Getting Started with Vault

What is Vault?

Vault is a credential management system built for the AI coding era. Traditional password managers were designed for humans clicking through browser extensions. Vault is designed for both human developers and AI agents that need programmatic access to secrets during code generation, deployment, and infrastructure automation.

Every credential stored in Vault is encrypted with AES-256-GCM using a tenant-scoped key hierarchy. Every access is attributed to a specific identity, whether that identity is a developer on your team or an AI agent running in Claude Code. Credentials are leased with time-to-live (TTL) values rather than checked out permanently, so your attack surface shrinks automatically as leases expire.

Why Vault exists

AI coding tools need credentials. They need API keys to call services, database URLs to run migrations, SSH keys to deploy code. The standard workflow today is pasting secrets into environment variables or .env files and hoping the agent does not log them, commit them, or hold onto them longer than necessary.

Vault replaces that workflow with a structured protocol. Agents request credentials through the MCP server or TypeScript SDK, receive a time-limited lease, and Vault records exactly which agent accessed which credential and when. When the lease expires, the credential is no longer available to that agent.

Install the SDK

npm install @ghoststack/vault-sdk

Or if you prefer to start with the MCP server for Claude Code integration:

npx @ghoststack/vault-mcp init

Store your first credential

import { Vault } from '@ghoststack/vault-sdk';

const vault = await Vault.connect({
  tenant: 'my-org',
  token: process.env.VAULT_TOKEN,
});

await vault.credentials.create({
  name: 'stripe-api-key',
  type: 'api-key',
  value: 'sk_live_...',
  metadata: {
    service: 'stripe',
    environment: 'production',
  },
});

Issue a lease

const lease = await vault.leases.create({
  credentialName: 'stripe-api-key',
  ttl: '15m',
  identity: { type: 'agent', name: 'claude-code' },
});

console.log(lease.value); // sk_live_... (printed here only to show the field; keep secret values out of real logs)
console.log(lease.expiresAt); // 15 minutes from now

When the lease expires, any subsequent attempt to read the credential through that lease will fail. The agent must request a new lease, and that request will be logged in the audit log.
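
As an added example (not code from the Vault SDK or its authors), here is a small client-side wrapper for the lease object that keeps the leased value out of logs and refuses it locally once `expiresAt` has passed. `LeasedSecret` and `demo` are hypothetical names, the only assumption about the SDK is the `{ value, expiresAt }` lease shape shown in the snippet above, and the sample lease is constructed.

```javascript
// Added example: LeasedSecret is a hypothetical wrapper, not part of @ghoststack/vault-sdk.
// It assumes only the lease shape shown on this page: { value, expiresAt }.
const INSPECT = Symbol.for('nodejs.util.inspect.custom'); // hook console.log uses in Node

class LeasedSecret {
  #value;     // private field: invisible to Object.keys, JSON.stringify and spread
  #expiresAt; // epoch milliseconds
  #now;       // injectable clock so expiry can be exercised in a test

  constructor(lease, now = Date.now) {
    const expiresAt = new Date(lease.expiresAt).getTime();
    if (typeof lease.value !== 'string' || Number.isNaN(expiresAt)) {
      throw new TypeError('lease must carry a string value and a valid expiresAt');
    }
    this.#value = lease.value;
    this.#expiresAt = expiresAt;
    this.#now = now;
  }

  get expired() { return this.#now() >= this.#expiresAt; }

  // Hand the secret to one callback; fail closed once the lease has expired.
  use(fn) {
    if (this.expired) {
      this.#value = ''; // drop our reference to the expired secret
      throw new Error('lease expired: request a new lease');
    }
    return fn(this.#value);
  }

  // Every implicit serialisation path yields a redacted marker.
  toString() { return '[LeasedSecret redacted]'; }
  toJSON() { return this.toString(); }
  [INSPECT]() { return this.toString(); }
}

// Constructed sample lease: the value and timestamps are made up for this demo.
function demo() {
  let clock = Date.parse('2024-01-01T00:00:00Z');
  const lease = { value: 'sk_test_constructed', expiresAt: '2024-01-01T00:15:00Z' };
  const secret = new LeasedSecret(lease, () => clock);
  const usedOk = secret.use((v) => `Bearer ${v}`) === 'Bearer sk_test_constructed';
  const logged = `${JSON.stringify({ secret })} ${secret}`;
  clock += 15 * 60 * 1000; // advance the clock to the expiry instant
  let afterExpiry = 'still readable';
  try { secret.use((v) => v); } catch (e) { afterExpiry = e.message; }
  return { usedOk, logged, afterExpiry };
}

console.log(demo());
```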

Next steps