The basic concept is that the vault will hand out a secret to an app based on some other form of identification. Let’s say the app platform can assert that App A is allowed to use Secret S. then the vault will hand it out. This turns “something you are” into “something you have”
