credential.cs
index af961469..d47d24d7 100644
--- a/Vault/Models/Credential.cs
+++ b/Vault/Models/Credential.cs
@@ -1,5 +1,6 @@
 using System;
 using System.ComponentModel;
+using System.Linq;
 
 namespace Vault.Models
 {
@@ -19,6 +20,7 @@ public Credential()
             UserDefined2 = "{{UserDefined2}}";
             Notes = "{{Notes}}";
             PwdOptions = "{{PwdOptions}}";
+            Tags = "{{Tags}}";
         }
 
         public string CredentialID { get; set; }
@@ -50,6 +52,15 @@ public Credential()
 
         public string PwdOptions { get; set; }
 
+        public string Tags { get; set; }
+
+        public string TagDisplay { get; set; }
+
+        public object[] TagArray =>
+            Tags?
+                .Split('|', StringSplitOptions.RemoveEmptyEntries | StringSplitOptions.TrimEntries)
+                .Select(t => new { TagID = t, CredentialID }).ToArray() ?? [];
+
         public Credential WithNewID()
         {
             var credentialWithGuid = (Credential)MemberwiseClone();
diff --git a/Vault/Models/CredentialSummary.cs b/Vault/Models/CredentialSummary.cs
index 85b5ddf0..a9e74a2d 100644
--- a/Vault/Models/CredentialSummary.cs
+++ b/Vault/Models/CredentialSummary.cs
@@ -4,8 +4,6 @@ public class CredentialSummary
     {
         public string CredentialID { get; set; }
 
-        public string UserID { get; set; }
-
         public string Description { get; set; }
 
         public string Username { get; set; }
diff --git a/Vault/Models/DatabaseType.cs b/Vault/Models/DatabaseType.cs
new file mode 100644
index 00000000..62916905
--- /dev/null
+++ b/Vault/Models/DatabaseType.cs
@@ -0,0 +1,13 @@
+namespace Vault.Models
+{
+#pragma warning disable SA1602 // Enumeration items should be documented
+    public enum DatabaseType
+    {
+        Unknown,
+
+        SQLite,
+
+        SqlServer
+    }
+#pragma warning restore SA1602 // Enumeration items should be documented
+}
diff --git a/Vault/Models/LoginResult.cs b/Vault/Models/LoginResult.cs
index 0538d6c0..939a750a 100644
--- a/Vault/Models/LoginResult.cs
+++ b/Vault/Models/LoginResult.cs
@@ -6,7 +6,7 @@ public LoginResult(string userID) =>
             UserID = userID;
 
         public static LoginResult Failed =>
-            new (null);
+            new(null);
 
         public string UserID { get; }
 
diff --git a/Vault/Startup.cs b/Vault/Startup.cs
index e76c9473..06100074 100644
--- a/Vault/Startup.cs
+++ b/Vault/Startup.cs
@@ -7,6 +7,7 @@
 using Microsoft.Extensions.DependencyInjection;
 using Microsoft.Extensions.Hosting;
 using Newtonsoft.Json.Serialization;
+using Vault.Models;
 using Vault.Support;
 
 namespace Vault
@@ -32,9 +33,11 @@ public void ConfigureServices(IServiceCollection services)
 
             services.AddMvc(options => options.Filters.Add<ProtectWithSecurityKeyFilter>());
 
+            SqlStatements.DatabaseType = Configuration["DbType"] == "SQLite" ? DatabaseType.SQLite : DatabaseType.SqlServer;
+
             var connectionString = Configuration.GetConnectionString("Main");
 
-            var connectionFactory = Configuration["DbType"] == "SQLite"
+            var connectionFactory = SqlStatements.DatabaseType == DatabaseType.SQLite
                 ? new Func<IServiceProvider, IConnectionFactory>(_ => new SQLiteConnectionFactory(connectionString))
                 : _ => new SqlConnectionFactory(connectionString);
 
diff --git a/Vault/Support/InlineJsGlobalSerializer.cs b/Vault/Support/InlineJsGlobalSerializer.cs
index 93ef5edf..105e819b 100644
--- a/Vault/Support/InlineJsGlobalSerializer.cs
+++ b/Vault/Support/InlineJsGlobalSerializer.cs
@@ -10,7 +10,7 @@ namespace Vault.Support
     public static class InlineJsGlobalSerializer
     {
         private static readonly JsonSerializerSettings _settings =
-            new () {
+            new() {
                 NullValueHandling = NullValueHandling.Ignore,
                 ContractResolver = new DefaultContractResolver {
                     NamingStrategy = new CamelCaseNamingStrategy()
@@ -40,7 +40,7 @@ public static string AsJson(this object o)
         }
 
         private static JsonTextWriter GetJsonWriter(StringWriter sw) =>
-            new (sw) {
+            new(sw) {
                 Formatting = Formatting.Indented,
                 IndentChar = ' ',
                 Indentation = 4,
diff --git a/Vault/Support/SqlStatements.cs b/Vault/Support/SqlStatements.cs
index e8973816..c56503bb 100644
--- a/Vault/Support/SqlStatements.cs
+++ b/Vault/Support/SqlStatements.cs
@@ -1,11 +1,13 @@
-namespace Vault.Support
+using System;
+using Vault.Models;
+
+namespace Vault.Support
 {
     public static class SqlStatements
     {
         public const string SelectSummary =
             @"SELECT
                   CredentialID,
-                  UserID,
                   Description,
                   Username,
                   Password,
@@ -19,38 +21,60 @@ public static class SqlStatements
             "SELECT * FROM Credentials WHERE UserID = @UserID";
 
         public const string SelectSingle =
-            "SELECT * FROM Credentials WHERE CredentialID = @CredentialID";
+            """
+            SELECT
+                *
+            FROM
+                Credentials
+            WHERE
+                CredentialID = @CredentialID;
+
+            SELECT
+                tc.TagID,
+                t.Label
+            FROM
+                Tags_Credentials tc
+            INNER JOIN
+                Tags t
+                    ON t.TagID = tc.TagID
+            WHERE
+                tc.CredentialID = @CredentialID
+            ORDER BY
+                t.Label;
+            """;
 
         public const string Insert =
-            @"INSERT INTO
-                  Credentials (
-                      CredentialID,
-                      UserID,
-                      Description,
-                      Username,
-                      Password,
-                      Url,
-                      UserDefined1Label,
-                      UserDefined1,
-                      UserDefined2Label,
-                      UserDefined2,
-                      Notes,
-                      PwdOptions
-                  )
-              VALUES (
-                  @CredentialID,
-                  @UserID,
-                  @Description,
-                  @Username,
-                  @Password,
-                  @Url,
-                  @UserDefined1Label,
-                  @UserDefined1,
-                  @UserDefined2Label,
-                  @UserDefined2,
-                  @Notes,
-                  @PwdOptions
-              )";
+            """
+            INSERT INTO
+                Credentials (
+                    CredentialID,
+                    UserID,
+                    Description,
+                    Username,
+                    Password,
+                    Url,
+                    UserDefined1Label,
+                    UserDefined1,
+                    UserDefined2Label,
+                    UserDefined2,
+                    Notes,
+                    PwdOptions
+                )
+            VALUES (
+                @CredentialID,
+                @UserID,
+                @Description,
+                @Username,
+                @Password,
+                @Url,
+                @UserDefined1Label,
+                @UserDefined1,
+                @UserDefined2Label,
+                @UserDefined2,
+                @Notes,
+                @PwdOptions
+            );
+            """;
 
         public const string Update =
             @"UPDATE
@@ -77,5 +101,54 @@ public static class SqlStatements
 
         public const string Login =
             "SELECT UserID FROM Users WHERE Username = @Username AND Password = @Password";
+
+        public const string TagIndex =
+            """
+            SELECT
+                TagID,
+                Label
+            FROM
+                Tags
+            WHERE
+                UserID = @UserID
+            ORDER BY
+                Label;
+
+            SELECT
+                tc.TagID,
+                tc.CredentialID
+            FROM
+                Tags_Credentials tc
+            INNER JOIN
+                Tags t
+                    ON t.TagID = tc.TagID
+            WHERE
+                t.UserID = @UserID
+            ORDER BY
+                t.Label;
+            """;
+
+        public const string DeleteTagsFromCredential =
+            """
+            DELETE FROM
+                Tags_Credentials
+            WHERE
+                CredentialID = @CredentialID;
+            """;
+
+        public const string TagsToCredential =
+            """
+            INSERT INTO
+                Tags_Credentials (
+                    TagID,
+                    CredentialID
+                )
+            VALUES (
+                @TagID,
+                @CredentialID
+            );
+            """;
+
+        public static DatabaseType DatabaseType { get; internal set; }
     }
 }
diff --git a/Vault/Vault.csproj b/Vault/Vault.csproj
index e61a545a..68f9c9cf 100644
--- a/Vault/Vault.csproj
+++ b/Vault/Vault.csproj
@@ -21,16 +21,16 @@
     </ItemGroup>
 
     <ItemGroup>
-        <PackageReference Include="Dapper" Version="2.1.28" />
-        <PackageReference Include="Microsoft.AspNetCore.Mvc.NewtonsoftJson" Version="8.0.2" />
-        <PackageReference Include="Microsoft.Data.SqlClient" Version="5.1.5" />
-        <PackageReference Include="Microsoft.TypeScript.MSBuild" Version="5.3.3">
+        <PackageReference Include="Dapper" Version="2.1.35" />
+        <PackageReference Include="Microsoft.AspNetCore.Mvc.NewtonsoftJson" Version="8.0.6" />
+        <PackageReference Include="Microsoft.Data.SqlClient" Version="5.2.1" />
+        <PackageReference Include="Microsoft.TypeScript.MSBuild" Version="5.4.5">
             <PrivateAssets>all</PrivateAssets>
             <IncludeAssets>runtime; build; native; contentfiles; analyzers; buildtransitive</IncludeAssets>
         </PackageReference>
         <PackageReference Include="Microsoft.VisualStudio.Validation" Version="17.8.8" />
         <PackageReference Include="Newtonsoft.Json" Version="13.0.3" />
-        <PackageReference Include="StyleCop.Analyzers" Version="1.1.118">
+        <PackageReference Include="StyleCop.Analyzers" Version="1.2.0-beta.556">
             <PrivateAssets>all</PrivateAssets>
             <IncludeAssets>runtime; build; native; contentfiles; analyzers</IncludeAssets>
         </PackageReference>
diff --git a/Vault/Views/Home/GenerateVaultCredential.cshtml b/Vault/Views/Home/GenerateVaultCredential.cshtml
index 50216fc6..82668dbb 100644
--- a/Vault/Views/Home/GenerateVaultCredential.cshtml
+++ b/Vault/Views/Home/GenerateVaultCredential.cshtml
@@ -59,7 +59,7 @@
 
 @section foot {
 
-    <script src="~/js/dist/GenerateVaultCredential.min.js" asp-append-version="true" integrity="sha512-9OWfKRWszrMsJVs9BfTvW0UVWrtwFoMza9yBfydxO2nKWBc8egYdmqIb1R+qk5c/fhKqb8RU69Ix4V24vSrZwg=="></script>
+    <script src="~/js/dist/GenerateVaultCredential.min.js" asp-append-version="true" integrity="sha512-23UXvk9rGJ+cQqYRdNSJ1OGFQg0i2IlfETQAiPiRJY8STjomBunAKlPzh82vMdxAsVHhuyFKBTYRXROxZd8kDg=="></script>
 
     <div class="modal-backdrop show"></div>
 
diff --git a/Vault/Views/Home/Index.cshtml b/Vault/Views/Home/Index.cshtml
index 2fc68b44..b561bdff 100644
--- a/Vault/Views/Home/Index.cshtml
+++ b/Vault/Views/Home/Index.cshtml
@@ -20,6 +20,6 @@
         var _VAULT_GLOBALS = @Html.Raw(Model.AsJson());
     </script>
 
-    <script src="~/js/dist/Index.min.js" asp-append-version="true" integrity="sha512-UEtyhazndztA2yrv+IH6Z/dqZelvww/TTBVcCmgIO1EUzJey4fh7b1gskCFJDepKUp7cY4iCCFvqi1JxXI345A=="></script>
+    <script src="~/js/dist/Index.min.js" asp-append-version="true" integrity="sha512-JRoo5LPc8JUVUptWJbAqIZpbVwt7xeoW9Sy687sV+XFzIveba9Tcli48CvpWjD+qjzQFw9+OdboKeo9AU18MAg=="></script>
 
 }
diff --git a/Vault/Views/Shared/_ClientTemplates.cshtml b/Vault/Views/Shared/_ClientTemplates.cshtml
index f2fce0fb..dd77cb58 100644
--- a/Vault/Views/Shared/_ClientTemplates.cshtml
+++ b/Vault/Views/Shared/_ClientTemplates.cshtml
@@ -88,6 +88,17 @@
         <div class="col-md-@(DataColumnWidthMD)">{{breaklines Notes}}</div>
     </div>
     {{/if}}
+
+    {{#if TagDisplay}}
+    <div class="row row-detail mb-@(RowMargin) mb-md-@(RowMarginMD)">
+        <div class="col-md-@(LabelColumnWidthMD) @(LabelVisualEffectClasses)">Tags</div>
+        <div class="col-md-@(DataColumnWidthMD)">
+            {{#each TagDisplay}}
+                <div class="mab-bootstrap-taginput-tag mab-bootstrap-taginput-tag no-margin">{{Label}}</div>
+            {{/each}}
+        </div>
+    </div>
+    {{/if}}
 </script>
 
 <script id="tmpl-credentialform" type="text/html">
diff --git a/Vault/Views/Shared/_CredentialForm.cshtml b/Vault/Views/Shared/_CredentialForm.cshtml
index 193318ab..5b3599ed 100644
--- a/Vault/Views/Shared/_CredentialForm.cshtml
+++ b/Vault/Views/Shared/_CredentialForm.cshtml
@@ -10,6 +10,14 @@
         </div>
     </div>
 
+    <div class="row mb-md-@(RowMarginMD)">
+        <label asp-for="Tags" class="col-md-@(LabelColumnWidthMD) col-form-label @(LabelVisualEffectClasses)"></label>
+        <div class="col-md-@(FieldColumnWidthMD)">
+            <input asp-for="Tags" type="text" class="form-control" autocomplete="off" required />
+            <div class="invalid-feedback">Please enter a description</div>
+        </div>
+    </div>
+
     <div class="row mb-md-@(RowMarginMD)">
         <label asp-for="Username" class="col-md-@(LabelColumnWidthMD) col-form-label @(LabelVisualEffectClasses)"></label>
         <div class="col-md-@(FieldColumnWidthMD)">
diff --git a/Vault/Views/Shared/_StaticHtml.cshtml b/Vault/Views/Shared/_StaticHtml.cshtml
index dd1e96de..3fa9c11b 100644
--- a/Vault/Views/Shared/_StaticHtml.cshtml
+++ b/Vault/Views/Shared/_StaticHtml.cshtml
@@ -5,7 +5,13 @@
 </div>
 
 <div class="row d-none mt-3" id="controls">
-    <div class="col-md-8">
+    <div class="col-md-12">
+        <label class="visually-hidden" for="tags">Tags</label>
+        <div>
+            <input type="text" id="tags" name="tags" class="form-control" placeholder="Tags..." autocomplete="off" />
+        </div>
+    </div>
+    <div class="col-md-8 mt-3">
         <label class="visually-hidden" for="search">Search</label>
         <div class="search-input">
             <input type="text" id="search" name="search" class="form-control" placeholder="Search..." autocomplete="off" />
@@ -14,13 +20,13 @@
             </button>
         </div>
     </div>
-    <div class="col-md-2 mt-2 mt-md-0">
+    <div class="col-md-2 mt-3">
         <label class="visually-hidden" for="new">New Item</label>
         <button id="new" class="btn btn-primary w-100">
             <span class="bi bi-plus-lg"></span> New
         </button>
     </div>
-    <div class="col-md-2 mt-2 mt-md-0">
+    <div class="col-md-2 mt-3">
         <label class="visually-hidden" for="admin">Admin</label>
         <button id="admin" class="btn btn-outline-secondary w-100">
             <i class="bi bi-gear"></i> Admin
diff --git a/Vault/package-lock.json b/Vault/package-lock.json
index 8e79d534..eb2ec2e9 100644
--- a/Vault/package-lock.json
+++ b/Vault/package-lock.json
@@ -12,7 +12,8 @@
                 "bootstrap-icons": "^1.11.3",
                 "clipboard": "^2.0.11",
                 "handlebars": "^4.7.8",
-                "mab-dom": "^0.12.1",
+                "mab-bootstrap-taginput": "^0.8.5",
+                "mab-dom": "^0.12.2",
                 "tslib": "^2.6.3"
             },
             "devDependencies": {
@@ -36,7 +37,7 @@
                 "postcss": "^8.4.38",
                 "sass": "^1.77.5",
                 "source-map-loader": "^5.0.0",
-                "ts-jest": "^29.1.4",
+                "ts-jest": "^29.1.5",
                 "ts-loader": "^9.5.1",
                 "ts-node": "^10.9.2",
                 "typescript": "^5.4.5",
@@ -6623,10 +6624,18 @@
                 "es5-ext": "~0.10.2"
             }
         },
+        "node_modules/mab-bootstrap-taginput": {
+            "version": "0.8.5",
+            "resolved": "https://registry.npmjs.org/mab-bootstrap-taginput/-/mab-bootstrap-taginput-0.8.5.tgz",
+            "integrity": "sha512-b/x38gSH/Vfc/AUGmX1lBRfVi9uBcifKSUC5v11O5h6jvo7laOntdQA+vyBZrPUZphxndUGzBuiJ93p9d+EX7A==",
+            "dependencies": {
+                "mustache": "^4.2.0"
+            }
+        },
         "node_modules/mab-dom": {
-            "version": "0.12.1",
-            "resolved": "https://registry.npmjs.org/mab-dom/-/mab-dom-0.12.1.tgz",
-            "integrity": "sha512-PtIog+iqdg5TX+q+Ns4EdQZNruNM2OeQ1XfrgyHd+UWhoVIX0p+Pyr3auSELEuLjOV4zPtU8X6cRq4mm4yz6tw=="
+            "version": "0.12.2",
+            "resolved": "https://registry.npmjs.org/mab-dom/-/mab-dom-0.12.2.tgz",
+            "integrity": "sha512-tOLHTzT8gcF6pSvfdDchFREVPU3PLJsQ3n7dbO4hpvVZvIQs+DVZJYl2e5ckKUjFAgkX34C8S5h7WhxXSHcB3Q=="
         },
         "node_modules/make-dir": {
             "version": "4.0.0",
@@ -6897,6 +6906,14 @@
             "integrity": "sha512-6FlzubTLZG3J2a/NVCAleEhjzq5oxgHyaCU9yYXvcLsvoVaHJq/s5xXI6/XXP6tz7R9xAOtHnSO/tXtF3WRTlA==",
             "dev": true
         },
+        "node_modules/mustache": {
+            "version": "4.2.0",
+            "resolved": "https://registry.npmjs.org/mustache/-/mustache-4.2.0.tgz",
+            "integrity": "sha512-71ippSywq5Yb7/tVYyGbkBggbU8H3u5Rz56fH60jGFgr8uHwxs+aSKeqmluIVzM0m0kB7xQjKS6qPfd0b2ZoqQ==",
+            "bin": {
+                "mustache": "bin/mustache"
+            }
+        },
         "node_modules/mute-stdout": {
             "version": "2.0.0",
             "resolved": "https://registry.npmjs.org/mute-stdout/-/mute-stdout-2.0.0.tgz",
@@ -9534,9 +9551,9 @@
             }
         },
         "node_modules/ts-jest": {
-            "version": "29.1.4",
-            "resolved": "https://registry.npmjs.org/ts-jest/-/ts-jest-29.1.4.tgz",
-            "integrity": "sha512-YiHwDhSvCiItoAgsKtoLFCuakDzDsJ1DLDnSouTaTmdOcOwIkSzbLXduaQ6M5DRVhuZC/NYaaZ/mtHbWMv/S6Q==",
+            "version": "29.1.5",
+            "resolved": "https://registry.npmjs.org/ts-jest/-/ts-jest-29.1.5.tgz",
+            "integrity": "sha512-UuClSYxM7byvvYfyWdFI+/2UxMmwNyJb0NPkZPQE2hew3RurV7l7zURgOHAd/1I1ZdPpe3GUsXNXAcN8TFKSIg==",
             "dev": true,
             "dependencies": {
                 "bs-logger": "0.x",
diff --git a/Vault/package.json b/Vault/package.json
index 2fc4896d..3180d429 100644
--- a/Vault/package.json
+++ b/Vault/package.json
@@ -23,7 +23,7 @@
         "postcss": "^8.4.38",
         "sass": "^1.77.5",
         "source-map-loader": "^5.0.0",
-        "ts-jest": "^29.1.4",
+        "ts-jest": "^29.1.5",
         "ts-loader": "^9.5.1",
         "ts-node": "^10.9.2",
         "typescript": "^5.4.5",
@@ -35,7 +35,8 @@
         "bootstrap-icons": "^1.11.3",
         "clipboard": "^2.0.11",
         "handlebars": "^4.7.8",
-        "mab-dom": "^0.12.1",
+        "mab-bootstrap-taginput": "^0.8.5",
+        "mab-dom": "^0.12.2",
         "tslib": "^2.6.3"
     },
     "scripts": {
diff --git a/Vault/wwwroot/css/src/main.scss b/Vault/wwwroot/css/src/main.scss
index f19244e8..0e02a895 100644
--- a/Vault/wwwroot/css/src/main.scss
+++ b/Vault/wwwroot/css/src/main.scss
@@ -131,3 +131,105 @@
 .row-detail[class*="mb-"]:last-child {
     margin-bottom: 0 !important;
 }
+
+/* BEGIN MAB.Bootstrap.TagInput */
+
+.mab-bootstrap-taginput {
+    display: flex;
+    flex-wrap: wrap;
+    align-items: center;
+    cursor: text;
+}
+
+.mab-bootstrap-taginput.form-control {
+    line-height: normal;
+    height: auto;
+    padding-top: 0;
+}
+
+.mab-bootstrap-taginput-tag {
+    color: #fff;
+    background-color: #007bff;
+    display: inline-flex;
+    align-items: center;
+    padding: .15em .4em;
+    font-size: 90%;
+    font-weight: 700;
+    white-space: nowrap;
+    border-radius: .25rem;
+    margin-top: .365rem;
+    margin-right: 5px;
+    transition: background-color 1600ms ease-in;
+}
+
+.mab-bootstrap-taginput-tag.no-margin {
+    margin-top: 0;
+}
+
+.mab-bootstrap-taginput-tag .bi {
+    margin-left: 5px;
+    font-size: 80%;
+    cursor: pointer;
+    display: flex;
+}
+
+.mab-bootstrap-taginput-tag-warning {
+    background-color: #cc0000;
+    transition: none;
+}
+
+.mab-bootstrap-taginput-input {
+    border: solid 1px transparent;
+    outline: none;
+    width: 100px;
+    text-transform: lowercase;
+    padding: 0;
+    margin-top: .375rem;
+}
+
+.mab-bootstrap-taginput-input::placeholder {
+    text-transform: none;
+}
+
+.mab-bootstrap-taginput-input.mab-bootstrap-taginput-input-multicase {
+    text-transform: none;
+}
+
+.mab-bootstrap-taginput-input.mab-bootstrap-taginput-input-narrowed {
+    width: 1px;
+}
+
+.mab-bootstrap-taginput-input-container {
+    position: relative;
+}
+
+.mab-bootstrap-taginput-suggestions {
+    position: absolute;
+    top: 30px;
+    left: 0;
+    min-width: 200px;
+    min-height: 30px;
+    background-color: #fff;
+    border: solid 1px #e0e0e0;
+    border-radius: 3px;
+    padding: 3px 0;
+    box-shadow: 0px 0px 5px 0px rgba(0,0,0,0.25);
+    z-index: 10000;
+}
+
+.mab-bootstrap-taginput-suggestions-hidden {
+    display: none;
+}
+
+.mab-bootstrap-taginput-suggestion {
+    padding: 5px 10px;
+    cursor: pointer;
+}
+
+.mab-bootstrap-taginput-suggestion-selected,
+.mab-bootstrap-taginput-suggestion:hover {
+    background-color: #007bff;
+    color: #fff;
+}
+
+/* END MAB.Bootstrap.TagInput */
diff --git a/Vault/wwwroot/js/src/Index.ts b/Vault/wwwroot/js/src/Index.ts
index 2ea832c2..511888e8 100644
--- a/Vault/wwwroot/js/src/Index.ts
+++ b/Vault/wwwroot/js/src/Index.ts
@@ -1,5 +1,6 @@
 import * as Handlebars from 'handlebars';
 import { dom, DOM, DOMEvent } from 'mab-dom';
+import { TagInput } from 'mab-bootstrap-taginput';
 import { Modal } from 'bootstrap';
 import Clipboard from 'clipboard';
 import {
@@ -20,6 +21,8 @@ import {
 import {
     ICredential,
     ISecurityKeyDetails,
+    ITag,
+    ITagIndex,
     PasswordSpecification,
     Repository
 } from './types/all';
@@ -49,6 +52,7 @@ interface IVaultUIElements {
     clearSearchButton: DOM;
     searchInput: DOM;
     spinner: DOM;
+    tagsInput: TagInput<ITag>;
 }
 
 interface IVaultUITemplates {
@@ -108,7 +112,8 @@ const ui: IVaultUIElements = {
     adminButton: dom('#admin'),
     clearSearchButton: dom('#clear-search'),
     searchInput: dom('#search'),
-    spinner: dom('#spinner')
+    spinner: dom('#spinner'),
+    tagsInput: null
 };
 
 const templates: IVaultUITemplates = {
@@ -143,6 +148,8 @@ Handlebars.registerHelper('truncate', (text: string, size: number) => {
 
 let currentSession: any = null;
 
+let tagIndex: ITagIndex = null;
+
 // Pure functions
 
 export function isChecked(el: DOM) {
@@ -220,9 +227,17 @@ function setSession() {
     currentSession = setTimeout(reloadApp, sessionTimeoutMs);
 }
 
-function search(query: string, credentials: ICredential[]) {
+function getTagIdListFromInput() {
+    const value = ui.tagsInput.getValue();
+
+    return value
+        ? value.split('|') as string[]
+        : [];
+}
+
+function search(query: string, tags: string[], credentials: ICredential[]) {
     const parsedQuery = parseSearchQuery(query);
-    const results = searchCredentials(parsedQuery, isWeakPassword, credentials);
+    const results = searchCredentials(parsedQuery, tagIndex, tags, isWeakPassword, credentials);
     return sortCredentials(results);
 }
 
@@ -253,7 +268,7 @@ function confirmDelete(id: string) {
                 return await repository.loadCredentialSummaryList();
             });
 
-            const results = search(ui.searchInput.val() as string, updatedCredentials);
+            const results = search(ui.searchInput.val(), getTagIdListFromInput(), updatedCredentials);
             updateCredentialListUI(ui.container, results);
 
             ui.modal.hide();
@@ -274,6 +289,16 @@ async function editCredential(credentialId: string) {
         }
     });
 
+    const tagInput = new TagInput<ITag>({
+        input: ui.modalContent.find('#Tags').get(0),
+        data: tagIndex.tags || [],
+        maxNumberOfSuggestions: 5,
+        getId: (item) => item.TagID,
+        getLabel: (item) => item.Label,
+        allowNewTags: false,
+        itemTemplate: '<div class="{{globalCssClassPrefix}}-tag" data-id="{{id}}" data-label="{{label}}">{{label}} <i class="{{globalCssClassPrefix}}-removetag bi bi-x"></i></div>'
+    });
+
     ui.modalContent.find('#Description').focus();
 
     showPasswordStrength(ui.modalContent.find('#Password'));
@@ -332,6 +357,10 @@ async function showDetail(credentialId: string) {
         '</table>'
     ];
 
+    const tagDisplay = credential.TagDisplay
+        ? credential.TagDisplay.split('|').map(t => ({ Label: t }))
+        : [];
+
     const detailHtml = templates.detail({
         Url: credential.Url,
         UrlHtml: urlHtml,
@@ -342,7 +371,8 @@ async function showDetail(credentialId: string) {
         UserDefined1Label: credential.UserDefined1Label,
         UserDefined2: credential.UserDefined2,
         UserDefined2Label: credential.UserDefined2Label,
-        Notes: credential.Notes
+        Notes: credential.Notes,
+        TagDisplay: tagDisplay
     });
 
     showModal({
@@ -458,6 +488,15 @@ ui.newButton.on('click', e => {
             (dom('#credential-form').get() as HTMLFormElement).requestSubmit();
         }
     });
+    const tagInput = new TagInput<ITag>({
+        input: ui.modalContent.find('#Tags').get(0),
+        data: tagIndex.tags || [],
+        maxNumberOfSuggestions: 5,
+        getId: (item) => item.TagID,
+        getLabel: (item) => item.Label,
+        allowNewTags: false,
+        itemTemplate: '<div class="{{globalCssClassPrefix}}-tag" data-id="{{id}}" data-label="{{label}}">{{label}} <i class="{{globalCssClassPrefix}}-removetag bi bi-x"></i></div>'
+    });
     ui.modalContent.find('#Description').focus();
     showPasswordStrength(ui.modalContent.find('#Password'));
     updatePasswordSpecificationOptionUI(ui.modalContent, defaultPasswordSpecification);
@@ -470,14 +509,16 @@ ui.adminButton.on('click', e => {
 
 ui.clearSearchButton.on('click', async e => {
     e.preventDefault();
-    updateCredentialListUI(ui.container, []);
-    ui.searchInput.val('')
+    ui.searchInput.val('');
+    const credentials = await withLoadSpinner(async () => await repository.loadCredentialSummaryList());
+    const results = search(ui.searchInput.val(), getTagIdListFromInput(), credentials);
+    updateCredentialListUI(ui.container, results);
     ui.searchInput.focus();
 });
 
 ui.searchInput.on('keyup', rateLimit(async e => {
     const credentials = await withLoadSpinner(async () => await repository.loadCredentialSummaryList());
-    const results = search(ui.searchInput.val(), credentials);
+    const results = search(ui.searchInput.val(), getTagIdListFromInput(), credentials);
     updateCredentialListUI(ui.container, results);
 }, 200));
 
@@ -499,6 +540,23 @@ ui.loginForm.on('submit', async e => {
         const loginResult = await repository.login(username, password);
 
         if (loginResult.Success) {
+            tagIndex = await repository.loadTagIndex();
+
+            ui.tagsInput = new TagInput<ITag>({
+                input: document.getElementById('tags'),
+                data: tagIndex.tags || [],
+                maxNumberOfSuggestions: 5,
+                getId: (item) => item.TagID,
+                getLabel: (item) => item.Label,
+                allowNewTags: false,
+                itemTemplate: '<div class="{{globalCssClassPrefix}}-tag" data-id="{{id}}" data-label="{{label}}">{{label}} <i class="{{globalCssClassPrefix}}-removetag bi bi-x"></i></div>',
+                onTagsChanged: async (instance, added, removed, selected) => {
+                    const credentials = await repository.loadCredentialSummaryList();
+                    const results = search(ui.searchInput.val(), getTagIdListFromInput(), credentials);
+                    updateCredentialListUI(ui.container, results);
+                }
+            });
+
             ui.loginForm.get().classList.add('d-none');
             ui.loginFormModal.hide();
             ui.controls.get().classList.remove('d-none');
@@ -543,9 +601,11 @@ ui.body.onchild('#credential-form', 'submit', async e => {
             await repository.updateCredential(credential);
         }
 
+        tagIndex = await repository.loadTagIndex();
+
         const updatedCredentials = await repository.loadCredentialSummaryList();
 
-        return search(ui.searchInput.val() as string, updatedCredentials);
+        return search(ui.searchInput.val(), getTagIdListFromInput(), updatedCredentials);
     });
 
     ui.modal.hide();
diff --git a/Vault/wwwroot/js/src/__tests__/vault.test.ts b/Vault/wwwroot/js/src/__tests__/vault.test.ts
index beba7da7..4226df5b 100644
--- a/Vault/wwwroot/js/src/__tests__/vault.test.ts
+++ b/Vault/wwwroot/js/src/__tests__/vault.test.ts
@@ -7,7 +7,7 @@ import {
     searchCredentials,
     sortCredentials
 } from '../modules/all';
-import { ICredential, PasswordSpecification } from '../types/all';
+import { ICredential, ITag, ITagIndex, PasswordSpecification } from '../types/all';
 import { FakeRepository } from '../types/FakeRepository';
 
 const testCredentialPlainText: ICredential = {
@@ -22,13 +22,18 @@ const testCredentialPlainText: ICredential = {
     UserDefined2Label: 'Custom 2',
     UserDefined2: 'CUSTOM2',
     Notes: 'Test Notes:\n\nThese are test notes.',
-    PwdOptions: '16|1|1|1|1'
+    PwdOptions: '16|1|1|1|1',
+    Tags: 'a|b|c'
 };
 
 function getTestCredentials(): ICredential[] {
     return new FakeRepository().credentials;
 }
 
+async function getTestTagIndex() {
+    return await new FakeRepository().loadTagIndex();
+}
+
 const nw = (password: string) => false;
 
 describe('Vault', () => {
@@ -67,14 +72,15 @@ describe('Vault', () => {
         expect(parsed.text).toBe('all');
     });
 
-    test('searchCredentials bad queries', () => {
+    test('searchCredentials bad queries', async () => {
         const testCredentials = getTestCredentials();
+        const testTagIndex = await getTestTagIndex();
 
-        const noresults1 = searchCredentials(null, nw, testCredentials);
-        const noresults2 = searchCredentials({ property: null, text: 'ABC' }, nw, testCredentials);
-        const noresults3 = searchCredentials({ property: 'Description', text: null }, nw, testCredentials);
-        const noresults4 = searchCredentials({ property: 'Description', text: 'Z' }, nw, testCredentials);
-        const noresults5 = searchCredentials({ property: 'FILTER', text: 'ABC' }, nw, testCredentials);
+        const noresults1 = searchCredentials(null, testTagIndex, [], nw, testCredentials);
+        const noresults2 = searchCredentials({ property: null, text: 'ABC' }, testTagIndex, [], nw, testCredentials);
+        const noresults3 = searchCredentials({ property: 'Description', text: null }, testTagIndex, [], nw, testCredentials);
+        const noresults4 = searchCredentials({ property: 'Description', text: 'Z' }, testTagIndex, [], nw, testCredentials);
+        const noresults5 = searchCredentials({ property: 'FILTER', text: 'ABC' }, testTagIndex, [], nw, testCredentials);
 
         expect(noresults1.length).toBe(0);
         expect(noresults2.length).toBe(0);
@@ -83,40 +89,45 @@ describe('Vault', () => {
         expect(noresults5.length).toBe(0);
     });
 
-    test('searchCredentials standard query', () => {
+    test('searchCredentials standard query', async () => {
         const testCredentials = getTestCredentials();
-        const results = searchCredentials({ property: 'Description', text: 'do' }, nw, testCredentials);
+        const testTagIndex = await getTestTagIndex();
+        const results = searchCredentials({ property: 'Description', text: 'do' }, testTagIndex, [], nw, testCredentials);
         expect(results.length).toBe(2);
         expect(results[0].Description).toBe('Dog');
         expect(results[1].Description).toBe('Dogfish');
     });
 
-    test('searchCredentials username query', () => {
+    test('searchCredentials username query', async () => {
         const testCredentials = getTestCredentials();
-        const results = searchCredentials({ property: 'Username', text: 'dog' }, nw, testCredentials);
+        const testTagIndex = await getTestTagIndex();
+        const results = searchCredentials({ property: 'Username', text: 'dog' }, testTagIndex, [], nw, testCredentials);
         expect(results.length).toBe(2);
         expect(results[0].Description).toBe('Dog');
         expect(results[1].Description).toBe('Dogfish');
     });
 
-    test('searchCredentials password query', () => {
+    test('searchCredentials password query', async () => {
         const testCredentials = getTestCredentials();
-        const results = searchCredentials({ property: 'Password', text: 'cat' }, nw, testCredentials);
+        const testTagIndex = await getTestTagIndex();
+        const results = searchCredentials({ property: 'Password', text: 'cat' }, testTagIndex, [], nw, testCredentials);
         expect(results.length).toBe(2);
         expect(results[0].Description).toBe('Cat');
         expect(results[1].Description).toBe('Catfish');
     });
 
-    test('searchCredentials all query', () => {
+    test('searchCredentials all query', async () => {
         const testCredentials = getTestCredentials();
-        const results = searchCredentials({ property: 'FILTER', text: 'all' }, nw, testCredentials);
+        const testTagIndex = await getTestTagIndex();
+        const results = searchCredentials({ property: 'FILTER', text: 'all' }, testTagIndex, [], nw, testCredentials);
         expect(results.length).toBe(6);
         expect(results[0].Description).toBe('Cat');
         expect(results[5].Description).toBe('Owl');
     });
 
-    test('searchCredentials weak password query', () => {
+    test('searchCredentials weak password query', async () => {
         const testCredentials = getTestCredentials();
+        const testTagIndex = await getTestTagIndex();
         testCredentials.push({
             CredentialID: 'TEST',
             UserID: 'user1',
@@ -124,12 +135,23 @@ describe('Vault', () => {
             Password: null
         });
         const isWeakPwd = (password: string) => !password || password.length < 7;
-        const results = searchCredentials({ property: 'FILTER', text: 'weak' }, isWeakPwd, testCredentials);
+        const results = searchCredentials({ property: 'FILTER', text: 'weak' }, testTagIndex, [], isWeakPwd, testCredentials);
         expect(results.length).toBe(2);
         expect(results[0].Description).toBe('Cat');
         expect(results[1].Description).toBe('Dog');
     });
 
+    test('searchCredentials tag query', async () => {
+        const testCredentials = getTestCredentials();
+        const testTagIndex = await getTestTagIndex();
+        const results = searchCredentials({ property: 'Description', text: '' }, testTagIndex, ['cat', 'fish'], nw, testCredentials);
+        expect(results.length).toBe(4);
+        expect(results[0].Description).toBe('Cat');
+        expect(results[1].Description).toBe('Fish');
+        expect(results[2].Description).toBe('Catfish');
+        expect(results[3].Description).toBe('Dogfish');
+    });
+
     test('mapToSummary', () => {
         const summary = mapToSummary(testCredentialPlainText, c => true);
         expect(summary.credentialid).toBe('361fe91a-3dca-4871-b69e-c41c31507c8c');
diff --git a/Vault/wwwroot/js/src/modules/Vault.ts b/Vault/wwwroot/js/src/modules/Vault.ts
index f8a8e77d..617cd08d 100644
--- a/Vault/wwwroot/js/src/modules/Vault.ts
+++ b/Vault/wwwroot/js/src/modules/Vault.ts
@@ -4,6 +4,7 @@
     ICredentialSummary,
     ICredentialValidationError,
     IDictionary,
+    ITagIndex,
     PasswordSpecification
 } from '../types/all';
 import { trim } from './Common';
@@ -47,23 +48,36 @@ export function parseSearchQuery(queryText: string) {
     return parsedQuery;
 }
 
-export function searchCredentials(query: ICredentialSearchQuery, isWeakPassword: (password: string) => boolean, list: ICredential[]) {
-    if (!query || !query.property || !query.text) {
+export function searchCredentials(query: ICredentialSearchQuery, tagIndex: ITagIndex, tags: string[], isWeakPassword: (password: string) => boolean, list: ICredential[]) {
+    const emptyQuery = !query || !query.property || !query.text;
+
+    if (!tags.length && emptyQuery) {
         return [];
     }
 
+    let tagged = list;
+
+    if (tags.length) {
+        const matches = tags.map(t => tagIndex.index.get(t)).flat();
+        tagged = list.filter(c => matches.includes(c.CredentialID));
+    }
+
+    if (emptyQuery) {
+        return tagged;
+    }
+
     if (query.property === 'FILTER') {
         switch (query.text) {
             case 'all':
-                return list;
+                return tagged;
             case 'weak':
-                return list.filter(c => c.Password && isWeakPassword(c.Password));
+                return tagged.filter(c => c.Password && isWeakPassword(c.Password));
             default:
                 return [];
         }
     }
 
-    return list.filter(item => item[query.property].toLowerCase().indexOf(query.text) > -1);
+    return tagged.filter(item => item[query.property].toLowerCase().indexOf(query.text) > -1);
 }
 
 export function mapToSummary(credential: ICredential, isWeakPassword: (password: string) => boolean) {
diff --git a/Vault/wwwroot/js/src/types/FakeRepository.ts b/Vault/wwwroot/js/src/types/FakeRepository.ts
index de8e6538..f0949a68 100644
--- a/Vault/wwwroot/js/src/types/FakeRepository.ts
+++ b/Vault/wwwroot/js/src/types/FakeRepository.ts
@@ -1,4 +1,4 @@
-import { ICredential, IRepository } from './all';
+import { ICredential, IRepository, ITag, ITagIndex } from './all';
 
 export class FakeRepository implements IRepository {
     public credentials: ICredential[];
@@ -16,7 +16,8 @@ export class FakeRepository implements IRepository {
             UserDefined2Label: 'Cat UD 1',
             UserDefined2: 'catud1',
             Notes: 'Cat notes',
-            PwdOptions: '12|1|1|1|1'
+            PwdOptions: '12|1|1|1|1',
+            Tags: 'cat'
         }, {
             CredentialID: 'cr2',
             UserID: 'user1',
@@ -29,7 +30,8 @@ export class FakeRepository implements IRepository {
             UserDefined2Label: 'Dog UD 1',
             UserDefined2: 'dogud1',
             Notes: 'Dog notes',
-            PwdOptions: '12|1|1|1|1'
+            PwdOptions: '12|1|1|1|1',
+            Tags: 'dog'
         }, {
             CredentialID: 'cr3',
             UserID: 'user1',
@@ -42,7 +44,8 @@ export class FakeRepository implements IRepository {
             UserDefined2Label: 'Fish UD 1',
             UserDefined2: 'fishud1',
             Notes: 'Fish notes',
-            PwdOptions: '12|1|1|1|1'
+            PwdOptions: '12|1|1|1|1',
+            Tags: 'fish'
         }, {
             CredentialID: 'cr4',
             UserID: 'user1',
@@ -55,7 +58,8 @@ export class FakeRepository implements IRepository {
             UserDefined2Label: 'Catfish UD 1',
             UserDefined2: 'catfishud1',
             Notes: 'Catfish notes',
-            PwdOptions: '12|1|1|1|1'
+            PwdOptions: '12|1|1|1|1',
+            Tags: 'cat|fish'
         }, {
             CredentialID: 'cr5',
             UserID: 'user1',
@@ -68,7 +72,8 @@ export class FakeRepository implements IRepository {
             UserDefined2Label: 'Dogfish UD 1',
             UserDefined2: 'dogfishud1',
             Notes: 'Dogfish notes',
-            PwdOptions: '12|1|1|1|1'
+            PwdOptions: '12|1|1|1|1',
+            Tags: 'dog|fish'
         }, {
             CredentialID: 'cr6',
             UserID: 'user1',
@@ -81,7 +86,8 @@ export class FakeRepository implements IRepository {
             UserDefined2Label: 'Owl UD 1',
             UserDefined2: 'owlud1',
             Notes: 'Owl notes',
-            PwdOptions: '12|1|1|1|1'
+            PwdOptions: '12|1|1|1|1',
+            Tags: ''
         }];
     }
 
@@ -89,6 +95,25 @@ export class FakeRepository implements IRepository {
         return { UserID: 'user1', Success: true };
     }
 
+    public async loadTagIndex() {
+        const map = new Map();
+
+        map.set('cat', ['cr1', 'cr4']);
+        map.set('dog', ['cr2', 'cr5']);
+        map.set('fish', ['cr3', 'cr4', 'cr5']);
+
+        const testTagIndex: ITagIndex = {
+            tags: [
+                { TagID: 'cat', Label: 'Cat' },
+                { TagID: 'dog', Label: 'Dog' },
+                { TagID: 'fish', Label: 'Fish' }
+            ],
+            index: map
+        };
+
+        return new Promise<ITagIndex>(resolve => resolve(testTagIndex));
+    }
+
     public async loadCredential(credentialId: string) {
         return this.credentials.filter(c => c.CredentialID === credentialId)[0];
     }
diff --git a/Vault/wwwroot/js/src/types/ICredential.ts b/Vault/wwwroot/js/src/types/ICredential.ts
index 3822ea73..05cd3497 100644
--- a/Vault/wwwroot/js/src/types/ICredential.ts
+++ b/Vault/wwwroot/js/src/types/ICredential.ts
@@ -11,5 +11,7 @@
     UserDefined2?: string;
     Notes?: string;
     PwdOptions?: string;
+    Tags?: string;
+    TagDisplay?: string;
     [propertyName: string]: string;
 }
diff --git a/Vault/wwwroot/js/src/types/IRepository.ts b/Vault/wwwroot/js/src/types/IRepository.ts
index 031dce2a..2ac645e0 100644
--- a/Vault/wwwroot/js/src/types/IRepository.ts
+++ b/Vault/wwwroot/js/src/types/IRepository.ts
@@ -1,8 +1,10 @@
-import { ICredential, ILoginResult } from './all';
+import { ICredential, ILoginResult, ITagIndex } from './all';
 
 export interface IRepository {
     login(hashedUsername: string, hashedPassword: string): Promise<ILoginResult>;
 
+    loadTagIndex(): Promise<ITagIndex>;
+
     loadCredential(credentialId: string): Promise<ICredential>;
     loadCredentialSummaryList(): Promise<ICredential[]>;
     loadCredentials(): Promise<ICredential[]>;
diff --git a/Vault/wwwroot/js/src/types/ITag.ts b/Vault/wwwroot/js/src/types/ITag.ts
new file mode 100644
index 00000000..1bae3e45
--- /dev/null
+++ b/Vault/wwwroot/js/src/types/ITag.ts
@@ -0,0 +1,4 @@
+export interface ITag {
+    TagID: string;
+    Label: string;
+}
diff --git a/Vault/wwwroot/js/src/types/ITagIndex.ts b/Vault/wwwroot/js/src/types/ITagIndex.ts
new file mode 100644
index 00000000..5aa49187
--- /dev/null
+++ b/Vault/wwwroot/js/src/types/ITagIndex.ts
@@ -0,0 +1,6 @@
+import { ITag } from './all';
+
+export interface ITagIndex {
+    tags: ITag[];
+    index: Map<string, string>;
+}
diff --git a/Vault/wwwroot/js/src/types/Repository.ts b/Vault/wwwroot/js/src/types/Repository.ts
index 42325239..f0ef2cf4 100644
--- a/Vault/wwwroot/js/src/types/Repository.ts
+++ b/Vault/wwwroot/js/src/types/Repository.ts
@@ -7,10 +7,10 @@
     hash,
     hex
 } from '../modules/all';
-import { ICredential, ILoginResult, IRepository, ISecurityKeyDetails } from '../types/all';
+import { ICredential, ILoginResult, IRepository, ISecurityKeyDetails, ITag, ITagIndex } from '../types/all';
 
 export class Repository implements IRepository {
-    private readonly encryptionExcludes = ['CredentialID', 'UserID'];
+    private readonly encryptionExcludes = ['CredentialID', 'UserID', 'Tags', 'TagArray', 'TagDisplay'];
 
     private userID: string;
     private password: string;
@@ -53,6 +53,28 @@ export class Repository implements IRepository {
         return loginResult;
     }
 
+    public async loadTagIndex() {
+        interface Temp {
+            tags: ITag[];
+            index: { [key: string]: string[] };
+        }
+
+        const data = await this.get<Temp>('Credentials/ReadTagIndex', { userId: this.userID });
+
+        const map = new Map();
+
+        for (const k in data.index) {
+            map.set(k, data.index[k]);
+        }
+
+        const index: ITagIndex = {
+            tags: data.tags,
+            index: map
+        };
+
+        return new Promise<ITagIndex>(resolve => resolve(index));
+    }
+
     public async loadCredential(credentialId: string) {
         const encryptedCredential = await this.get<ICredential>('Credentials/Read', { id: credentialId });
         return await decryptCredential(encryptedCredential, this.masterKey, this.encryptionExcludes);
diff --git a/Vault/wwwroot/js/src/types/all.ts b/Vault/wwwroot/js/src/types/all.ts
index 2d6fb5c5..af22b3be 100644
--- a/Vault/wwwroot/js/src/types/all.ts
+++ b/Vault/wwwroot/js/src/types/all.ts
@@ -6,5 +6,7 @@ export { IDictionary } from './IDictionary';
 export { ILoginResult } from './ILoginResult';
 export { IRepository } from './IRepository';
 export { ISecurityKeyDetails } from './ISecurityKeyDetails';
+export { ITag } from './ITag';
+export { ITagIndex } from './ITagIndex';
 export { PasswordSpecification } from './PasswordSpecification';
 export { Repository } from './Repository';
diff --git a/db/db.code-workspace b/db/db.code-workspace
new file mode 100644
index 00000000..876a1499
--- /dev/null
+++ b/db/db.code-workspace
@@ -0,0 +1,8 @@
+{
+	"folders": [
+		{
+			"path": "."
+		}
+	],
+	"settings": {}
+}
\ No newline at end of file
diff --git a/db/releases/003 Credential Tagging Implementation.sql b/db/releases/003 Credential Tagging Implementation.sql
new file mode 100644
index 00000000..f4b802a7
--- /dev/null
+++ b/db/releases/003 Credential Tagging Implementation.sql	
@@ -0,0 +1,25 @@
+ALTER TABLE Credentials ADD CONSTRAINT FK_tCredential_tUser FOREIGN KEY (UserID) REFERENCES Users (UserID)
+GO
+
+CREATE TABLE Tags (
+    TagID NVARCHAR(36) NOT NULL,
+    UserID NVARCHAR(36) NOT NULL,
+    Label NVARCHAR(64) NOT NULL,
+    CONSTRAINT PK_tTag PRIMARY KEY CLUSTERED (
+        TagID ASC
+    ),
+    CONSTRAINT FK_tTag_tUser FOREIGN KEY (UserID) REFERENCES Users (UserID)
+)
+GO
+
+CREATE TABLE Tags_Credentials (
+    TagID NVARCHAR(36) NOT NULL,
+    CredentialID NVARCHAR(36) NOT NULL,
+    CONSTRAINT PK_tTag_Credential PRIMARY KEY CLUSTERED (
+        TagID ASC,
+        CredentialID ASC
+    ),
+    CONSTRAINT FK_tTag_Credential_tTag FOREIGN KEY (TagID) REFERENCES Tags (TagID),
+    CONSTRAINT FK_tTag_Credential_tCredential FOREIGN KEY (CredentialID) REFERENCES Credentials (CredentialID)
+)
+GO
diff --git a/db/releases/sqlite/003 User Constraints.sql b/db/releases/sqlite/003 User Constraints.sql
new file mode 100644
index 00000000..4763e7bd
--- /dev/null
+++ b/db/releases/sqlite/003 User Constraints.sql	
@@ -0,0 +1,25 @@
+BEGIN;
+
+CREATE TABLE IF NOT EXISTS Credentials_FK (
+    "CredentialID" NVARCHAR(36) PRIMARY KEY NOT NULL,
+    "UserID" NVARCHAR(36) NOT NULL,
+    "Description" NVARCHAR NULL,
+    "Url" NVARCHAR NULL,
+    "Username" NVARCHAR NULL,
+    "Password" NVARCHAR NULL,
+    "Notes" NVARCHAR NULL,
+    "UserDefined1" NVARCHAR NULL,
+    "UserDefined1Label" NVARCHAR NULL,
+    "UserDefined2" NVARCHAR NULL,
+    "UserDefined2Label" NVARCHAR NULL,
+    "PwdOptions" NVARCHAR NULL,
+    FOREIGN KEY ("UserID") REFERENCES Users ("UserID")
+);
+
+INSERT INTO Credentials_FK SELECT * FROM Credentials;
+
+DROP TABLE Credentials;
+
+ALTER TABLE Credentials_FK RENAME TO Credentials;
+
+COMMIT;
diff --git a/db/releases/sqlite/004 Tags.sql b/db/releases/sqlite/004 Tags.sql
new file mode 100644
index 00000000..a719df9e
--- /dev/null
+++ b/db/releases/sqlite/004 Tags.sql	
@@ -0,0 +1,18 @@
+BEGIN;
+
+CREATE TABLE IF NOT EXISTS Tags (
+    "TagID" NVARCHAR(36) PRIMARY KEY NOT NULL,
+    "UserID" NVARCHAR(36) NOT NULL,
+    "Label" NVARCHAR(64) NOT NULL,
+    FOREIGN KEY ("UserID") REFERENCES Users ("UserID")
+);
+
+CREATE TABLE IF NOT EXISTS Tags_Credentials (
+    "TagID" NVARCHAR(36) NOT NULL,
+    "CredentialID" NVARCHAR(36) NOT NULL,
+    PRIMARY KEY ("TagID", "CredentialID"),
+    FOREIGN KEY ("TagID") REFERENCES Tags ("TagID"),
+    FOREIGN KEY ("CredentialID") REFERENCES Credentials ("CredentialID")
+);
+
+COMMIT;
diff --git a/db/sql_server_schema.sql b/db/sql_server_schema.sql
index 06eb9b5c..838b2bfc 100644
--- a/db/sql_server_schema.sql
+++ b/db/sql_server_schema.sql
@@ -1,15 +1,16 @@
-USE master
-GO
-
-IF NOT EXISTS (SELECT * FROM sys.databases WHERE name = 'Vault')
+IF NOT EXISTS (SELECT * FROM sys.objects WHERE object_id = OBJECT_ID(N'Users') AND type in (N'U'))
 BEGIN
-    CREATE DATABASE Vault
+    CREATE TABLE Users (
+        UserID NVARCHAR(36) NOT NULL,
+        Username NVARCHAR(max) NOT NULL,
+        Password NVARCHAR(max) NOT NULL,
+        CONSTRAINT PK_tUser PRIMARY KEY CLUSTERED (
+            UserID ASC
+        )
+    )
 END
 GO
 
-USE Vault
-GO
-
 IF NOT EXISTS (SELECT * FROM sys.objects WHERE object_id = OBJECT_ID(N'Credentials') AND type in (N'U'))
 BEGIN
     CREATE TABLE Credentials (
@@ -27,21 +28,38 @@ BEGIN
         PwdOptions NVARCHAR(max) NULL,
         CONSTRAINT PK_tCredential PRIMARY KEY CLUSTERED (
             CredentialID ASC
-        )
+        ),
+        CONSTRAINT FK_tCredential_tUser FOREIGN KEY (UserID) REFERENCES Users (UserID)
     )
 END
 GO
 
-IF NOT EXISTS (SELECT * FROM sys.objects WHERE object_id = OBJECT_ID(N'Users') AND type in (N'U'))
+
+IF NOT EXISTS (SELECT * FROM sys.objects WHERE object_id = OBJECT_ID(N'Tags') AND type in (N'U'))
 BEGIN
-    CREATE TABLE Users (
+    CREATE TABLE Tags (
+        TagID NVARCHAR(36) NOT NULL,
         UserID NVARCHAR(36) NOT NULL,
-        Username NVARCHAR(max) NOT NULL,
-        Password NVARCHAR(max) NOT NULL,
-        CONSTRAINT PK_tUser PRIMARY KEY CLUSTERED (
-            UserID ASC
-        )
+        Label NVARCHAR(64) NOT NULL,
+        CONSTRAINT PK_tTag PRIMARY KEY CLUSTERED (
+            TagID ASC
+        ),
+        CONSTRAINT FK_tTag_tUser FOREIGN KEY (UserID) REFERENCES Users (UserID)
     )
 END
 GO
 
+IF NOT EXISTS (SELECT * FROM sys.objects WHERE object_id = OBJECT_ID(N'Tags_Credentials') AND type in (N'U'))
+BEGIN
+    CREATE TABLE Tags_Credentials (
+        TagID NVARCHAR(36) NOT NULL,
+        CredentialID NVARCHAR(36) NOT NULL,
+        CONSTRAINT PK_tTag_Credential PRIMARY KEY CLUSTERED (
+            TagID ASC,
+            CredentialID ASC
+        ),
+        CONSTRAINT FK_tTag_Credential_tTag FOREIGN KEY (TagID) REFERENCES Tags (TagID),
+        CONSTRAINT FK_tTag_Credential_tCredential FOREIGN KEY (CredentialID) REFERENCES Credentials (CredentialID)
+    )
+END
+GO
diff --git a/db/sqlite_schema.sql b/db/sqlite_schema.sql
index 895ad9ba..f4bb8d51 100644
--- a/db/sqlite_schema.sql
+++ b/db/sqlite_schema.sql
@@ -1,3 +1,9 @@
+CREATE TABLE IF NOT EXISTS Users (
+    "UserID" NVARCHAR(36) PRIMARY KEY NOT NULL,
+    "Username" NVARCHAR NOT NULL,
+    "Password" NVARCHAR NOT NULL
+);
+
 CREATE TABLE IF NOT EXISTS Credentials (
     "CredentialID" NVARCHAR(36) PRIMARY KEY NOT NULL,
     "UserID" NVARCHAR(36) NOT NULL,
@@ -10,12 +16,21 @@ CREATE TABLE IF NOT EXISTS Credentials (
     "UserDefined1Label" NVARCHAR NULL,
     "UserDefined2" NVARCHAR NULL,
     "UserDefined2Label" NVARCHAR NULL,
-    "PwdOptions" NVARCHAR NULL
+    "PwdOptions" NVARCHAR NULL,
+    FOREIGN KEY ("UserID") REFERENCES Users ("UserID")
 );
 
-CREATE TABLE IF NOT EXISTS Users (
-    "UserID" NVARCHAR(36) PRIMARY KEY NOT NULL,
-    "Username" NVARCHAR NOT NULL,
-    "Password" NVARCHAR NOT NULL
+CREATE TABLE IF NOT EXISTS Tags (
+    "TagID" NVARCHAR(36) PRIMARY KEY NOT NULL,
+    "UserID" NVARCHAR(36) NOT NULL,
+    "Label" NVARCHAR(64) NOT NULL,
+    FOREIGN KEY ("UserID") REFERENCES Users ("UserID")
 );
 
+CREATE TABLE IF NOT EXISTS Tags_Credentials (
+    "TagID" NVARCHAR(36) NOT NULL,
+    "CredentialID" NVARCHAR(36) NOT NULL,
+    PRIMARY KEY ("TagID", "CredentialID"),
+    FOREIGN KEY ("TagID") REFERENCES Tags ("TagID"),
+    FOREIGN KEY ("CredentialID") REFERENCES Credentials ("CredentialID")
+);
diff --git a/tools/Tag Insert Generator.linq b/tools/Tag Insert Generator.linq
new file mode 100644
index 00000000..82bc0444
--- /dev/null
+++ b/tools/Tag Insert Generator.linq	
@@ -0,0 +1,22 @@
+<Query Kind="Program">
+  <RuntimeVersion>8.0</RuntimeVersion>
+</Query>
+
+void Main()
+{
+	var tags = new[] {
+		"tag1",
+		"tag2",
+	};
+	
+	var userID = "REPLACE-WITH-USER-GUID";
+	
+	var sql = $"""
+		INSERT INTO Tags 
+			(TagID, UserID, Label) 
+		VALUES 
+			{string.Join("," + Environment.NewLine, tags.Select(t => $"('{Guid.NewGuid()}', '{userID}', '{t}')"))}
+		""";
+	
+	sql.Dump();
+}