The Security Layer for Autonomous Agents.

Give your agent scoped, auditable access to the tools it needs to work. Credentials, capability tokens, and session management — deployed on your own infrastructure.

Request
curl -X POST https://vault.yourdomain.com/api/capabilities \
  -H "X-API-Key: vault_live_4f2a9c7b3d8e1a..." \
  -H "Content-Type: application/json" \
  -d '{
    "credential": "hubspot_production",
    "scopes": ["contacts.read", "contacts.write"],
    "ttl_minutes": 30,
    "mode": "proxy"
  }'
Response 200 OK
{
  "success": true,
  "capability_id": "cap_7f2a9c8b3d4e1a5f",
  "token": "vc_live_xKj2...redacted",
  "mode": "proxy",
  "allowed_scopes": [
    "contacts.read",
    "contacts.write"
  ],
  "expires_at": "2026-04-19T18:15:00Z"
}
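
A client-side least-privilege check on the response above, as an added example (not Vault's own code). The function name `check_capability`, the 60-second skew allowance, and the assumption that `expires_at` is ISO 8601 UTC are illustrative; field names come from the request and response shown, and the sample data is constructed to mirror them.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample data mirroring the request/response shown above.
REQUEST = {
    "credential": "hubspot_production",
    "scopes": ["contacts.read", "contacts.write"],
    "ttl_minutes": 30,
    "mode": "proxy",
}
RESPONSE = {
    "success": True,
    "capability_id": "cap_7f2a9c8b3d4e1a5f",
    "token": "vc_live_PLACEHOLDER",  # placeholder, not a real token
    "mode": "proxy",
    "allowed_scopes": ["contacts.read", "contacts.write"],
    "expires_at": "2026-04-19T18:15:00Z",
}


def check_capability(request, response, requested_at, skew_seconds=60):
    """Return a list of least-privilege violations (empty list means OK).

    Hypothetical client-side check; not part of Vault.
    """
    if response.get("success") is not True:
        return ["capability was not issued"]
    problems = []
    # The grant must never be broader than what was asked for.
    extra = set(response.get("allowed_scopes", [])) - set(request["scopes"])
    if extra:
        problems.append("unrequested scopes granted: " + ", ".join(sorted(extra)))
    # A silent switch from proxy to vend would hand the agent a credential.
    if response.get("mode") != request["mode"]:
        problems.append(
            f"mode changed: asked {request['mode']}, got {response.get('mode')}"
        )
    # Assumption: expires_at is ISO 8601 in UTC with a trailing 'Z'.
    expires = datetime.strptime(
        response["expires_at"], "%Y-%m-%dT%H:%M:%SZ"
    ).replace(tzinfo=timezone.utc)
    latest = requested_at + timedelta(
        minutes=request["ttl_minutes"], seconds=skew_seconds
    )
    if expires > latest:
        problems.append("expiry exceeds requested ttl_minutes")
    if expires <= requested_at:
        problems.append("capability already expired")
    return problems
```

A grant narrower than the request passes; only a broader scope set, a different mode, or a longer lifetime is reported.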
Capabilities

Total control over agent agency.

Vault handles the full identity lifecycle — credential storage, capability issuance, session management, and audit logging — so your agent can focus on the work, not the login.

🔐

Hardened Storage

Encrypted store for OAuth tokens, API keys, passwords, session cookies, and SSH keys. Bring your own KMS or use a local keyring for dev. Rotation hooks built in.

🎟️

Time-bound Authority

Short-lived, scoped tokens issued per request. The agent never holds the raw credential — just a token that says what it can do and for how long.

🔀

Two redemption modes

Proxy mode keeps credentials inside Vault and makes calls on the agent's behalf. Vend mode hands the agent a short-lived scoped credential. Pick per credential, or let policy decide.

🌐

Session management

For systems without APIs. Vault logs in, keeps the session warm, and hands your agent a session handle for its browser tool. Re-authenticates transparently when sessions die.

📜

Forensic-level Auditing

Every credential access, every capability issued, every downstream call — logged, queryable, exportable. Pass a security review and debug your agent in the same place.

⚖️

Policy engine

Rules that govern what gets issued and how. Auto-approve low-risk reads, require human approval for production writes, restrict by time of day or scope.

🔒

Team-scoped isolation

Credentials, policies, and audit logs are per-team. One install, many agents or clients, full isolation. Same multi-tenancy model as Beacon.

🔁

OAuth flow orchestration

Bring your own OAuth apps — HubSpot, Google, Microsoft, Salesforce. Vault handles the flow, stores the tokens, refreshes transparently. You own the app and the relationship.

🧩

Extensible Architecture

Provider system for new integrations without touching core. First-party support for the common stack. Community providers for everything else.

Modes

Two modes. Pick the right one per credential.

Not every credential should be proxied. Not every credential should be vended. Vault supports both, with policy governing which is used when.

Default

Proxy mode

The agent calls Vault with a capability token. Vault makes the downstream call with the real credential and returns the result.

  • Credential never leaves Vault
  • Every call logged in-band
  • Ideal for OAuth, API keys, webhooks
Escape hatch

Vend mode

The agent calls Vault with a capability token. Vault returns a short-lived, scoped credential. The agent makes the downstream call directly.

  • For cases where proxy can't work
  • Still scoped, still revocable, still audited
  • Ideal for browser sessions, SSH, batch jobs

| Credential type | Default mode | Why |
| --- | --- | --- |
| OAuth tokens | Proxy | Short scope, high frequency |
| API keys | Proxy | Easy to proxy, easy to rotate |
| Browser sessions | Vend | Can't meaningfully proxy a session handle |
| SSH keys | Vend | Protocol-level, proxy doesn't help |
| Database credentials | Either | Proxy for app code, vend for migrations |

Agent integration

Native Intelligence. MCP Included

Enable your agents to self-serve. With built-in Model Context Protocol support, agents can discover their own boundaries, request higher-level access, and execute tasks without you writing a single line of integration code.

list_credentials

Discover what the agent can potentially access

request_capability

Ask for a scoped, time-boxed capability

redeem_capability

Proxy mode: make a call through Vault

get_credential

Vend mode: retrieve a scoped credential

get_session_handle

Retrieve an active browser session

revoke_capability

Cancel a capability early

query_audit_log

Inspect what the agent has done

list_allowed_scopes

Check what scopes a credential supports

request_human_approval

Escalate high-risk capability requests

check_policy

Preview whether a request would be approved

10 MCP tools, 4 resources, and 3 built-in prompts.

Setup

Running in minutes

Vault is a Laravel app you deploy on your own server. Bring your OAuth apps and you're live.

01

Claim your license

~1 min

After checkout, our license portal opens with a signed vault.license file plus ready-to-paste install commands for Docker or Composer.

02

Deploy to your infra

~2 min

Pull ghcr.io/xsavo/vault with the creds from your portal, or composer create-project xsavo/vault via our private registry. Drop vault.license into storage/app/. Nginx, PHP-FPM, Redis, and Horizon boot together.

docker pull ghcr.io/xsavo/vault:latest
docker run --env-file .env \
  -v ./storage:/var/www/html/storage \
  ghcr.io/xsavo/vault:latest

The Composer alternative and the credentials are in your license portal.

03

Connect a provider

~2 min

Visit /setup, pick a provider, paste your OAuth client ID and secret (or API key). Vault validates against the provider and stores the encrypted credential.

04

Activate your agent

~1 min

Generate an API key from the setup dashboard. Wire your agent to the REST API or connect the MCP server to Claude Code in one command.

claude mcp add vault https://your-vault.com/api/mcp \
  --transport http --scope user \
  --header "X-API-Key: vault_…"
Early access

Vault is in development.

Beacon users get priority access and a discount at launch. Join the waitlist to get early builds, shape the roadmap, and lock in launch pricing.

Pricing

One product, your terms

Run it yourself, let us run it, or get the source. Same Vault — different delivery model.

Coming soon

Self-Hosted

Deploy Vault on your own infrastructure. Bring your own providers.

Pricing at launch

Beacon users get a launch discount.

  • Full Vault + MCP server
  • Docker deployment
  • Credentials, capabilities, sessions, policies
  • Team-scoped multi-tenancy
  • Bring your own providers
  • Updates for 1 year

Managed SaaS

We host Vault and handle infrastructure, you configure policies and providers.

Usage-based

Pricing announced at launch.

  • Everything in Self-Hosted
  • Managed hosting
  • Dashboard & analytics
  • Usage metering & billing
  • Zero infrastructure setup

Repo Access

Full source code for white-label, custom builds, or internal compliance.

Custom terms

Premium license.

  • Everything in Self-Hosted
  • Full Laravel source code
  • White-label & Internal modification rights
  • Priority support
  • Custom licensing terms
Ship soon

Give your agent a passport, not your password.

Secure your spot in the agent-led economy. Join the waitlist for early access and priority deployment.