Skip to main content

Documentation Index

Fetch the complete documentation index at: https://agent-vault-roles-unified-instance-tier.mintlify.app/llms.txt

Use this file to discover all available pages before exploring further.

A Vault is a secure logical container for credentials with services that define how agents can proxy requests through it. Each vault contains:
  • Credentials: API keys, database credentials, and other sensitive material that cannot be extracted from the vault.
  • Services: Definitions of which hosts (e.g. api.stripe.com) can be accessed through the vault along with which and how credential(s) must be attached onto each proxy request.
  • Members: Users and agents that can access the vault under specific roles (admin, member, proxy).
  • Proposals: Requests from agents to set credential(s) and/or add service(s) that use those credentials.
Note that a default vault is created automatically for the first user of Agent Vault (called the instance owner).

Create a vault

agent-vault vault create my-vault
agent-vault vault list
Vault names must be unique across the Agent Vault instance and use slug format: lowercase letters, numbers, and hyphens only.

Bind a project to a vault

Run vault init inside your project directory to create an agent-vault.json file that binds the project to a specific vault: 
agent-vault vault init
This file is meant to be committed to version control. When present, all team members and agents running in that directory will automatically target the bound vault without needing --vault flags or per-user context. Vault resolution priority: --vault flag > AGENT_VAULT_VAULT env var > agent-vault.json > user context > "default".

Invite agents to a vault

For any agent you can paste a prompt into (cloud-hosted, chat-based, CI pipelines, or always-on assistants).
1

Create the invite

agent-vault agent invite my-agent --vault my-vault:proxy
Outputs a prompt with the invite URL and usage instructions. Copied to your clipboard automatically. The --vault flag pre-assigns vault access (format: name:role).
2

Paste into the agent's chat

The agent redeems the invite automatically and receives an agent token.

Invite users to a vault

1

Send the invite

agent-vault user invite alice@example.com --vault my-vault:admin
If SMTP is configured, the invitee receives an HTML email with a browser acceptance link. The invite link is also printed to CLI output.
2

Invitee accepts

The invitee clicks the link and lands on a browser acceptance page.
  • New users set their password on acceptance and their account is created automatically.
  • Existing users get the vault grant applied immediately.
3

Verify membership

agent-vault vault user list --vault my-vault

Manage members and agents

Vault scope (who can touch this vault) is managed here. Effective power inside the vault comes from each actor’s instance role — see Permissions. To change someone’s role, use agent-vault owner user set-role or agent-vault agent set-role instead. 
# List vault members
agent-vault vault user list --vault my-vault

# Grant a user access to the vault
agent-vault vault user add alice@example.com --vault my-vault

# Remove a member
agent-vault vault user remove alice@example.com --vault my-vault

# List agents in a vault
agent-vault vault agent list --vault my-vault

# View agent details (instance-level)
agent-vault agent info my-agent

# Rotate an agent's session (instance-level)
agent-vault agent rotate my-agent

# Rename an agent (instance-level)
agent-vault agent rename my-agent new-name

# Remove an agent from this vault
agent-vault vault agent remove my-agent

Delete a vault

Vault admins can delete the vaults they manage. Instance owners can also delete any vault. 
agent-vault vault delete my-vault
The default vault cannot be deleted. Use --yes to skip the confirmation prompt.
Deleting a vault permanently removes all its services, credentials, agents, and proposals. This cannot be undone.

Owner-level vault management

Instance owners auto-access every vault on the instance — they can manage credentials, approve proposals, and configure services in any vault without an explicit grant. 
# List ALL vaults (owner only)
agent-vault owner vault list

# Delete a vault (owner only)
agent-vault owner vault delete my-vault
If a user is deleted and their vaults become orphaned (no remaining members), an instance owner still has full access. User deletion only removes the user and their vault grants — vaults and their data stay intact.