GhostStack
vault Status: Coming soon
Building

A credential vault for agents and humans alike.

Vault serves both populations from one store. Humans manage credentials through a clean UI. Agents request them through MCP with scoped, time-bound leases. Credentials live in sandboxed tool execution, not in LLM context windows, and every access is attributed to a specific agent run or human session.

Waitlist opens with launch. Check back when the page flips to Available.

01 / Credentials

What Vault holds

01

API keys

Plain string credentials with per-agent scope. Rotation windows, last-used timestamps, revocation one action deep.

02

OAuth tokens

OAuth 2.1 access + refresh pairs with auto-refresh. Provider catalog covers the integrations the suite uses; external providers are config.

03

SSH keypairs

Public/private pairs stored encrypted. Ed25519 by default; RSA when a host still requires it.

04

TLS certificates

Cert + key + chain together. Expiry surfaced on the dashboard; no surprises during a deploy.

05

Database URLs

Connection strings with driver awareness. Treated as single credentials so the whole string rotates together.

06

Generic secrets

Anything that is a string and should never sit in an env file. Same encryption envelope, same audit discipline.

02 / For both

Built for agents and humans alike

Password managers built only for humans do not answer the questions an AI agent asks. Vaults built only for apps do not give humans a dashboard. Vault serves both. The agent side is scoped leases over MCP. The human side is a clean UI for the same credentials.

01

MCP server, any MCP client

Vault exposes an MCP server following the 2025-06-18 spec. Claude Code, Cursor, Windsurf, or any Cortex agent can list scoped credentials and request them with a signed justification.

02

Credential leasing with TTLs

Requests return leases bound to the agent run id. Default TTL is 5 to 10 minutes, configurable per credential. Lease expiry revokes access without requiring the agent to clean up.

03

Agent attribution in audit log

Every access records which agent type, which user, which run, what justification. The audit log is append-only and survives tenant deletion so incident response has history to read.

04

Sandboxed delivery, not context injection

Credentials are delivered into a sandboxed tool execution environment. They never enter the LLM's context window. Prompt-injection cannot exfiltrate what the prompt never saw.

05

Per-agent-type policies

Scope credentials to specific agent types, not just users. A scoring agent that never needs production DB creds never gets asked about them.

03 / Browser

On every browser tab

A Chrome and Firefox extension brings Vault into the place humans spend most of their day: browser tabs that ask for a username and a password. Same encryption, same audit chain, same RBAC. No long-lived plaintext cache; each fill is a fresh server-side lease consumed in one round-trip.

01

Chrome + Firefox browser extension

A Manifest V3 extension for both browsers auto-fills usernames and passwords on the sites you log in to every day. Sign in once via identity OAuth in a popup; the extension reads stored `login` credentials over the same REST API your CLI uses.

02

Phishing-resistant URL matching

Match is scheme-strict (HTTPS only by default), Punycode-normalized to defeat homograph attacks, and port-aware. Subdomain match is opt-in per credential. The fill button only appears when the URL passes every check.
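
The four checks named above, written out as an added example; this is not GhostStack's extension code. The credential fields `url`, `allowHttp` and `matchSubdomains` are assumed names, and the sample hosts are constructed.

```javascript
const DEFAULT_PORTS = { "https:": "443", "http:": "80" };

// Reduce a URL to the parts the match compares. The WHATWG URL parser
// lowercases the host and converts Unicode labels to Punycode (xn--...),
// so a look-alike letter yields a different ASCII host, not an equal one.
function canonicalOrigin(raw) {
  let u;
  try {
    u = new URL(raw);
  } catch {
    return null; // an unparseable URL never matches
  }
  const host = u.hostname.replace(/\.$/, ""); // drop a trailing root dot
  // URL.port is "" for the scheme default, so fill it in before comparing.
  const port = u.port || DEFAULT_PORTS[u.protocol] || "";
  return { scheme: u.protocol, host, port };
}

function hostMatches(pageHost, savedHost, allowSubdomains) {
  if (pageHost === savedHost) return true;
  // Opt-in only, and only on a label boundary: "evil-example.com" and
  // "example.com.evil.test" must not match a saved "example.com".
  return allowSubdomains && pageHost.endsWith("." + savedHost);
}

// True only when every check passes; the caller shows the fill button then.
function shouldOfferFill(pageUrl, credential) {
  const page = canonicalOrigin(pageUrl);
  const saved = canonicalOrigin(credential.url);
  if (!page || !saved) return false;
  const httpAllowed = credential.allowHttp === true; // assumed override flag
  if (page.scheme !== "https:" && !(httpAllowed && page.scheme === "http:")) {
    return false;
  }
  if (page.scheme !== saved.scheme) return false;
  if (page.port !== saved.port) return false;
  return hostMatches(page.host, saved.host, credential.matchSubdomains === true);
}
```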

03

Lease-per-fill, no plaintext cache

Every fill issues a fresh 30-second server-side lease, single-use. The plaintext lives in the extension service worker for one round-trip and is overwritten immediately after the form is populated. No encrypted-on-disk cache.

04

Same audit trail as every other access

Each fill writes lease.issued, lease.consumed, lease.read to the tamper-evident audit chain with the user attribution and a session correlation id. Indistinguishable from a CLI reveal or a manual web-ui copy.
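
The lease rules described on this page (bound to a run id, expiring on a TTL, single-use for browser fills, each step written to an audit chain) can be modelled as below. This is an added example, not GhostStack's code: the in-memory store, the `LeaseBroker` name and the SHA-256 hash chain are assumptions about how such a broker could work.

```javascript
const crypto = require("node:crypto");
const sha256 = (s) => crypto.createHash("sha256").update(s).digest("hex");

class LeaseBroker {
  constructor(now = () => Date.now()) {
    this.now = now; // injectable clock so expiry can be exercised
    this.leases = new Map();
    this.audit = []; // hash-chained events, oldest first
  }

  // Append an event whose hash also covers the previous entry's hash.
  record(type, lease) {
    const prev = this.audit.length ? this.audit[this.audit.length - 1].hash : "";
    const entry = { type, leaseId: lease.id, runId: lease.runId, at: this.now(), prev };
    entry.hash = sha256(JSON.stringify(entry));
    this.audit.push(entry);
  }

  issue(credId, runId, ttlMs, singleUse) {
    const lease = { id: crypto.randomUUID(), credId, runId, singleUse, used: false,
      expiresAt: this.now() + ttlMs };
    this.leases.set(lease.id, lease);
    this.record("lease.issued", lease);
    return lease.id;
  }

  // Returns the credential id to release, or throws with the refusal reason.
  consume(leaseId, runId) {
    const lease = this.leases.get(leaseId);
    if (!lease) throw new Error("unknown lease");
    if (lease.runId !== runId) throw new Error("lease bound to another run");
    if (this.now() >= lease.expiresAt) throw new Error("lease expired");
    if (lease.singleUse && lease.used) throw new Error("lease already consumed");
    lease.used = true;
    this.record("lease.consumed", lease);
    return lease.credId;
  }

  // Recompute every hash and link; an edited entry or broken link fails.
  verifyAudit() {
    let prev = "";
    return this.audit.every(({ hash, ...rest }) => {
      const ok = rest.prev === prev && hash === sha256(JSON.stringify(rest));
      prev = hash;
      return ok;
    });
  }
}
```

Expiry is checked at consume time, so a lease dies without the holder doing any cleanup.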

04 / Comparison

How Vault compares

Capability matrix

| Capability | Vault | 1Password | Bitwarden | Doppler | HashiCorp Vault |
|---|---|---|---|---|---|
| MCP server for agent access | Yes | No | No | No | No |
| Credential leasing with TTL | Yes | No | No | No | Yes |
| Per-agent-type policy scope | Yes | No | No | No | No |
| Personal + team credentials | Yes | Yes | Yes | No | No |
| Runtime secret injection | Yes | No | No | Yes | Yes |
| Target user | Developers with AI agents | Humans | Humans | Apps at runtime | Enterprise infra |

05 / Security

Security posture

  1. AES-256-GCM envelope encryption

    Each credential is sealed with a per-credential data encryption key (DEK). DEKs are wrapped by a per-tenant key encryption key (KEK). Compromise of storage media alone is not enough to read a credential.

  2. Pluggable KEK (KMS or customer HSM)

    KEK lives in AWS KMS or GCP KMS by default. Enterprise tenants can bring a customer-managed HSM. Rotation is a KMS operation; envelope decryption continues through a rotation without downtime.

  3. Append-only audit log

    Every access, lease, grant, and revoke event writes to an audit log that outlasts tenant deletion. Operators and compliance reviewers read the same log; there is no cleaner view that redacts entries.

  4. Tamper-evident integrity

    Stored ciphertexts include an integrity tag verified on every read. Silent corruption is detected rather than returned. A read that fails integrity fails loud.

  5. Tenant isolation at three layers

    Postgres row-level security policies, branded TenantId types at the application layer, and a tenant-scoped repository decorator. Defense in depth, not a single choke point.

  6. OAuth 2.1 with Identity

    Every Vault session is an OAuth 2.1 session issued by Identity. Cross-sibling single sign-on with rotating JWTs and a refresh mechanism.
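
The envelope scheme and the fail-loud integrity check in the list above, as an added example using Node's built-in crypto; this is not GhostStack's code. A locally generated 32-byte key stands in for the KMS- or HSM-held KEK, and the record layout, the function names and the tenant/credential binding through AAD are assumptions.

```javascript
const crypto = require("node:crypto");

// AES-256-GCM seal with a fresh 96-bit nonce; aad is authenticated only.
function gcmSeal(key, plaintext, aad) {
  const iv = crypto.randomBytes(12);
  const c = crypto.createCipheriv("aes-256-gcm", key, iv);
  c.setAAD(aad);
  const ct = Buffer.concat([c.update(plaintext), c.final()]);
  return { iv, ct, tag: c.getAuthTag() };
}

// final() throws when the tag does not verify, so no plaintext is returned.
function gcmOpen(key, box, aad) {
  const d = crypto.createDecipheriv("aes-256-gcm", key, box.iv);
  d.setAAD(aad);
  d.setAuthTag(box.tag);
  return Buffer.concat([d.update(box.ct), d.final()]);
}

// Assumption: bind both layers to "tenant:credential" so a record copied
// onto another tenant or credential id fails authentication.
const aadFor = (r) => Buffer.from(`${r.tenantId}:${r.credId}`);

// Fresh DEK per credential; the stored record holds only the wrapped DEK.
function sealCredential(kek, tenantId, credId, secret) {
  const dek = crypto.randomBytes(32);
  const aad = aadFor({ tenantId, credId });
  const record = { tenantId, credId,
    wrappedDek: gcmSeal(kek, dek, aad), body: gcmSeal(dek, Buffer.from(secret), aad) };
  dek.fill(0); // best-effort wipe of the plaintext DEK
  return record;
}

function openCredential(kek, record) {
  const dek = gcmOpen(kek, record.wrappedDek, aadFor(record));
  try {
    return gcmOpen(dek, record.body, aadFor(record)).toString("utf8");
  } finally {
    dek.fill(0);
  }
}

// Local stand-in for KEK rotation: re-wrap the DEK only; body is untouched.
function rewrapDek(oldKek, newKek, record) {
  const dek = gcmOpen(oldKek, record.wrappedDek, aadFor(record));
  const rotated = { ...record, wrappedDek: gcmSeal(newKek, dek, aadFor(record)) };
  dek.fill(0);
  return rotated;
}
```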
