Each agent has an encrypted key-value vault for storing sensitive credentials such as card numbers, tokens, and passwords. You interact with the vault through three MCP tools: initialize_vault, save_secret_to_vault, and get_secret_from_vault.

Initialize

You must call initialize_vault before you can read from or write to an agent’s vault. Each agent can only be initialized once.

{
  "agentId": "agent-abc123",
  "intent": {
    "message": "Setting up vault for new agent",
    "subject": "VAULT",
    "action": "CREATE"
  }
}

Save a secret

Call save_secret_to_vault to write a key-value pair to the vault. The value is encrypted at rest.

{
  "agentId": "agent-abc123",
  "secretKey": "card_pan",
  "secretValue": "4111111111111111",
  "intent": {
    "message": "Storing card PAN after identity creation",
    "subject": "VAULT",
    "action": "CREATE"
  }
}

Use consistent, descriptive key names like card_pan, card_cvv, card_exp_month so your agent can reliably look up credentials.

Retrieve a secret

Call get_secret_from_vault with the key you previously saved. The tool returns {"secret": "..."}.

{
  "agentId": "agent-abc123",
  "secretKey": "card_pan",
  "intent": {
    "message": "Reading card PAN to make a purchase",
    "subject": "VAULT",
    "action": "READ"
  }
}

Every vault read and write is recorded as an intent log entry. The intent field you pass is stored alongside the operation, giving you a full audit trail of why each secret was accessed or modified.
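The audit trail is only as useful as the intent you send, and the secret itself should not leak into your own application logs on the way to or from the vault. The following is an added example, not code from the vault's documentation: it builds the arguments object for each of the three tools, refuses an empty intent message, and masks secretValue and the returned secret before logging. The helper names build_args and redact and the local validation rules are assumptions; the tool names, field names, and intent values are the ones shown in the examples above.

```python
import json

# Tool and field names are taken from the examples on this page. The intent
# actions mirror those examples; the local checks below are assumptions.
TOOLS = {
    "initialize_vault": ("CREATE", ()),
    "save_secret_to_vault": ("CREATE", ("secretKey", "secretValue")),
    "get_secret_from_vault": ("READ", ("secretKey",)),
}
SENSITIVE = {"secretValue", "secret"}  # request field and response field


def build_args(tool, agent_id, message, **fields):
    """Build the arguments object for one vault tool call."""
    if tool not in TOOLS:
        raise ValueError(f"unknown vault tool: {tool}")
    action, required = TOOLS[tool]
    if not agent_id:
        raise ValueError("agentId is required")
    if not message or not message.strip():
        # The message is what an auditor reads later, so refuse empty ones.
        raise ValueError("intent.message must say why the vault is accessed")
    if set(fields) != set(required):
        raise ValueError(f"{tool} takes exactly: {', '.join(required) or 'no extra fields'}")
    args = {"agentId": agent_id}
    args.update({name: fields[name] for name in required})
    args["intent"] = {"message": message.strip(), "subject": "VAULT", "action": action}
    return args


def redact(obj):
    """Return a copy that is safe to write to application logs."""
    if isinstance(obj, dict):
        return {k: "[REDACTED]" if k in SENSITIVE else redact(v) for k, v in obj.items()}
    if isinstance(obj, list):
        return [redact(v) for v in obj]
    return obj


if __name__ == "__main__":
    save = build_args("save_secret_to_vault", "agent-abc123",
                      "Storing card PAN after identity creation",
                      secretKey="card_pan", secretValue="4111111111111111")
    print(json.dumps(redact(save), indent=2))       # value masked in logs
    print(redact({"secret": "4111111111111111"}))   # response masked too
```

Pass the unredacted object to the MCP tool call and only the redact() copy to your logger.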