AVPAgent Vault Protocol

AI agents run with unrestricted access to the credentials, API keys and sensitive data

The Agent Vault Protocol defines a secure vault for credentials and agent memory — encrypted at rest, scoped by permission profiles, audited on every access, and revocable in an instant. It works with any agent, tool, or framework.

Read the SpecificationGetting Started

FOUR LAYERS OF DEFENSE

01

Access Control

Permission profiles that scope which credentials each agent can see — allow, deny, or redact.

02

Encrypted Storage

Credentials and agent memory encrypted at rest with AES-256-GCM and per-file random salts.

03

Audit Trail

Immutable, append-only log of every access decision — written before enforcement.

04

Session Control

Time-limited sessions with instant revocation. Kill all active agent sessions in one command.

Why now?

AI agents are powerful. They write code, deploy infrastructure, manage databases, make API calls, and operate autonomously across your development stack. Tools like Claude Code, Cursor, GitHub Copilot, LangChain, and CrewAI can access your AWS keys, database credentials, API tokens, crypto wallets, and payment integrations — everything in your environment.

But that power comes with risk. Researchers have already demonstrated tool poisoning attacks where malicious MCP servers embed hidden instructions that trick agents into exfiltrating SSH keys and configuration files without user awareness. Tool shadowing attacks hijack trusted tools to redirect emails and data to attacker-controlled endpoints. In one demonstration, a fake tool stole WhatsApp message history by silently rerouting messages while hiding the exfiltration off-screen. These aren't theoretical — they've been proven against real tools like Cursor and popular MCP integrations.

Yet there is no standard for controlling what an agent can see. No way to scope credential access. No audit trail. No revocation mechanism. If an agent is compromised, manipulated through prompt injection, or simply behaves unexpectedly, you have no defense and no record of what happened.

The problem

Three critical gaps exist in every AI agent deployment today.

No scoping

When you run an AI agent, it inherits your entire environment. There's no way to say "allow NODE_ENV but deny AWS_SECRET_KEY." It's all or nothing.

No visibility

You have no record of which credentials an agent accessed, when, or whether it was necessary. If a secret is exfiltrated, there's no audit trail to investigate.

No revocation

Once an agent starts, you can't revoke its access to specific credentials without killing the entire process. There's no session management or kill switch.

Where AVP fits

AVP is primarily an access control and permissions layer for AI agents. It also specifies an encrypted vault for storing credentials at rest (AES-256-GCM), but it does not handle credential rotation or centralized multi-service management.

Tools like HashiCorp Vault and AWS Secrets Manager answer "where do I store, rotate, and distribute secrets across services?" AVP answers a different question: "when an AI agent runs, which credentials can it access, and how is every access decision recorded?"

They are complementary. You can use a centralized secret manager to store and rotate credentials, then use AVP to control which of those credentials an agent can see at runtime.

How AVP fits in the stack

Centralized Secret Stores

Rotation, distribution, multi-service

HashiCorp Vault, AWS SM, .env
secrets retrieved

Host Environment / AVP Vault

Credentials available at runtime

Env vars or encrypted vault
agent spawned

AVP — Access Control + Audit

This is what AVP specifies
Encrypted vault (AES-256-GCM)
Allow / deny / redact per credential
Immutable audit trail
Session mgmt + revocation
filtered environment

AI Agent

Runs with scoped, audited access

Claude Code, Cursor, LangChain...

Why AVP matters

Depending on your role, AVP solves different problems.

For tool builders

Implement AVP once in your agent, IDE extension, or framework, and users get granular control over what secrets your tool can see. No proprietary permission systems needed — just YAML profiles and a simple pattern-matching algorithm.

For platform & security teams

AVP gives you encrypted-at-rest credential storage, immutable audit trails, session TTLs, and an emergency kill switch. Every access decision is logged before enforcement. Deploy agents in CI/CD, staging, or production with a compliance-ready audit trail.

For end users

Your credentials are encrypted, agent access is scoped to what's necessary, and you can see exactly what was accessed and when. If something goes wrong, you have a full audit trail and can revoke all agent sessions instantly.

What can AVP enable?

Real-world scenarios where AVP prevents credential exposure and gives you control.

Scoped coding assistants

Run Claude Code or Cursor with a profile that allows NODE_ENV but redacts all cloud credentials. If the agent is compromised or hallucinates a shell command, your AWS keys and database passwords are never exposed.

Audited CI/CD pipelines

Give AI agents in your build pipeline a 10-minute session at trust level 30 that allows only CI-specific variables. Every credential access is logged to an immutable audit trail — ready for compliance review or incident investigation.

Untrusted agents from marketplaces

Running a third-party agent or plugin you haven't vetted? Start with the restrictive profile (deny everything, 5-minute TTL). The agent gets system variables only. Gradually increase access as you build trust.

Emergency revocation

If an agent behaves unexpectedly, one command revokes all active sessions. SIGTERM is sent to every agent process, credential access is immediately cut, and the full audit trail shows exactly what was accessed before revocation.

Compliance-ready audit trails

Every credential access decision is logged before enforcement — session ID, agent ID, variable name, action taken, timestamp. Stored in append-only SQLite, queryable for incident response, SOC reviews, or regulatory audits.

Persistent agent memory

Agents build institutional knowledge across sessions — API rate limits, deployment patterns, project conventions — stored encrypted at rest. Keyword search retrieves relevant knowledge without re-discovering information every time.

Design principles

Six principles that guide every design decision in AVP.

1.

Local-first

All data stays on your machine. No network calls required. No cloud dependency.

2.

Deny by default

Credentials are denied unless explicitly allowed by a profile rule. Fail closed.

3.

Audit everything

Every access decision is logged before enforcement. Immutable, append-only trail.

4.

Simple to implement

The core algorithm — pattern matching with last-match-wins — is under 50 lines in any language.

5.

Framework-agnostic

Works with any agent, tool, or runtime that uses environment variables. Not tied to any vendor.

6.

Human-readable

Profiles are YAML. Audit logs are queryable SQL. Vault entries are structured JSON.

Threat model

What AVP protects against — and what it doesn't. Transparency builds trust.

AVP protects against

Agent reads forbidden credentials

Profile-based allow/deny/redact filters credentials before the agent sees them

Credentials exposed on disk

AES-256-GCM encryption at rest with scrypt key derivation and per-file random salts

No visibility into agent access

Immutable audit trail logs every decision before enforcement

Runaway agent sessions

TTL enforcement with automatic revocation and emergency kill switch

Redacted value correlation

Cryptographically random redaction tokens, unique per variable per session

Memory leaked via index files

Search operates entirely in-memory; no plaintext index written to disk

Vault file copied without key

Encrypted at rest; attacker must brute-force scrypt-derived key

AVP does NOT protect against

Compromised host OS

If an attacker has root access, they can read process memory or modify binaries. AVP relies on OS-level security.

Malicious agent with code execution

An agent could attempt to read /proc/self/environ or similar. Use OS sandboxing (seccomp, AppArmor) for high-security deployments.

Side-channel attacks on encryption

AES-256-GCM and scrypt are well-studied but AVP does not mandate constant-time implementations.

Brute-force of weak passphrases

scrypt provides computational resistance, but a weak passphrase remains vulnerable. Enforce minimum strength.

Local license tampering

License files are plaintext. A determined user can reset access counts. Use server-side tracking for high-value content.

Network attacks on SSE transport

Token-based auth is specified but TLS is required for production SSE deployments.

What AVP defines

Eight components working together to control, encrypt, audit, and revoke AI agent access.

Encrypted Vault

AES-256-GCM encrypted credential storage with scrypt key derivation and per-file random salts.

Permission Profiles

YAML-based rules with last-match-wins semantics. Three pattern types: wildcard, prefix, and exact.

Audit Trail

Immutable, append-only log of every credential access decision. Written before enforcement.

Session Management

UUID-tracked sessions with TTL enforcement, metadata injection, and instant revocation.

Encrypted Memory

Agent knowledge, query caches, and operational data. Keyword search with confidence scoring.

Portable Format

Self-contained .avault files with independent passphrases for secure vault transfer.

MCP Interface

11 Model Context Protocol tools for programmatic access to vault, memory, and audit.

Memory Banks

Distributable memory collections with licensing models: time-locked, access-limited, subscription.

Conformance levels

Implement what you need. Start with Core, grow to Full or Extended.

Level 1 — Core

Required

  • Profile schema and rule matching
  • Three-state access model (allow/deny/redact)
  • System variable passthrough
  • Audit trail logging
Level 2 — Full

Recommended

  • Everything in Level 1
  • Encrypted vault (random per-file salt)
  • Session management + revocation
  • Encrypted agent memory
  • Memory search algorithm
  • Standard directory structure
  • TTL enforcement
Level 3 — Extended

Optional

  • Everything in Level 2
  • Portable vault format (.avault)
  • Memory banks + licensing
  • MCP server interface
  • Graceful shutdown

Start building

Explore the protocol, learn the concepts, or jump straight into the spec.

Read the Specification

The complete AVP v1.0 standard

Getting Started

Learn the core concepts

View Examples

Ready-to-use permission profiles

Understand Concepts

Architecture and design principles

Contribute to AVP

Propose changes, report issues, or build on the reference implementation.

GitHub →

Known implementations

Tools and libraries that implement the AVP standard.

ImplementationLanguageLevelLink
AgentVaultTypeScriptLevel 3GitHub

Building an AVP-compliant tool? Open an issue to get listed.