Agent Vault Protocol

Open standard for secure agent credentials, memory, and runtime access control

AVP defines a standard vault layer for AI agents. It specifies how credentials and memory are stored, scoped, audited, and revoked across tools, frameworks, and runtimes.

Local encrypted vaults
Permission-based runtime access
Auditable agent sessions

Agent Security Architecture

AVP sits between the agent runtime and the credentials, memory, and external services it needs. Instead of exposing the full host environment, AVP filters access through profiles, encrypted storage, session controls, and audit logging.

Agent Runtime

Claude Code
Cursor
LangChain
CrewAI
AutoGen
Any agent framework

AVP Vault Layer

AVP specifies this layer:

Credential Slots
Memory Files
Permission Profiles
Session Manager
Audit Trail

AES-256-GCM
Key derivation
Access decisions
Revocation
Append-only audit

External Systems

LLM APIs
Cloud credentials
Databases
Payment APIs
Internal services

Agents never receive unrestricted environment access. AVP scopes what they can read, records every access decision, and allows sessions to be revoked.

Core Protocol Primitives

AVP is built from a small set of interoperable primitives that implementations can adopt consistently across runtimes and tools.

Permission Profiles

Rules that allow, deny, or redact credential access at runtime.

Encrypted Vault

Credential and memory storage encrypted at rest.

Audit Trail

Append-only record of every access decision before enforcement.

Session Management

Time-limited sessions with revocation and process shutdown.

Memory Layer

Encrypted operational knowledge and reusable agent memory.

Portable Format

Transferable vault format for moving secure state across systems.

Where AVP Fits in the Stack

Centralized secret managers handle storage, rotation, and distribution across systems. AVP handles runtime access control for AI agents.

It defines:

  • What an agent can access
  • How access is filtered
  • How every decision is recorded
  • How sessions are revoked

Centralized Secret Stores

HashiCorp Vault, AWS SM, .env

Host Environment / Local Vault

Credentials available at runtime

AVP Runtime Control Layer

Access control, audit, sessions, revocation

AI Agent Runtime

Claude Code, Cursor, LangChain, any framework

Most Agent Runtimes Still Miss Three Core Controls

No scoping

Agents often inherit full environment access instead of only the credentials they need.

No visibility

There is rarely a standard audit trail for what was accessed, when, and why.

No revocation

Once an agent is running, access is difficult to cut off cleanly and immediately.

Specification Overview

AVP defines interoperable components for storage, access control, auditing, revocation, and secure agent memory.

Encrypted Vault

AES-256-GCM encrypted credential storage with scrypt key derivation.

Permission Profiles

YAML-based rules with last-match-wins semantics and three pattern types.

Audit Trail

Append-only log of every credential access decision, written before enforcement.

Session Management

UUID-tracked sessions with TTL enforcement and instant revocation.

Encrypted Memory

Agent knowledge and operational data with keyword search and confidence scoring.

Portable Format

Self-contained .avault files with independent passphrases for vault transfer.

MCP Interface

Model Context Protocol tools for programmatic vault, memory, and audit access.

Memory Banks

Distributable memory collections for sharing agent knowledge across systems.

Reference Use Cases

Practical scenarios where AVP controls credential exposure at runtime.

Scoped coding assistants

Allow agents to access development variables while redacting cloud or production credentials.

Audited CI/CD pipelines

Run short-lived agent sessions with policy-enforced access and logged decisions.

Untrusted third-party agents

Start from deny-by-default and expand access only as trust increases.

Emergency revocation

Revoke all active sessions, cut credential access, and review the full audit trail.

Persistent agent memory

Store operational knowledge encrypted at rest, searchable across sessions.

Design Principles

Six principles that guide every design decision in AVP.

Local-first

All data stays on your machine. No network calls required. No cloud dependency.

Deny by default

Credentials are denied unless explicitly allowed by a profile rule. Fail closed.

Audit everything

Every access decision is logged before enforcement. Immutable, append-only trail.

Simple to implement

Core policy matching is intentionally small and easy to implement across languages.

Framework-agnostic

Works with any agent, tool, or runtime that uses environment variables. Not tied to any vendor.

Human-readable

Profiles are YAML. Audit logs are queryable SQL. Vault entries are structured JSON.

Implementations and Early Adopters

AVP is already being implemented across agent tooling and infrastructure layers.

Implementation | Language   | Level   | Type      | Publisher
AgentVault     | TypeScript | Level 3 | Reference | Inflectiv

Building an AVP-compliant tool? Open an issue to get listed.

Conformance Levels

Implementations can start small and grow into deeper protocol support over time.

Level 1: Core

Required

  • Profile schema and rule matching
  • Three-state access model (allow/deny/redact)
  • System variable passthrough
  • Audit trail logging

Level 2: Full

Recommended

  • Everything in Level 1
  • Encrypted vault (random per-file salt)
  • Session management + revocation
  • Encrypted agent memory
  • Memory search algorithm
  • Standard directory structure
  • TTL enforcement
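The Level 2 encrypted vault, as an added example written against Node's standard crypto module and not AgentVault's own code; the blob layout (salt, IV, tag, ciphertext) and the scrypt cost parameters are assumptions, and the sample entries are constructed placeholders.

```typescript
// Added example (not AgentVault's own code): seal vault entries at rest with AES-256-GCM
// under a key scrypt-derives from a passphrase and a random per-file salt.
// The blob layout (salt | iv | tag | ciphertext) and scrypt parameters are assumptions.
import { scryptSync, randomBytes, createCipheriv, createDecipheriv } from "node:crypto";

const SALT_LEN = 16, IV_LEN = 12, TAG_LEN = 16;
const SCRYPT = { N: 2 ** 14, r: 8, p: 1 };   // cost parameters: raise N on capable hosts

function deriveKey(passphrase: string, salt: Buffer): Buffer {
  return scryptSync(passphrase, salt, 32, SCRYPT);   // 32 bytes = AES-256 key
}

function sealVault(passphrase: string, entries: Record<string, string>): Buffer {
  const salt = randomBytes(SALT_LEN);   // fresh per file: same passphrase, different key
  const iv = randomBytes(IV_LEN);       // never reuse an IV under the same key
  const cipher = createCipheriv("aes-256-gcm", deriveKey(passphrase, salt), iv);
  const ct = Buffer.concat([cipher.update(JSON.stringify(entries), "utf8"), cipher.final()]);
  return Buffer.concat([salt, iv, cipher.getAuthTag(), ct]);
}

function openVault(passphrase: string, blob: Buffer): Record<string, string> {
  const salt = blob.subarray(0, SALT_LEN);
  const iv = blob.subarray(SALT_LEN, SALT_LEN + IV_LEN);
  const tag = blob.subarray(SALT_LEN + IV_LEN, SALT_LEN + IV_LEN + TAG_LEN);
  const ct = blob.subarray(SALT_LEN + IV_LEN + TAG_LEN);
  const decipher = createDecipheriv("aes-256-gcm", deriveKey(passphrase, salt), iv);
  decipher.setAuthTag(tag);
  // final() throws when the tag does not verify: wrong passphrase or modified bytes.
  const pt = Buffer.concat([decipher.update(ct), decipher.final()]);
  return JSON.parse(pt.toString("utf8"));
}

// True when the blob decrypts and authenticates; false on a wrong passphrase or tampering.
function opensCleanly(passphrase: string, blob: Buffer): boolean {
  try { openVault(passphrase, blob); return true; } catch { return false; }
}

// Constructed sample entries; values are placeholders, not real credentials.
const sample = { DEV_DB_URL: "postgres://localhost/dev", OPENAI_API_KEY: "placeholder" };
const vaultBlob = sealVault("correct horse battery staple", sample);
```

Because GCM authenticates the ciphertext, a flipped byte or a wrong passphrase is rejected outright rather than yielding garbled entries.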

Level 3: Extended

Optional

  • Everything in Level 2
  • Portable vault format (.avault)
  • Memory banks
  • MCP server interface
  • Graceful shutdown

Threat Model

AVP is explicit about its security boundaries. It reduces runtime credential exposure and improves visibility, but it does not replace host security, sandboxing, or transport security.

AVP protects against

Agent reads forbidden credentials

Profile-based allow/deny/redact filters credentials before the agent sees them

Credentials exposed on disk

AES-256-GCM encryption at rest with scrypt key derivation and per-file random salts

No visibility into agent access

Immutable audit trail logs every decision before enforcement

Runaway agent sessions

TTL enforcement with automatic revocation and emergency kill switch

AVP does NOT protect against

Compromised host OS

If an attacker has root access, they can read process memory or modify binaries. AVP relies on OS-level security.

Malicious agent with code execution

An agent could attempt to read /proc/self/environ or similar. Use OS sandboxing for high-security deployments.

Side-channel attacks on encryption

AES-256-GCM and scrypt are well-studied, but AVP does not mandate constant-time implementations.

Brute-force of weak passphrases

scrypt provides computational resistance, but a weak passphrase remains vulnerable.

Open Protocol Governance

AVP is an open standard published by Inflectiv and designed for framework-agnostic adoption.

Changes to the protocol are proposed, reviewed, and tracked publicly through GitHub and future AVP Improvement Proposals.