### Install OpenClaw using the official script Source: https://github.com/infisical/agent-vault/blob/main/docs/guides/openclaw-on-vps.mdx Download and execute the OpenClaw installation script. This will install OpenClaw and launch its interactive setup wizard. ```bash curl -fsSL https://openclaw.ai/install.sh | bash ``` -------------------------------- ### Run Daytona Agent Vault OpenAI Example Source: https://github.com/infisical/agent-vault/blob/main/examples/daytona-openai-realtime/README.md Steps to set up and run the example. Requires API keys and dependencies to be installed. ```bash cp .env.example .env # fill DAYTONA_API_KEY and OPENAI_API_KEY npm install npm start ``` -------------------------------- ### Install Hermes on VPS Source: https://github.com/infisical/agent-vault/blob/main/docs/guides/hermes-on-vps.mdx Installs the Hermes application on the VPS using an official installation script. This script also launches an interactive setup wizard. ```bash curl -fsSL https://raw.githubusercontent.com/NousResearch/hermes-agent/main/scripts/install.sh | bash ``` -------------------------------- ### Launch Hermes Gateway Setup Wizard Source: https://github.com/infisical/agent-vault/blob/main/docs/guides/hermes-on-vps.mdx Use this command to start the interactive wizard for configuring the Hermes gateway. Ensure you are running this within the agent-vault context. ```bash agent-vault run -- hermes gateway setup ``` -------------------------------- ### Install Agent Vault using Script Source: https://github.com/infisical/agent-vault/blob/main/docs/installation.mdx Automatically detects your OS and architecture, downloads the latest release, and installs Agent Vault. Use this for a quick and easy setup. ```bash export AGENT_VAULT_ADDR="http://:14321" agent-vault server ``` -------------------------------- ### Configure Sandbox with Transparent Proxy Source: https://github.com/infisical/agent-vault/blob/main/sdks/sdk-typescript/README.md Quickstart example for configuring a sandbox with a transparent proxy using the Agent Vault SDK. This involves creating an AgentVault instance, minting a scoped session, and building environment variables for proxy configuration. ```typescript import { AgentVault, buildProxyEnv } from "@infisical/agent-vault-sdk"; const av = new AgentVault({ token: "YOUR_AGENT_TOKEN", address: "http://localhost:14321", }); const vault = av.vault("my-project"); // Mint a scoped session — returns the token + container config in one call const session = await vault.sessions!.create({ ttlSeconds: 3600 }); // Build the full env var set with your chosen CA cert mount path const certPath = "/etc/ssl/agent-vault-ca.pem"; const env = buildProxyEnv(session.containerConfig!, certPath); // Pass to your container runtime — the agent inside just calls // fetch("https://api.stripe.com/v1/charges") normally. // Agent Vault intercepts, injects credentials, and forwards. ``` -------------------------------- ### Example Output of Current Instance Settings Source: https://github.com/infisical/agent-vault/blob/main/docs/guides/instance-settings.mdx This is an example of the output you can expect when retrieving current instance settings. ```text invite_only: disabled allowed_email_domains: acme.com, acme.org ``` -------------------------------- ### Discover Services Response Example Source: https://github.com/infisical/agent-vault/blob/main/docs/guides/connect-custom-agent.mdx Example JSON response from the `/discover` endpoint, showing configured services and available credential key names. ```json { "vault": "default", "services": [ { "name": "stripe", "host": "api.stripe.com" }, { "name": "github", "host": "api.github.com" } ], "available_credentials": ["STRIPE_KEY", "GITHUB_TOKEN"] } ``` -------------------------------- ### Set Up Agent Vault Programmatically Source: https://github.com/infisical/agent-vault/blob/main/sdks/sdk-typescript/README.md Programmatic setup of an Agent Vault, including creating a vault, storing credentials, and configuring proxy rules for services. This example demonstrates setting bearer token authentication for Stripe and Slack. ```typescript import { AgentVault } from "@infisical/agent-vault-sdk"; const av = new AgentVault({ token: "YOUR_AGENT_TOKEN", address: "http://localhost:14321", }); // Create a vault and get a scoped client await av.createVault({ name: "my-project" }); const vault = av.vault("my-project"); // Store credentials await vault.credentials.set({ STRIPE_KEY: "sk_live_abc", SLACK_BOT_TOKEN: "xoxb- மரு", SLACK_CONNECTION_TOKEN: "xapp- மரு", }); // Configure proxy rules — the token field references a credential key above. // Slack needs two credentials at different paths on the same host, so we // embed the path glob in `host` (inline form) and give each rule a distinct // `name` slug. await vault.services!.set([ { name: "stripe", host: "api.stripe.com", auth: { type: "bearer", token: "STRIPE_KEY" }, }, { name: "slack-bot", host: "slack.com/api/*", auth: { type: "bearer", token: "SLACK_BOT_TOKEN" }, }, { name: "slack-conn", host: "slack.com/api/apps.connections.*", ``` ```typescript auth: { type: "bearer", token: "SLACK_CONNECTION_TOKEN" }, }, ]); // Remove a path-scoped service unambiguously by name: await vault.services!.removeByName("slack-conn"); ``` -------------------------------- ### Start the agent-vault server Source: https://github.com/infisical/agent-vault/blob/main/docs/learn/permissions.mdx Use this command to start the agent-vault server. This is the first step in setting up your Infisical instance. ```bash agent-vault server ``` -------------------------------- ### Daytona Example for Proxy Configuration Source: https://github.com/infisical/agent-vault/blob/main/sdks/sdk-typescript/README.md Example showing how to integrate Agent Vault's proxy configuration with Daytona for running agent sandboxes. It demonstrates creating a Daytona instance, setting environment variables, and mounting the CA certificate. ```typescript import { Daytona } from "@daytonaio/sdk"; const daytona = new Daytona(); const certPath = "/etc/ssl/agent-vault-ca.pem"; const env = buildProxyEnv(session.containerConfig!, certPath); const workspace = await daytona.create({ image: "my-agent-image", envVars: env, // Mount session.containerConfig.caCertificate at certPath }); ``` -------------------------------- ### Docker Example for Proxy Configuration Source: https://github.com/infisical/agent-vault/blob/main/sdks/sdk-typescript/README.md Example demonstrating how to use the `buildProxyEnv` output to configure a Docker container for transparent proxying with Agent Vault. It includes writing the CA certificate to a temporary file and passing environment variables to the Docker run command. ```typescript import { execSync } from "child_process"; import { writeFileSync } from "fs"; const certPath = "/etc/ssl/agent-vault-ca.pem"; const env = buildProxyEnv(session.containerConfig!, certPath); // Write the CA cert to a temp file for mounting const tmpCert = "/tmp/agent-vault-ca.pem"; writeFileSync(tmpCert, session.containerConfig!.caCertificate); const envFlags = Object.entries(env).map(([k, v]) => `-e ${k}=${v}`).join(" "); execSync(`docker run --rm ${envFlags} -v ${tmpCert}:${certPath}:ro my-agent-image`); ``` -------------------------------- ### Install Agent Vault Source: https://github.com/infisical/agent-vault/blob/main/docs/tutorial.mdx Use this command to install the Agent Vault CLI. ```bash curl -fsSL https://infisical.com/install.sh | sh ``` -------------------------------- ### Run Agent Vault Commands Source: https://github.com/infisical/agent-vault/blob/main/README.md Examples of running the Agent Vault CLI with different AI models. ```bash agent-vault run -- claude ``` ```bash agent-vault vault run -- agent ``` ```bash agent-vault vault run -- codex ``` ```bash agent-vault vault run -- opencode ``` -------------------------------- ### Install Agent Vault CLI via Dockerfile Source: https://github.com/infisical/agent-vault/blob/main/README.md Copy the Agent Vault binary into your Docker image to use the CLI for starting your agent process. ```dockerfile # Add this line to your existing Dockerfile alongside your agent or app setup. COPY --from=infisical/agent-vault:latest /usr/local/bin/agent-vault /usr/local/bin/agent-vault ... ENTRYPOINT ["agent-vault", "run", "--", "claude"] ``` -------------------------------- ### Install Agent Vault TypeScript SDK Source: https://github.com/infisical/agent-vault/blob/main/README.md Install the Agent Vault TypeScript SDK using npm. ```bash npm install @infisical/agent-vault-sdk ``` -------------------------------- ### Install Agent Vault Source: https://github.com/infisical/agent-vault/blob/main/docs/self-hosting/local.mdx Installs Agent Vault by auto-detecting the OS and architecture, downloading the latest release, and setting it up. This works for both new installations and upgrades. ```bash sh <(curl -fsSL https://raw.githubusercontent.com/Infisical/agent-vault/main/install.sh) ``` -------------------------------- ### Verify Access Token Placeholder Source: https://github.com/infisical/agent-vault/blob/main/docs/guides/oauth-claude-code.mdx Check the credentials file on the agent machine to ensure the access token placeholder is still present after initial setup. ```bash cat ~/.claude/.credentials.json # Should show "__PLACEHOLDER__" as the accessToken ``` -------------------------------- ### Make API Requests with Python Source: https://github.com/infisical/agent-vault/blob/main/docs/guides/connect-custom-agent.mdx Demonstrates how to make GET and POST requests to an API using the `requests` library. Authorization is handled by Agent Vault. ```python import requests charges = requests.get( "https://api.stripe.com/v1/charges", params={"limit": 10}, ) print(charges.json()) new_charge = requests.post( "https://api.stripe.com/v1/charges", data={"amount": 2000, "currency": "usd"}, ) print(new_charge.json()) ``` -------------------------------- ### Define Multiple Services with Different Auth Types Source: https://github.com/infisical/agent-vault/blob/main/docs/learn/services.mdx Configure various services with specific hosts, authentication methods, and credential references. This example demonstrates setting up services for Stripe, GitHub, Anthropic, Jira, and Slack, distinguishing between Slack bot and connection tokens using path scopes. ```yaml services: - name: stripe host: api.stripe.com auth: type: bearer token: STRIPE_KEY - name: github host: "*.github.com" auth: type: bearer token: GITHUB_TOKEN - name: anthropic host: api.anthropic.com auth: type: api-key key: ANTHROPIC_KEY header: x-api-key - name: jira host: yoursite.atlassian.net auth: type: basic username: JIRA_EMAIL password: JIRA_API_TOKEN # Slack uses two credentials at the same host — distinguish via inline-path host. - name: slack-bot host: slack.com/api/* auth: type: bearer token: SLACK_BOT_TOKEN - name: slack-conn host: slack.com/api/apps.connections.* auth: type: bearer token: SLACK_CONNECTION_TOKEN ``` -------------------------------- ### Dockerfile for Agent Vault Container Source: https://github.com/infisical/agent-vault/blob/main/docs/guides/deploy-agent-container.mdx This Dockerfile sets up a Node.js environment to run the Infisical Agent Vault. It copies the agent binary, installs dependencies, and configures the entrypoint to start the agent in run mode. ```dockerfile FROM node:20-slim COPY --from=infisical/agent-vault:latest /usr/local/bin/agent-vault /usr/local/bin/agent-vault WORKDIR /app COPY . . RUN npm ci ENTRYPOINT ["agent-vault", "run", "--", "npm", "start"] ``` -------------------------------- ### Define a Basic Auth Service with Password Source: https://github.com/infisical/agent-vault/blob/main/docs/learn/services.mdx Configure a service using HTTP Basic authentication with both username and password. This example is for authenticating to yoursite.atlassian.net. ```yaml services: - name: yoursite-atlassian-net host: yoursite.atlassian.net auth: type: basic username: JIRA_EMAIL password: JIRA_API_TOKEN ``` -------------------------------- ### X-Vault Header Example Source: https://github.com/infisical/agent-vault/blob/main/docs/agents/protocol.mdx When using instance-level agent tokens, include the 'X-Vault' header on /discover and /v1/proposals requests to specify the target vault. ```http GET {AGENT_VAULT_ADDR}/discover Authorization: Bearer {AGENT_VAULT_TOKEN} X-Vault: my-vault ``` -------------------------------- ### Get Owner Configuration Source: https://github.com/infisical/agent-vault/blob/main/docs/reference/cli.mdx Retrieves the current instance configuration settings, including invite-only status and allowed email domains. This command is restricted to owners. ```bash agent-vault owner config get ``` -------------------------------- ### Build and Install Agent Vault from Source Source: https://github.com/infisical/agent-vault/blob/main/docs/installation.mdx Compile Agent Vault from its source code. This method requires Go and Node.js and is useful for development or when you need the latest unreleased features. ```bash git clone https://github.com/Infisical/agent-vault.git cd agent-vault make build sudo mv agent-vault /usr/local/bin/ ``` ```bash export AGENT_VAULT_ADDR="http://:14321" agent-vault server ``` -------------------------------- ### Discover Available Services Source: https://github.com/infisical/agent-vault/blob/main/AGENTS.md Call this endpoint first to get a list of services with configured credentials. Ensure AGENT_VAULT_TOKEN is set and include X-Vault if using an instance-level agent token. ```shell GET {AGENT_VAULT_ADDR}/discover Authorization: Bearer {AGENT_VAULT_TOKEN} X-Vault: {vault_name} ``` -------------------------------- ### Start Agent Vault Server Source: https://github.com/infisical/agent-vault/blob/main/docs/self-hosting/local.mdx Starts the Agent Vault server. It generates a data encryption key on first run and can optionally use a master password for added security. ```bash agent-vault server ``` -------------------------------- ### Install Agent Vault CLI on VPS Source: https://github.com/infisical/agent-vault/blob/main/docs/guides/hermes-on-vps.mdx Installs the Agent Vault CLI on the remote VPS. This command should be run after SSHing into the VPS. ```bash ssh -i ~/.ssh/agent-vault-lab root@ curl --proto '=https' --proto-redir '=https' --tlsv1.2 -fsSL https://get.agent-vault.dev | sh ``` -------------------------------- ### Start Docker Compose Source: https://github.com/infisical/agent-vault/blob/main/docs/self-hosting/docker.mdx Starts the Agent Vault service defined in docker-compose.yml in detached mode after setting the master password environment variable. ```bash export AGENT_VAULT_MASTER_PASSWORD=your-password docker compose up -d ``` -------------------------------- ### Make API Requests with cURL Source: https://github.com/infisical/agent-vault/blob/main/docs/guides/connect-custom-agent.mdx Illustrates how to make GET and POST requests using `curl`. Agent Vault automatically handles authorization. ```bash curl "https://api.stripe.com/v1/charges?limit=10" curl -X POST "https://api.stripe.com/v1/charges" \ -d "amount=2000¤cy=usd" ``` -------------------------------- ### Start Agent Vault Server in Background Source: https://github.com/infisical/agent-vault/blob/main/docs/self-hosting/local.mdx Runs the Agent Vault server as a background process. ```bash agent-vault server -d ``` -------------------------------- ### Build Custom Agent Isolation Image Source: https://github.com/infisical/agent-vault/blob/main/docs/guides/container-isolation.mdx This example demonstrates how to build your own Docker image for agent isolation. Ensure your Dockerfile meets the specified requirements for root execution, gosu support, iptables availability, and a specific entrypoint script structure. ```bash # Build your own image (any Dockerfile that runs as root at entry, # supports `gosu`, has `iptables` in PATH, and ends with: # ENTRYPOINT ["/usr/local/sbin/entrypoint.sh"] # where entrypoint.sh calls init-firewall.sh then execs gosu "$@" ``` -------------------------------- ### Start and Verify Hermes Gateway Service Source: https://github.com/infisical/agent-vault/blob/main/docs/guides/hermes-on-vps.mdx Starts the Hermes gateway systemd service, waits for a few seconds, and then checks its status and network connections. This verifies that the gateway is running and communicating correctly. ```bash systemctl start hermes-gateway sleep 3 systemctl status hermes-gateway --no-pager | head -20 ss -tnp state established | grep -E 'python|14322' || echo "(none yet; wait a few seconds and re-run)" ``` -------------------------------- ### Start Agent Vault Server Source: https://github.com/infisical/agent-vault/blob/main/README.md Starts the Agent Vault server with a master password. The master password is used for data encryption and is unset after initial read. ```bash export AGENT_VAULT_MASTER_PASSWORD=your-password agent-vault server -d ``` -------------------------------- ### Set OpenClaw Entrypoint in Dockerfile Source: https://github.com/infisical/agent-vault/blob/main/docs/quickstart/openclaw.mdx Configure the Docker container's entrypoint to use `agent-vault run` to start the OpenClaw gateway. ```dockerfile ENTRYPOINT ["agent-vault", "run", "--", "openclaw", "gateway", "run"] ``` -------------------------------- ### Python Example: Making Authenticated Requests Source: https://github.com/infisical/agent-vault/blob/main/docs/guides/connect-custom-agent.mdx This Python snippet demonstrates how to make requests using the `requests` library. When launched via `vault run`, standard HTTP clients automatically honor `HTTPS_PROXY`/`HTTP_PROXY` to route traffic through Agent Vault transparently. ```python import os, requests ``` -------------------------------- ### Run Agent Vault with Docker Source: https://github.com/infisical/agent-vault/blob/main/docs/self-hosting/docker.mdx Starts the Agent Vault container, exposing necessary ports and mounting a volume for data persistence. Pass the master password via environment variable. ```bash docker run -it -p 14321:14321 -p 14322:14322 \ -v agent-vault-data:/data \ -e AGENT_VAULT_MASTER_PASSWORD=your-password \ -e AGENT_VAULT_ADDR=https://agent-vault.example.com \ infisical/agent-vault ``` -------------------------------- ### Run Locally with Docker Compose Source: https://github.com/infisical/agent-vault/blob/main/examples/nginx-public-ui-proxy/README.md Start the Nginx reverse proxy and Agent Vault locally using Docker Compose. Access the management UI at http://localhost:8080. ```bash docker compose up ``` -------------------------------- ### Define a Basic Auth Service Source: https://github.com/infisical/agent-vault/blob/main/docs/learn/services.mdx Configure a service using HTTP Basic authentication. The 'username' field is required, and 'password' is optional. This example shows authentication for api.ashbyhq.com. ```yaml services: - name: api-ashbyhq-com host: api.ashbyhq.com auth: type: basic username: ASHBY_API_KEY ``` -------------------------------- ### Make API Requests with Node.js Fetch Source: https://github.com/infisical/agent-vault/blob/main/docs/guides/connect-custom-agent.mdx Shows how to perform GET and POST requests using the `fetch` API in Node.js. Ensure `NODE_USE_ENV_PROXY` is set for proxy support. ```typescript // fetch() in Node.js v22.21+ honors HTTPS_PROXY/HTTP_PROXY when NODE_USE_ENV_PROXY=1. const charges = await fetch("https://api.stripe.com/v1/charges?limit=10"); console.log(await charges.json()); const newCharge = await fetch("https://api.stripe.com/v1/charges", { method: "POST", headers: { "Content-Type": "application/x-www-form-urlencoded" }, body: "amount=2000¤cy=usd", }); console.log(await newCharge.json()); ``` -------------------------------- ### Verify Trust-Header Stripping Source: https://github.com/infisical/agent-vault/blob/main/examples/nginx-public-ui-proxy/README.md This example demonstrates how to test trust-header stripping by uncommenting an echo service, changing the upstream, and sending specific headers. It verifies that the Authorization header is present while X-Forwarded-User is absent in the echoed response. ```bash To verify trust-header stripping in isolation, uncomment the `echo` service in `docker-compose.yml`, change the reverse proxy's `AGENT_VAULT_UPSTREAM` to `echo:8080`, then send a request with `X-Forwarded-User: attacker` and `Authorization: Bearer should-pass-through`. The echoed headers should show `Authorization` present and `X-Forwarded-User` absent. ``` -------------------------------- ### Fetch Root CA Certificate Source: https://github.com/infisical/agent-vault/blob/main/docs/reference/cli.mdx Fetches the root CA certificate for Agent Vault's proxy. Install this into your client trust store to ensure clean validation of HTTPS traffic routed through the proxy. The server must not be started with `--mitm-port 0`. ```bash agent-vault ca fetch [flags] ``` ```bash # Print to stdout agent-vault ca fetch > ca.pem ``` ```bash # Save directly to a file agent-vault ca fetch -o /etc/ssl/certs/agent-vault-ca.pem ``` ```bash # Pipe into the macOS system keychain agent-vault ca fetch | sudo security add-trusted-cert -d -r trustRoot \ -k /Library/Keychains/System.keychain /dev/stdin ``` -------------------------------- ### Install Agent Vault CLI Source: https://github.com/infisical/agent-vault/blob/main/README.md Installs the Agent Vault binary on macOS or Linux. Ensure you have curl installed. ```bash curl --proto '=https' --proto-redir '=https' --tlsv1.2 -fsSL https://get.agent-vault.dev | sh ``` -------------------------------- ### Install Agent Vault Source: https://github.com/infisical/agent-vault/blob/main/docs/reference/cli.mdx Installs the agent-vault using the provided script. The AGENT_VAULT_NO_TELEMETRY environment variable can be used to skip the anonymous install beacon. ```bash curl --proto '=https' --proto-redir '=https' --tlsv1.2 -fsSL https://get.agent-vault.dev | sh ``` ```bash curl --proto '=https' --proto-redir '=https' --tlsv1.2 -fsSL https://get.agent-vault.dev | AGENT_VAULT_NO_TELEMETRY=1 sh ``` -------------------------------- ### View Current Instance Settings via CLI Source: https://github.com/infisical/agent-vault/blob/main/docs/guides/instance-settings.mdx Retrieve the current instance-wide settings, including invite-only status and allowed email domains. ```bash agent-vault owner settings get ``` -------------------------------- ### Configure Hermes .env with Placeholder Credentials Source: https://github.com/infisical/agent-vault/blob/main/docs/guides/hermes-on-vps.mdx Creates and populates the .hermes/.env file with placeholder API keys and tokens. These placeholders will be substituted later. ```bash cat > ~/.hermes/.env <<'EOF' ANTHROPIC_API_KEY=__anthropic_api_key__ GITHUB_TOKEN=__github_token__ SLACK_BOT_TOKEN=__slack_bot_token__ TELEGRAM_BOT_TOKEN=__telegram_bot_token__ EOF ``` -------------------------------- ### Verify Agent Vault Installation Source: https://github.com/infisical/agent-vault/blob/main/docs/self-hosting/local.mdx Checks if the Agent Vault installation was successful by displaying the help message. ```bash agent-vault --help ``` -------------------------------- ### Build Agent Vault from Source Source: https://github.com/infisical/agent-vault/blob/main/docs/self-hosting/local.mdx Clones the Agent Vault repository, builds the binary using Go and Node.js, and moves it to the system's PATH. ```bash git clone https://github.com/Infisical/agent-vault.git cd agent-vault make build sudo mv agent-vault /usr/local/bin/ ``` -------------------------------- ### Write Systemd Drop-in Override Source: https://github.com/infisical/agent-vault/blob/main/docs/guides/openclaw-on-vps.mdx Create a systemd drop-in override file to configure the openclaw-gateway service. This wraps the ExecStart command with 'agent-vault run' and includes the environment file. ```bash mkdir -p /root/.config/systemd/user/openclaw-gateway.service.d cat > /root/.config/systemd/user/openclaw-gateway.service.d/override.conf <<'EOF' [Service] EnvironmentFile=/etc/openclaw/agent-vault.env ExecStart= ExecStart=/usr/local/bin/agent-vault run -- /usr/bin/openclaw gateway run --port 18789 EOF ``` -------------------------------- ### Print Version Information Source: https://github.com/infisical/agent-vault/blob/main/docs/reference/cli.mdx Prints the version and build information of the agent-vault binary. ```bash agent-vault version ``` -------------------------------- ### Create a Proposal for Service Credentials Source: https://github.com/infisical/agent-vault/blob/main/cmd/skill_cli.md Use this command to create a proposal for service credentials, specifying the service name, host, authentication type, and credential details. The `--json` flag outputs the result in JSON format. ```bash agent-vault vault proposal create \ --name stripe --host api.stripe.com --auth-type bearer --token-key STRIPE_KEY \ --credential STRIPE_KEY="Stripe API key" \ -m "Need Stripe API key for billing feature" --json ``` ```bash agent-vault vault proposal create \ --credential DB_PASSWORD="Production database password" \ -m "Need database credentials" --json ``` -------------------------------- ### Install tmux Source: https://github.com/infisical/agent-vault/blob/main/docs/guides/openclaw-on-vps.mdx Installs the tmux terminal multiplexer, which is used to keep the Agent Vault server running even after disconnecting from SSH. ```bash apt update && apt install -y tmux ``` -------------------------------- ### Initialize Agent Vault SDK and Create Session Source: https://github.com/infisical/agent-vault/blob/main/README.md Initialize the Agent Vault SDK with a token and address, then create a new proxy session. ```typescript import { AgentVault, buildProxyEnv } from "@infisical/agent-vault-sdk"; const av = new AgentVault({ token: "YOUR_TOKEN", // agent token address: "http://localhost:14321", }); const session = await av .vault("my-vault") .sessions.create({ vaultRole: "proxy" }); // certPath is where you'll mount the CA certificate inside the sandbox. const certPath = "/etc/ssl/agent-vault-ca.pem"; // env: { HTTPS_PROXY, HTTP_PROXY, NO_PROXY, NODE_USE_ENV_PROXY, // SSL_CERT_FILE, NODE_EXTRA_CA_CERTS, REQUESTS_CA_BUNDLE, // CURL_CA_BUNDLE, GIT_SSL_CAINFO, DENO_CERT } const env = buildProxyEnv(session.containerConfig!, certPath); const caCert = session.containerConfig!.caCertificate; // Pass `env` as environment variables and mount `caCert` at `certPath` // in your sandbox — Docker, Daytona, E2B, Firecracker, or any other runtime. // Once configured, the agent inside just calls APIs normally: // fetch("https://api.github.com/...") — no SDK, no credentials needed. ``` -------------------------------- ### Install Agent Vault CLI on openclaw-box Source: https://github.com/infisical/agent-vault/blob/main/docs/guides/openclaw-on-vps.mdx SSH into your openclaw-box and download the Agent Vault CLI using curl. This installs the CLI client, not a server. ```bash ssh -i ~/.ssh/digital-ocean-1 root@ curl --proto '=https' --proto-redir '=https' --tlsv1.2 -fsSL https://get.agent-vault.dev | sh ``` -------------------------------- ### Start Agent Vault Server Source: https://github.com/infisical/agent-vault/blob/main/docs/reference/cli.mdx Starts the Agent Vault server. The default port is 14321. Configuration can be managed via environment variables or command-line flags. ```bash agent-vault server [flags] ``` -------------------------------- ### Build and Run Agent Vault Source: https://github.com/infisical/agent-vault/blob/main/CLAUDE.md Commands to build the Agent Vault binary, run the frontend development server, execute tests, and create a Docker image. Ensure tests pass before considering work complete. ```bash make build # Builds frontend (React/Vite) then Go binary make web-dev # Frontend-only hot reload (Vite on 5173, proxies API to Go on 14321) make test # go test ./... make docker # Multi-stage Docker image; data persisted at /data/.agent-vault/ ``` -------------------------------- ### Build Docker Image from Source Source: https://github.com/infisical/agent-vault/blob/main/docs/self-hosting/docker.mdx Builds the Agent Vault Docker image using a multi-stage build process. ```bash make docker ``` -------------------------------- ### Development Build and Test Commands Source: https://github.com/infisical/agent-vault/blob/main/README.md Common make commands for building, testing, and running development servers for Agent Vault. ```bash make build # Build frontend + Go binary make test # Run tests make web-dev # Vite dev server with hot reload (port 5173) make dev # Go + Vite dev servers with hot reload make docker # Build Docker image ``` -------------------------------- ### Install Agent Vault Root CA on macOS Source: https://github.com/infisical/agent-vault/blob/main/docs/self-hosting/local.mdx Installs the fetched Agent Vault root CA certificate into the system's keychain on macOS, allowing trusted TLS connections. ```bash agent-vault ca fetch | sudo security add-trusted-cert -d -r trustRoot \ -k /Library/Keychains/System.keychain /dev/stdin ``` -------------------------------- ### Stop Agent Vault Background Server Source: https://github.com/infisical/agent-vault/blob/main/docs/self-hosting/local.mdx Stops a running Agent Vault server that was started in the background. ```bash agent-vault server stop ``` -------------------------------- ### Get Laptop's Public IPv4 Source: https://github.com/infisical/agent-vault/blob/main/docs/guides/openclaw-on-vps.mdx Retrieves your current public IPv4 address, which is needed for firewall configuration. ```bash curl -4 ifconfig.me; echo ``` -------------------------------- ### Register New Account Source: https://github.com/infisical/agent-vault/blob/main/docs/reference/cli.mdx Self-registers a new user account. The first user becomes the instance owner with admin privileges. Subsequent users require email verification. ```bash agent-vault auth register [flags] ``` -------------------------------- ### Create a Proposal using JSON Input Source: https://github.com/infisical/agent-vault/blob/main/cmd/skill_cli.md For complex scenarios, use JSON mode to define services, credentials, and messages. This allows for detailed configuration of proposal requests. ```bash agent-vault vault proposal create -f - --json <<'EOF' { "services": [{"action": "set", "name": "stripe", "host": "api.stripe.com", "auth": {"type": "bearer", "token": "STRIPE_KEY"}}], "credentials": [{"action": "set", "key": "STRIPE_KEY", "description": "Stripe API key"}], "message": "Need Stripe access" } EOF ``` -------------------------------- ### Get details of an instance-level agent Source: https://github.com/infisical/agent-vault/blob/main/docs/reference/cli.mdx Displays detailed information about a specific agent, including its associated vaults and active session count. ```bash agent-vault agent info ``` -------------------------------- ### View Proposal Details via CLI Source: https://github.com/infisical/agent-vault/blob/main/docs/learn/proposals.mdx Display the full details of a specific proposal, identified by its ID. ```bash agent-vault vault proposal show 3 --vault my-vault ``` -------------------------------- ### Verify Release Binaries with gh CLI Source: https://github.com/infisical/agent-vault/blob/main/README.md Verify the build provenance attestation for downloaded release archives using the GitHub CLI. ```bash gh attestation verify agent-vault_*.tar.gz --repo Infisical/agent-vault ``` -------------------------------- ### Configure Slack Service with Bot Token Source: https://github.com/infisical/agent-vault/blob/main/docs/guides/openclaw-on-vps.mdx Sets up the 'slack' service with Passthrough authentication and a URL substitution for the bot token. This service also requires substitution for the app token. ```text Name: slack Host: slack.com/* Auth: Passthrough Credential / Placeholder: __slack_bot_token__ -> SLACK_BOT_TOKEN Surface: header, body ``` -------------------------------- ### Run Agent in Container with Host Directory Bind-Mount Source: https://github.com/infisical/agent-vault/blob/main/docs/guides/container-isolation.mdx Runs the agent in a container by bind-mounting the host's `~/.claude` directory. This reuses the existing host login and project history. On macOS, it includes a bridge to handle Keychain credentials. ```bash agent-vault vault run --isolation=container --share-agent-dir -- claude ``` -------------------------------- ### Configure Notion Service Source: https://github.com/infisical/agent-vault/blob/main/docs/guides/openclaw-on-vps.mdx Sets up the 'notion' service with Bearer authentication, referencing the NOTION_TOKEN credential. No URL substitutions are needed for this service. ```text Name: notion Host: api.notion.com Auth: Bearer Token key: NOTION_TOKEN ``` -------------------------------- ### Get Credential Value from Vault Source: https://github.com/infisical/agent-vault/blob/main/docs/reference/cli.mdx Retrieves and prints the decrypted value of a single credential. Requires member+ role and is pipe-friendly. In agent mode, the vault is required. ```bash agent-vault vault credential get [flags] ``` -------------------------------- ### Create Vault Proposal (JSON File) Source: https://github.com/infisical/agent-vault/blob/main/docs/reference/cli.mdx Creates a vault proposal by reading configuration from a JSON file. This method supports complex, multi-service proposals and URL substitutions. Use '-' for stdin. ```bash agent-vault vault proposal create -f proposal.json ``` -------------------------------- ### Direct Request Routing Example Source: https://github.com/infisical/agent-vault/blob/main/docs/agents/protocol.mdx Agents route requests directly to the upstream host. Agent Vault pre-configures HTTPS_PROXY/HTTP_PROXY to transparently handle routing and inject credentials. ```http GET https://api.stripe.com/v1/charges?limit=10 ``` -------------------------------- ### Configure GitHub Service Source: https://github.com/infisical/agent-vault/blob/main/docs/guides/openclaw-on-vps.mdx Sets up the 'github' service with Bearer authentication, referencing the GITHUB_TOKEN credential. No URL substitutions are needed for this service. ```text Name: github Host: api.github.com Auth: Bearer Token key: GITHUB_TOKEN ``` -------------------------------- ### Show Credential Store Configuration Source: https://github.com/infisical/agent-vault/blob/main/docs/learn/credential-stores.mdx Inspect the configured credential store for a specific vault using the `agent-vault vault credential-store show` command. ```bash agent-vault vault credential-store show my-app ``` -------------------------------- ### Establish SSH Tunnel to Agent Vault Broker Source: https://github.com/infisical/agent-vault/blob/main/docs/guides/hermes-on-vps.mdx Use this command to create an SSH tunnel to the Agent Vault broker. Leave this terminal running for the duration of the guide. ```bash ssh -i ~/.ssh/agent-vault-lab -L 14321:10.0.0.2:14321 root@ -N ``` -------------------------------- ### Request Access to New Services via Proposals Source: https://github.com/infisical/agent-vault/blob/main/AGENTS.md Create a proposal to request access for a host not found in /discover. The 403 response provides a 'proposal_hint'. Ensure you know the target service's authentication method before proposing. ```json POST {AGENT_VAULT_ADDR}/v1/proposals Authorization: Bearer {AGENT_VAULT_TOKEN} Content-Type: application/json { "services": [{ "action": "set", "name": "stripe", "host": "api.stripe.com", "auth": {"type": "bearer", "token": "STRIPE_KEY"} }], "credentials": [{ "action": "set", "key": "STRIPE_KEY", "description": "Stripe API key", "obtain": "https://dashboard.stripe.com/apikeys", "obtain_instructions": "Developers > API Keys > Reveal test key" }], "message": "Need Stripe API key for billing feature", "user_message": "I need access to your Stripe account to build the checkout page." } ``` -------------------------------- ### Create an agent with an instance role Source: https://github.com/infisical/agent-vault/blob/main/docs/agents/overview.mdx When creating an agent, specify its instance-level role using the `--role` flag. This determines the agent's permissions for instance-scoped actions. ```bash # Create an agent as an instance owner agent-vault agent create my-agent --role owner # Create an agent as an instance member (can list users/agents, create vaults) agent-vault agent create my-agent --role member ``` -------------------------------- ### Create an instance-level agent Source: https://github.com/infisical/agent-vault/blob/main/docs/reference/cli.mdx Creates a new instance-level agent and outputs its token. This token should be supplied to the agent's runtime via the AGENT_VAULT_TOKEN environment variable. ```bash agent-vault agent create [flags] ``` ```bash # Create with vault pre-assignments agent-vault agent create my-agent --vault default:proxy --vault payments:member # Create as an instance owner agent-vault agent create my-agent --role owner --vault default:admin ``` -------------------------------- ### Configure Agent Vault Transparent Proxy Source: https://github.com/infisical/agent-vault/blob/main/docs/self-hosting/local.mdx Starts the Agent Vault server with the transparent proxy enabled on the default port 14322. The proxy handles both HTTP and HTTPS traffic. ```bash agent-vault server agent-vault server --mitm-port 0 ``` -------------------------------- ### List all agents Source: https://github.com/infisical/agent-vault/blob/main/docs/agents/overview.mdx Retrieve a list of all agents configured within the instance using the `agent list` command. ```bash agent-vault agent list ``` -------------------------------- ### Review Pending Proposals Interactively via CLI Source: https://github.com/infisical/agent-vault/blob/main/docs/learn/proposals.mdx Engage in an interactive session to review and act upon pending proposals one by one. ```bash agent-vault vault proposal review --vault my-vault ``` -------------------------------- ### List all users on the instance Source: https://github.com/infisical/agent-vault/blob/main/docs/reference/cli.mdx Retrieves a list of all users present on the instance. This command is restricted to owners. ```bash agent-vault owner user list ``` -------------------------------- ### Set Dockerfile Entrypoint for Agent Vault Source: https://github.com/infisical/agent-vault/blob/main/docs/quickstart/hermes-agent.mdx Configure the Docker entrypoint to use `agent-vault run`. This ensures Hermes Agent starts with the necessary proxy configurations for Agent Vault integration. ```dockerfile ENTRYPOINT ["agent-vault", "run", "--", "hermes"] ``` -------------------------------- ### Enable Invite-Only Registration via CLI Source: https://github.com/infisical/agent-vault/blob/main/docs/guides/instance-settings.mdx Use this command to enable invite-only registration, disabling self-registration for new users. ```bash # Enable invite-only agent-vault owner settings set --invite-only ``` -------------------------------- ### Run OpenClaw Gateway with Agent Vault CLI Source: https://github.com/infisical/agent-vault/blob/main/docs/quickstart/openclaw.mdx Execute the OpenClaw gateway command using the agent-vault run command. This automatically configures proxy settings and installs the Agent Vault skill. ```bash agent-vault run -- openclaw gateway run ``` -------------------------------- ### Install Agent Vault CLI in Dockerfile Source: https://github.com/infisical/agent-vault/blob/main/docs/quickstart/claude-code.mdx Add the Agent Vault CLI binary to your Docker image by copying it from the official `infisical/agent-vault` image. This makes the `agent-vault` command available within the container. ```dockerfile COPY --from=infisical/agent-vault:latest /usr/local/bin/agent-vault /usr/local/bin/agent-vault ``` -------------------------------- ### Upgrade Agent Vault from Source Source: https://github.com/infisical/agent-vault/blob/main/docs/self-hosting/maintenance.mdx Upgrade an Agent Vault installation by rebuilding from the latest source code. This involves pulling the latest changes from the Git repository, recompiling the binary, and replacing the existing executable. ```bash cd agent-vault git pull make build sudo mv agent-vault /usr/local/bin/ ``` -------------------------------- ### List All Proposals via CLI Source: https://github.com/infisical/agent-vault/blob/main/docs/learn/proposals.mdx Retrieve a list of all proposals within a specified vault, regardless of their status. ```bash agent-vault vault proposal list --vault my-vault ```