Documentation

Getting Started

Learn the core concepts of the Agent Vault Protocol and how to implement it in your tools.

Overview

What AVP is and why it matters.

What is AVP?

The Agent Vault Protocol (AVP) is an open standard that defines how AI agents access credentials, environment variables, and encrypted memory. It provides a consistent, auditable, and revocable way to control agent access across any tool, framework, or platform.

Who is AVP for?

Tool builders. Building an AI agent, IDE extension, or orchestration framework? Implement AVP to give users control over credential access.

Platform teams. Running AI agents in CI/CD, staging, or production? AVP profiles let you scope what each agent can see.

Security engineers. Need audit trails, session revocation, and encryption at rest? AVP specifies all of these.

Version:This documentation covers AVP v1.0 (Stable, 2026-03-17). For the full technical specification, see the Specification page.

Core Concepts

The building blocks of AVP.

Concept	What it does
Vault	Encrypted store for credentials (AES-256-GCM). Secrets never stored in plaintext.
Profiles	YAML rules that determine which credentials an agent can access (allow/deny/redact).
Sandbox	Runtime that filters the environment based on the active profile before spawning the agent.
Audit Trail	Append-only log of every access decision, written before enforcement.
Sessions	UUID-tracked execution contexts with TTL enforcement and instant revocation.
Memory	Encrypted storage for agent knowledge, cached queries, and operational state.
Portable Format	Self-contained .avault files for transferring vaults between machines.
Memory Banks	Distributable memory collections with licensing and access control.
MCP Server	11 tools exposed via Model Context Protocol for programmatic vault access.

How It Works

1. Define a permission profile (YAML)
2. An AVP-compliant tool creates a session
3. Credentials are loaded from the vault + host environment
4. Each credential is evaluated against the profile rules
5. Access decisions are logged to the audit trail
6. The agent runs in a filtered environment
7. Session ends → marked inactive

Permission Profiles

Control what agents can see with declarative YAML rules.

Profiles are the core access control mechanism in AVP. Each profile contains an ordered list of rules that are evaluated using last-match-wins semantics — like .gitignore or CSS specificity.

Example: Moderate Profile(YAML)

name: moderate
description: "Allow dev variables, redact cloud secrets"
trustLevel: 50
ttlSeconds: 3600
rules:
  - pattern: "*"          # Start by denying everything
    access: deny
  - pattern: NODE_ENV     # Allow specific dev variables
    access: allow
  - pattern: DEBUG
    access: allow
  - pattern: AWS_*        # Redact all AWS credentials
    access: redact
  - pattern: OPENAI_*     # Redact API keys
    access: redact

Pattern Types

Pattern	Example	Matches
Wildcard (*)	*	All variable names
Prefix (PREFIX_*)	AWS_*	AWS_ACCESS_KEY, AWS_SECRET_KEY, etc.
Exact (NAME)	NODE_ENV	Only NODE_ENV exactly

No Regex:AVP intentionally excludes regex patterns. Only three deterministic pattern types are supported to ensure predictable, cross-implementation consistency.

Access Decisions

The three-state model applied to every credential.

Decision	What happens	Use case
Allow	Original value is passed to the agent	Safe variables like NODE_ENV, DEBUG
Deny	Variable is excluded entirely from the environment	Sensitive secrets the agent must not see
Redact	Name is kept, value replaced with VAULT_REDACTED_<hex>	Agent sees the variable exists but cannot read its value

Additionally, system variables (PATH, HOME, USER, SHELL, TERM, LANG, LC_ALL, TMPDIR, NODE_PATH) always pass through unconditionally and are not logged.

Agent Memory

Encrypted, searchable storage for agent knowledge.

AVP specifies an encrypted memory system that allows agents to store and retrieve knowledge across sessions. All memory is encrypted at rest using the same AES-256-GCM scheme as the vault.

Memory Type	Purpose	Typical Lifetime
knowledge	Learned facts, documentation, reference material	Weeks to months
query_cache	Cached API responses and search results	Minutes to hours
operational	Workflow state, preferences, config snapshots	Hours to days

Search

Memory entries are found using keyword-based search. The algorithm extracts keywords from the query, matches them against entry keywords, and ranks results using a scoring formula that considers match ratio, confidence, freshness, and access frequency. An O(1) query hash shortcut is available for exact cache hits.

Limits:Maximum 10,000 memory entries or 50 MB file size. Implementations MUST reject entries when limits are reached.

Sessions & Audit

Track agent execution and log every access decision.

Sessions

Every agent execution is wrapped in a session with a UUID, agent ID, profile name, PID, and timestamp. Sessions can be revoked individually or all at once (kill switch). Three environment variables are injected: AGENTVAULT_SESSION, AGENTVAULT_PROFILE, AGENTVAULT_TRUST.

Audit Trail

AVP requires an immutable, append-only log of every credential access decision. Each entry records the session ID, agent ID, profile name, variable name, action taken, and timestamp. Audit entries MUST be written before the access decision is enforced.

Audit Entry Fields

id         - Auto-incremented identifier
sessionId  - Links to the active session (UUID)
agentId    - Identifies the agent
profileName - Profile used for evaluation
varName    - Credential name evaluated
action     - "allow", "deny", or "redact"
timestamp  - ISO 8601 timestamp

Storage:SQLite is the recommended storage format. The audit trail MUST be append-only — individual entry deletion SHOULD NOT be permitted.

MCP Integration

Exposing vault, memory, and audit as Model Context Protocol tools.

AVP specifies a Model Context Protocol (MCP) server interface with 11 tools. Agents can interact with the vault programmatically instead of relying on subprocess sandboxing. Two transport options are supported: stdio (recommended for local use) and SSE (for remote/multi-client scenarios with token auth).

Tool	Description
vault.secret.get	Retrieve a credential by key
vault.secret.list	List all credential keys (no values)
vault.memory.store	Store a memory entry
vault.memory.query	Search memories by keyword
vault.memory.list	List memory entry metadata
vault.memory.remove	Remove a memory entry
vault.audit.show	Query the audit trail
vault.status	Show vault/memory counts and sizes
vault.profile.show	Show active profile details
vault.preview	Preview access decisions without enforcement
vault.export	Export to portable format

Rate Limiting:Default rate limit is 60 calls per minute. Budget state is persisted to mcp-budget.json.

Directory Layout

The standard filesystem structure for AVP data.

Standard Layout

.agentvault/
├── profiles/          # Permission profile YAML files
│   ├── restrictive.yml
│   ├── moderate.yml
│   └── permissive.yml
├── vault.json         # Encrypted credentials
├── memory.json        # Encrypted agent memory
├── sessions.json      # Active sessions
├── audit.db           # SQLite audit trail
├── mcp-budget.json    # Rate limit budget
├── purchased-banks/   # Memory banks
├── .passphrase        # Encryption key (mode 0600)
└── .gitignore         # Prevents accidental commits

The .gitignore file MUST contain * and !.gitignore to prevent accidental commit of sensitive data.

Code Examples

Reference implementations for core AVP algorithms.

These pseudocode examples show the core algorithms that any AVP implementation must support. They are language-agnostic and can be adapted to TypeScript, Python, Go, or any other language.

Pattern Matching

matchRule — core pattern matching(pseudocode)

function matchRule(varName, pattern):
    if pattern == "*":
        return true                          // wildcard matches everything
    if pattern ends with "*":
        prefix = pattern[0 .. length-2]      // strip trailing *
        return varName starts with prefix    // prefix match
    return varName == pattern                // exact match

Rule Evaluation (Last-Match-Wins)

checkAccess — evaluate profile rules(pseudocode)

function checkAccess(profile, varName):
    result = "deny"                         // default if no rules match
    for each rule in profile.rules:         // iterate in declaration order
        if matchRule(varName, rule.pattern):
            result = rule.access            // overwrite with latest match
    return result                           // "allow", "deny", or "redact"

Redaction Token Generation

generateRedactionToken(pseudocode)

function generateRedactionToken():
    randomBytes = crypto.randomBytes(8)     // 8 bytes minimum entropy
    hex = randomBytes.toHex()               // 16 hex characters
    return "VAULT_REDACTED_" + hex

// Example output: VAULT_REDACTED_a1b2c3d4e5f6a7b8
// Each redaction generates a UNIQUE token — never reuse tokens

Sandbox Execution Flow

sandboxAgent — full execution flow(pseudocode)

function sandboxAgent(profile, agentCommand):
    session = createSession(profile.name, agentCommand)
    credentials = loadVault() + loadHostEnvironment()
    filteredEnv = {}

    for each (name, value) in credentials:
        if name in SYSTEM_VARS:             // PATH, HOME, USER, SHELL, etc.
            filteredEnv[name] = value        // passthrough, not logged
            continue

        decision = checkAccess(profile, name)
        auditLog(session.id, name, decision) // log BEFORE enforcement

        if decision == "allow":
            filteredEnv[name] = value
        else if decision == "redact":
            filteredEnv[name] = generateRedactionToken()
        // "deny" → variable excluded entirely

    // Inject session metadata
    filteredEnv["AGENTVAULT_SESSION"] = session.id
    filteredEnv["AGENTVAULT_PROFILE"] = profile.name
    filteredEnv["AGENTVAULT_TRUST"]   = str(profile.trustLevel)

    // Spawn agent as child process with filtered environment
    spawnChildProcess(agentCommand, env=filteredEnv)
    onExit: markSessionInactive(session.id)

MCP Tool Call Example

vault.secret.get — JSON-RPC request/response(JSON)

// Request
{
  "jsonrpc": "2.0",
  "method": "tools/call",
  "params": {
    "name": "vault.secret.get",
    "arguments": { "key": "OPENAI_API_KEY" }
  },
  "id": 1
}

// Success response
{
  "jsonrpc": "2.0",
  "result": {
    "content": [{
      "type": "text",
      "text": "{ \"success\": true, \"data\": { \"key\": \"OPENAI_API_KEY\", \"value\": \"sk-abc123...\" } }"
    }]
  },
  "id": 1
}

// Error response (key not found)
{
  "jsonrpc": "2.0",
  "result": {
    "content": [{
      "type": "text",
      "text": "{ \"success\": false, \"error\": \"Key not found\", \"code\": \"KEY_NOT_FOUND\" }"
    }],
    "isError": true
  },
  "id": 1
}

Test Vectors:For complete reference inputs and expected outputs, see the test vectors in the protocol repository.

Ready to dive deeper?

Read the full specification for complete schemas, algorithms, and conformance requirements.

Full Specification View Examples