Skip to main content
Agent Vault ships as a single binary that acts as both a server and CLI client. Install it once, then use agent-vault server to run a server and agent-vault auth login to interact with it.

Install

Auto-detects your OS and architecture, downloads the latest release, and installs. Works for both fresh installs and upgrades (backs up your database before upgrading).
curl -fsSL https://get.agent-vault.dev | sh
Supports macOS (Intel + Apple Silicon) and Linux (x86_64 + ARM64).
On a successful install the script sends an anonymous ping (OS, architecture, version — nothing else) so we can count installs for the launch. Opt out by placing AGENT_VAULT_NO_TELEMETRY=1 in front of sh, not curl:
curl -fsSL https://get.agent-vault.dev | AGENT_VAULT_NO_TELEMETRY=1 sh
Verify the installation: 
agent-vault --help

Verify a release (optional)

Every release includes SHA-256 checksums and a cosign signature for supply-chain security. No keys to manage - verification uses GitHub’s OIDC identity. 
# Download the checksums and signature bundle from the release page, then:

# 1. Verify the binary hasn't been tampered with
sha256sum --check checksums.txt

# 2. Verify the checksums were signed by the Infisical/agent-vault GitHub Actions workflow
cosign verify-blob \
  --bundle checksums.txt.bundle \
  --certificate-identity-regexp "github.com/Infisical/agent-vault" \
  --certificate-oidc-issuer "https://token.actions.githubusercontent.com" \
  checksums.txt

Upgrade

Re-run the same install command — the script detects your existing installation, stops the running server, backs up your database, and installs the latest version:
curl -fsSL https://get.agent-vault.dev | sh
Restart the server afterward:
agent-vault server
Database migrations run automatically on server startup — no manual steps required.

Start a server

agent-vault server
On first run, Agent Vault generates a random data encryption key (DEK) that encrypts all credentials at rest with AES-256-GCM. You can optionally set a master password to wrap the DEK (leave it empty for passwordless mode). The master password is never stored on disk. For non-interactive or automated environments, set the AGENT_VAULT_MASTER_PASSWORD environment variable or pass --password-stdin. Omit it entirely for passwordless mode. See environment variables for all options. To run in the background: 
agent-vault server -d
To stop a background server: 
agent-vault server stop

Register and log in

The first user to register becomes the instance owner with full admin privileges and is automatically granted admin on the default vault. Any CLI command that needs authentication will walk you through registration and login automatically — just run the command you want and follow the prompts. You can also register explicitly:
bash agent-vault auth register agent-vault auth login
Subsequent users can self-register via agent-vault auth register, the web registration page, or be invited to a vault by a vault admin. Once registered, you can manage Agent Vault through either the web dashboard or entirely via the CLI. Both give you full access to services, credentials, agents, and proposal approvals.

Next steps

Your first proposal

Invite an agent and approve your first request.

Connect an agent

Agent-specific setup guides for Claude Code, Cursor, and more.