Token Vault Documentation
Secure credential management and MCP proxy for AI agents
Token Vault is a full-stack platform for secure token management and MCP proxying for AI agents. It stores external service credentials (GitHub PATs, Google APIs, and more) in an encrypted vault, acts as an MCP proxy between AI agents and external services, and provides a dashboard for token and vault management.
Quick Start
Get up and running in minutes
Follow these four steps to start managing your credentials securely.
1. Create an account
Sign up with Google on the login page.
2. Configure your vault
Go to Settings > Vault and run the setup wizard. Choose your vault mode.
3. Add your first token
From the Tokens page, click "Connect GitHub", "Connect Google", or "Add Custom Token".
4. Create an MCP proxy or agent
Set up an MCP proxy or create an Agent with direct credential grants.
Getting Started
Overview
Architecture, core concepts, and how Token Vault fits into your workflow.
Setup
Create your account, configure your vault, and connect your first service.
Token Management
Add tokens via OAuth or manually. Token types and automatic refresh.
Vault Modes
Vault Modes
Compare Platform Mode and Webhook Mode - choose your trust model.
Platform Mode
Zero-config managed encryption. Token Vault stores and encrypts everything for you.
Webhook Mode
Full data sovereignty with webhook-owned encryption and a kill switch.
Security
Encryption
AES-256-GCM encryption with platform-held or webhook-owned key management.
Credential Retrieval
How credentials are retrieved in Platform Mode and Webhook Mode.
Agents & Integrations
MCP Proxy
Set up a secure proxy so AI agents never see your real credentials.
Agents & Grants
Create agent identities with scoped, time-limited credential access.
tvault CLI
Command-line tool for managing tokens, agents, and vault operations.
Example Webhook
Reference webhook server implementation. Clone and run locally with Docker.
Policies
Access Policies
ABAC rules for time windows, IP allowlists, rate limits, usage caps, and manual approval.
Push Notifications
Real-time alerts and manual approval prompts on your phone.
Webhook Integration
Overview
HMAC-signed endpoints for secure token storage and credential access.
Endpoints
Detailed request and response schemas for every /v1/ endpoint.
Authentication
HMAC-SHA256 signing, timestamp validation, and replay prevention.
Security & IP Whitelisting
Static IP configuration, kill switch, and security best practices.
Debug & Testing Tools
Interactive endpoint tester, security verification, and latency diagnostics.