Prompt context can repeat secrets.
A credential copied into prompt context can be repeated, transformed, logged, or leaked by a compromised model path.
A conventional secret manager protects stored credentials. Vault is built for agent systems where the requester may be a model, tool, workflow, or automated runtime. The credential should be used through a governed access path, not copied into prompt text, tool context, logs, or model-visible memory.
Agents request capability. Vault protects the credential.
Agent systems do not only call models. They touch APIs, tools, servers, accounts, files, workflows, and customer systems. If credentials are placed into model context or tool-visible memory, a prompt injection, compromised tool, or unsafe continuation can turn access material into exfiltration material.
A credential copied into prompt context can be repeated, transformed, logged, or leaked by a compromised model path.
A tool that receives raw credentials can pass them through logs, callbacks, retries, error messages, or unsafe downstream calls.
An agent runtime with broad credential access can convert a small instruction into a high-impact action.
Vault is designed to represent the access material agents and AI workflows need to use without seeing raw: API keys, service tokens, SSH keys, certificates, license keys, payment credentials, environment variables, usernames and passwords, server logins, remote access credentials, identity forms, sensitive documents, financial account data, address and profile data, named credential slots, and operation-scoped material where supported.
Each object carries enough identity to be requested safely: a name, owner, scope, system, or workflow reference. The protected value remains masked, encrypted, or released only in governed form.
Vault’s architecture targets zero-knowledge server storage: encrypted ciphertext on the server, decryption controlled by device-bound keys, and no plaintext credential value stored server-side.
Credential values are represented as encrypted material rather than server-readable plaintext.
The decryption boundary is kept close to the trusted device or runtime that holds the key material.
Receipts record access decisions and outcomes, not the credential value itself.
MCP Access Pass is the agent-facing interface to Vault where supported. Agents request credential use through named tools, submit approval codes when required, and receive governed material instead of raw secrets.
MCP Access Pass is designed so agent-access tools follow the same request, approval, release, and receipt path instead of exposing a direct route to raw credentials. The access pass identifies the slot and requested use; Vault keeps the protected value behind the boundary.
Vault treats credential use as an authorization event. The requester must declare what it wants to access, where the request came from, which tool or workflow will use it, and why the access is needed.
The agent or workflow requests a named credential slot and declares intent, origin, tool, workflow, and scope.
Vault checks origin constraints, allowed use, scope, policy state, and risk signals before release.
High-risk access can require a time-limited approval challenge or human confirmation where configured.
Vault releases governed material for the specific use, not a raw credential placed into model context.
The access decision is recorded without including the credential value.
When access is allowed, Vault can provide a governed form of use: encrypted material, a short-lived derived token, or a signed payload for a specific operation. The point is to let the work continue without turning the credential into model-visible text.
An encrypted form of credential material can be released for the runtime that is allowed to use it, without turning the value into prompt-visible text.
A derived token can be scoped to a short window and specific context so access does not become a standing credential in the agent path.
A signed payload can authorize a specific operation while keeping the underlying credential outside model context.
Vault should not sit beside Gateway and Sentinel as an unmanaged side channel. Credential requests, provider access, sensitive-data screening, and execution decisions need to line up across the same operating path.
Gateway gives model-provider calls one operating layer. Vault adds protected access to the credentials and execution rights those calls may require.
PriviShield reduces sensitive-data exposure before credential-backed context or provider-bound content moves further through the runtime.
Sentinel can evaluate access risk, pathway context, and control state before sensitive material is released or an action continues where enabled.
Vault evidence should explain what happened without becoming the thing it is protecting. Receipts can show that access was requested, approved, denied, expired, or released in governed form, without storing the credential value itself.
Evidence should let an operator understand who requested access, which slot was involved, what policy or risk state applied, what material type was released, and which outcome was recorded.
The receipt boundary is deliberately narrow: explain the access decision without storing or displaying credential values.
Vault is built for agent systems where access is needed but raw secrets should not become model-visible text. Agents request capability. Vault protects the credential. Sentinel controls the decision path.