Agent quickstart
This gets Claude Code or Cursor talking to a zero-knowledge vault: you register the agent, send it one command, and it sets itself up — installs the MCP server, starts the local daemon, registers its credentials. You never handle a key. The server never sees a secret.
Step 1 — Create your account ~1 min
Sign up (free) and set your vault passphrase. The passphrase encrypts everything client-side — we can't read your vault, which also means we can't reset it, so save the recovery codes it gives you.
Step 2 — Register your agent ~30 s
In the dashboard, choose Onboard an agent and give it a name (e.g. Claude_Code). You'll get a one-time onboarding message containing a single setup command with an embedded setup link. The link's passphrase lives in the URL fragment (#…) — browsers never transmit fragments, so the server never sees it either.
Step 3 — Send your agent the command ~2 min, the agent does the work
Paste the onboarding message into your agent's chat. It looks like this:
# Verifies the script signature, installs/updates the MCP server, burns this link
curl -fsSL https://wundervault.com/onboard -o /tmp/wv-onboard.py \
&& python3 /tmp/wv-onboard.py "https://wundervault.com/setup/agent/<token>#<passphrase>"
The onboarding script is Ed25519-signed and self-verifying. It installs @wundervault/mcp-server from npm if missing (the only prerequisite is Node.js), starts the local daemon (with a systemd unit so it survives reboots), registers the agent's credentials, burns the one-time link, and prints the MCP config values your agent needs for the last step.
Step 4 — Add the MCP config usually automatic
Your agent normally does this step itself — the onboarding output ends with the exact command and agent name, and an agent like Claude Code or Cursor will typically wire it into its own config without your help. If it doesn't, or you're setting up manually, here's what goes where:
Claude Code
claude mcp add wundervault \
-e WUNDERVAULT_AGENT_NAME=<YourAgentName> \
-- wundervault-mcp
Or add it to ~/.claude.json under mcpServers — Claude Code picks up changes automatically, no restart needed.
Cursor
Add to ~/.cursor/mcp.json (all projects) or .cursor/mcp.json in a project:
{
"mcpServers": {
"wundervault": {
"command": "wundervault-mcp",
"env": { "WUNDERVAULT_AGENT_NAME": "<YourAgentName>" }
}
}
}
Then reload MCP servers from Cursor's settings (Settings → MCP). The agent's auth token is auto-discovered from ~/.wundervault/agents/<name>.token — don't put it in the config file.
Step 5 — The moment it's for ~30 s
- In the dashboard, add a secret (an API key, a database password) and send it to your agent's vault. Your browser re-encrypts it with the agent's vault key before upload — the server stores a blob it cannot open.
- Ask your agent to use it: "fetch the
ProdDbPasswordentry from your vault and check the database connection." - The agent retrieves the encrypted entry, decrypts it locally, and uses it. With
vault_exec, the secret is injected straight into the process environment — the raw value never even enters the agent's context window.
That's the whole product: your agent just used a credential that neither our server, nor the model's context, ever saw in plaintext. Every retrieval is written to a tamper-evident audit log you can review in the dashboard.
Interested in a managed option?
Wundervault is free while we build. If you'd want a hosted tier with SLAs, teams, and support — leave an email and we'll tell you when it exists. Nothing else is sent, ever.