diff --git a/cmd/signer/main.go b/cmd/signer/main.go
index a11b6d61916e33776261c703e8bc5b41e1002e6a..d93f8675d181af5c26a0a356c8214e675bdffc4c 100644
--- a/cmd/signer/main.go
+++ b/cmd/signer/main.go
@@ -50,9 +50,9 @@ func main() {
 
 	httpClient := httpClient()
 
-	vault, err := vault.New(cfg.Vault.Addr, cfg.Vault.Token, httpClient)
+	vault, err := vault.New(cfg.Vault.Addr, cfg.Vault.Token, true, httpClient)
 	if err != nil {
-		logger.Fatal("cannot create vault client", zap.Error(err))
+		logger.Fatal("cannot initialize vault client", zap.Error(err))
 	}
 
 	// create services
diff --git a/go.mod b/go.mod
index 56aa155f8ac5fa448f63937f89a10fab57082140..0fe2cd0208b073ab70019b70b46be5be831e0bd9 100644
--- a/go.mod
+++ b/go.mod
@@ -3,7 +3,7 @@ module code.vereign.com/gaiax/tsa/signer
 go 1.17
 
 require (
-	code.vereign.com/gaiax/tsa/golib v0.0.0-20220603082703-12e9e3c06615
+	code.vereign.com/gaiax/tsa/golib v0.0.0-20220615064316-ca49265d8b0e
 	github.com/hashicorp/vault/api v1.0.4
 	github.com/hyperledger/aries-framework-go v0.1.8
 	github.com/kelseyhightower/envconfig v1.4.0
diff --git a/go.sum b/go.sum
index 35cdc92426c978863bff37e85ff79c11cd31f230..f98bc6a0ea0775687210eff1e0f6405758eb3678 100644
--- a/go.sum
+++ b/go.sum
@@ -32,6 +32,8 @@ cloud.google.com/go/storage v1.8.0/go.mod h1:Wv1Oy7z6Yz3DshWRJFhqM/UCfaWIRTdp0RX
 cloud.google.com/go/storage v1.10.0/go.mod h1:FLPqc6j+Ki4BU591ie1oL6qBQGu2Bl/tZ9ullr3+Kg0=
 code.vereign.com/gaiax/tsa/golib v0.0.0-20220603082703-12e9e3c06615 h1:EdWAZfrfEzWiIo0iMkCcs4bPTW7gItLLgJSU5I143vI=
 code.vereign.com/gaiax/tsa/golib v0.0.0-20220603082703-12e9e3c06615/go.mod h1:bDorhOdL8/uRy56rvdBLWiRiOKlDjC5tQvpS5eN6wzo=
+code.vereign.com/gaiax/tsa/golib v0.0.0-20220615064316-ca49265d8b0e h1:Tf+6cXb+hh/EsoNLyeGJ/T+hhJMn8Hdbo43cVkeAQZ4=
+code.vereign.com/gaiax/tsa/golib v0.0.0-20220615064316-ca49265d8b0e/go.mod h1:bDorhOdL8/uRy56rvdBLWiRiOKlDjC5tQvpS5eN6wzo=
 dmitri.shuralyov.com/gpu/mtl v0.0.0-20190408044501-666a987793e9/go.mod h1:H6x//7gZCb22OMCxBHrMx7a5I7Hp++hsVxbQ4BYO7hU=
 github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU=
 github.com/BurntSushi/xgb v0.0.0-20160522181843-27f122750802/go.mod h1:IVnqGOEym/WlBOVXweHU+Q+/VP0lqqI8lqeDx9IjBqo=
diff --git a/internal/clients/vault/client.go b/internal/clients/vault/client.go
index c5d8b46a69e03e9396c1e87c9a51a8c090142199..d5e199372cbb10d8a5091175a826c946c16b2e6b 100644
--- a/internal/clients/vault/client.go
+++ b/internal/clients/vault/client.go
@@ -24,7 +24,7 @@ type Client struct {
 }
 
 // New creates a Hashicorp Vault client.
-func New(addr string, token string, httpClient *http.Client) (*Client, error) {
+func New(addr string, token string, probe bool, httpClient *http.Client) (*Client, error) {
 	cfg := vaultpkg.DefaultConfig()
 	cfg.Address = addr
 	cfg.HttpClient = httpClient
@@ -35,6 +35,15 @@ func New(addr string, token string, httpClient *http.Client) (*Client, error) {
 
 	client.SetToken(token)
 
+	// If probe is set, the client will try to query the vault to check if
+	// it's unsealed and ready for operation. This is used mostly so unit tests
+	// can bypass the check as they don't work against a real Vault.
+	if probe {
+		if _, err = client.Sys().Capabilities(token, pathSign); err != nil {
+			return nil, err
+		}
+	}
+
 	return &Client{cfg: cfg, client: client}, nil
 }
 
diff --git a/internal/clients/vault/client_test.go b/internal/clients/vault/client_test.go
index a68d75407c0202f2b4b5be40188dd0e8984126b2..66258b01eaa6589094ecec26cf9b56358f5a8919 100644
--- a/internal/clients/vault/client_test.go
+++ b/internal/clients/vault/client_test.go
@@ -65,7 +65,7 @@ func TestClient_Key(t *testing.T) {
 	for _, test := range tests {
 		t.Run(test.name, func(t *testing.T) {
 			vaultsrv := httptest.NewServer(test.handler)
-			client, err := vault.New(vaultsrv.URL, "token", http.DefaultClient)
+			client, err := vault.New(vaultsrv.URL, "token", false, http.DefaultClient)
 			assert.NoError(t, err)
 
 			res, err := client.Key(test.key)
@@ -90,7 +90,7 @@ func TestClient_WithKey(t *testing.T) {
 		w.WriteHeader(http.StatusNotFound)
 	}))
 
-	c1, err := vault.New(vaultsrv.URL, "token", http.DefaultClient)
+	c1, err := vault.New(vaultsrv.URL, "token", false, http.DefaultClient)
 	assert.NoError(t, err)
 
 	c2 := c1.WithKey("mytest-key123")
@@ -147,7 +147,7 @@ func TestClient_Sign(t *testing.T) {
 	for _, test := range tests {
 		t.Run(test.name, func(t *testing.T) {
 			vaultsrv := httptest.NewServer(test.handler)
-			client, err := vault.New(vaultsrv.URL, "token", http.DefaultClient)
+			client, err := vault.New(vaultsrv.URL, "token", false, http.DefaultClient)
 			assert.NoError(t, err)
 
 			res, err := client.Sign(test.data)
diff --git a/vendor/code.vereign.com/gaiax/tsa/golib/errors/errors.go b/vendor/code.vereign.com/gaiax/tsa/golib/errors/errors.go
index 9bd1d17dd4269461f54ec5024a6a8ca0f0edb4ac..8c3afe9ce39b4e2cdc4b73b91862503df1b5df9e 100644
Binary files a/vendor/code.vereign.com/gaiax/tsa/golib/errors/errors.go and b/vendor/code.vereign.com/gaiax/tsa/golib/errors/errors.go differ
diff --git a/vendor/modules.txt b/vendor/modules.txt
index f2d535f0ab2c3d48dc3e1cf15f48c9750938e801..3aaa68b1ca7130528eaf00dba6c04724a3594316 100644
Binary files a/vendor/modules.txt and b/vendor/modules.txt differ