Give AI agents
production access without exposing secrets.
Wundervault injects credentials into the agent’s runtime — never into the chat. Claude, Cursor, OpenClaw, Hermes, and your own agents can deploy, call APIs, and query databases without ever seeing plaintext keys.
Or share a one-time secret — a link + passphrase that self-destructs after a single read.
Trust your agent with the job, not the keys.
Most teams hand AI agents the same long-lived credentials a human uses — pasted into chat, stored in .env, never rotated. One bad prompt, one leaked log, and the keys are out.
One token. One scope. One short life.
The agent asks. The MCP server injects. The credential never crosses the model boundary.
What this actually looks like.
Three agents, three jobs, three different keys — each agent gets only the scope its work requires.
Ciphertext, a salt, a nonce, and a one-way verifier. That’s the whole row.
Encryption happens in your browser via the Web Crypto API. The server stores only AES-256-GCM ciphertext plus the values needed to authorize retrieval — it cannot derive the key, the passphrase, or the plaintext. Don’t take our word for it: verify this claim yourself in 5 minutes →
Create your account, send your agent one link. It sets itself up.
Set up your account, register the agent, and the dashboard hands you a single onboarding command with a one-time setup link inside. Paste it to your agent — it does the rest autonomously: the Ed25519-signed onboard script (pipe execution hard-blocked) installs the MCP server, starts the local daemon, and registers the agent’s credentials in an encrypted profile. No plaintext on disk, no config for you to write.
- You created an account, registered the agent in the dashboard, and clicked
📨 SENDon the secrets it should see. - The onboard script verified its Ed25519 signature, installed the MCP server, exchanged credentials, and burned the one-time setup URL.
- Your agent called
vault_exec. The MCP server hard-blocked shell escapes before decrypting. - The MCP server injected the secret as a named env var — stripped sensitive parent-env keys, zeroed the buffer after spawn, scrubbed output.
- The model received only a confirmation string. Plaintext never touched the conversation.
What this fixes — and what it doesn’t.
Calibrated from the security whitepaper. §1 names the threat classes Wundervault is designed against; §9 names the limits inherent to browser-based crypto, endpoint trust, and revocation semantics.