Credential Vault
A credential vault is an encrypted storage system that keeps API keys, passwords, and tokens separate from the agent server. The agent never directly handles your credentials.
What is a credential vault?
A credential vault is a security system that stores sensitive authentication data (API keys, passwords, OAuth tokens, service accounts) in an encrypted, access-controlled location that is physically separate from the systems that use those credentials. Instead of storing a password on the same server that needs it, the vault holds the password and provides it only when needed, through a controlled and auditable process.
In the context of AI agents, credentials are especially sensitive. An AI agent typically needs access to multiple services: email providers, calendar systems, CRM platforms, code repositories, and more. Without a credential vault, all of these passwords and API keys sit in plaintext configuration files on the agent's server. If the server is compromised, every credential is immediately exposed.
A credential vault eliminates this risk by ensuring credentials never exist on the agent server at all. The agent makes requests through a secure proxy that injects the appropriate credentials at the network layer. Even if someone gained full access to the agent's server, there would be no credentials to steal.
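The proxy step described above, as an added example (not ClawTrust's code and not from the original page): the agent sends a request with no secret, and the proxy picks the credential by agent and destination host, attaches it, and logs the event. The names VAULT, inject_credentials and scrub_response, the agent id, the host names and the token values are all constructed for illustration, and the https-only and exact-host checks are choices made for this example.

```python
from urllib.parse import urlsplit

# Constructed sample data. In a real deployment the vault is encrypted storage
# on separate infrastructure; a dict stands in for it here.
VAULT = {
    ("agent-1", "api.mail.example"): ("Authorization", "Bearer constructed-mail-token"),
    ("agent-1", "crm.example"): ("X-Api-Key", "constructed-crm-key"),
}
CREDENTIAL_HEADERS = {"authorization", "proxy-authorization", "cookie", "x-api-key"}
AUDIT_LOG = []


def inject_credentials(agent_id, request):
    """Return the outbound request the proxy sends upstream for an agent request."""
    url = urlsplit(request["url"])
    host = (url.hostname or "").lower()
    # Never attach a secret to a plaintext connection.
    if url.scheme != "https":
        raise PermissionError("credentials are only injected over https")
    # Exact host match: a lookalike such as api.mail.example.other.test gets nothing.
    entry = VAULT.get((agent_id, host))
    if entry is None:
        AUDIT_LOG.append({"agent": agent_id, "host": host, "result": "denied"})
        raise PermissionError(f"no credential for {agent_id} -> {host}")
    # Drop anything credential-like the agent supplied, then add the real one.
    headers = {k: v for k, v in request.get("headers", {}).items()
               if k.lower() not in CREDENTIAL_HEADERS}
    name, value = entry
    headers[name] = value
    # The audit record names the header used, never the secret itself.
    AUDIT_LOG.append({"agent": agent_id, "host": host, "header": name, "result": "injected"})
    return {"method": request["method"], "url": request["url"], "headers": headers}


def scrub_response(agent_id, host, body):
    """Mask the injected secret if the upstream service echoes it back."""
    entry = VAULT.get((agent_id, host))
    if entry is None:
        return body
    secret = entry[1].split(" ", 1)[-1]  # strip a "Bearer " scheme prefix if present
    return body.replace(secret, "[redacted]")
```

The response scrub matters because the "agent never sees the credential" property also depends on what comes back: an upstream service that echoes request headers would otherwise hand the secret to the agent.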
Why it matters
Credentials are the keys to your digital kingdom. A single leaked API key can give an attacker access to your email, calendar, financial accounts, customer data, and more. For AI agents, the risk is amplified because agents typically need access to many services simultaneously, creating a concentration of credentials in one place.
Traditional self-hosted setups store all credentials in environment files on the agent server. This means a single point of compromise exposes everything. A credential vault breaks this pattern by separating credential storage from credential usage, so no single system holds both the agent and all its keys.
How ClawTrust handles this
ClawTrust stores all credentials in an encrypted vault on the control plane, completely separate from your agent's server. When your agent needs to access a service, the request is proxied through the control plane, which injects the credential at the network layer. Your agent never sees, handles, or stores your passwords. You manage credentials through the ClawTrust dashboard, where they are encrypted before storage. Even in the unlikely event of a full server compromise, there are zero credentials on the agent server to steal.
Related terms
Zero Trust Hosting
Zero trust hosting is a security model where every server has zero open inbound ports, uses outbound-only encrypted networking, and requires verification for every connection.
Disk Encryption
Disk encryption protects all data stored on a server by encrypting the entire disk with LUKS2. If someone physically accesses the drive, the data is unreadable without the encryption key.
Encrypted Tunnels
Encrypted tunnels are outbound-only, encrypted network connections that replace traditional SSH and VPN access. The server connects outward, so no ports need to be open for incoming traffic.
Frequently asked questions
Where are my credentials actually stored?
Your credentials are stored in an encrypted vault on the ClawTrust control plane, which is separate infrastructure from your agent's server. They are encrypted before storage and only decrypted at the moment they are needed for a request.
Can the AI agent see my passwords?
No. Credentials are injected at the proxy layer when the agent makes a request to an external service. The agent itself never receives, processes, or stores your actual passwords or API keys.
What happens if the agent server is compromised?
Because credentials are not stored on the agent server, a compromise would not expose any of your passwords, API keys, or tokens. The attacker would find no credentials to steal.
How do I add or update credentials?
You manage all credentials through the ClawTrust dashboard. Adding a new credential is as simple as selecting the service, entering the key, and saving. The dashboard encrypts it and stores it in the vault. Your agent can use it immediately.
Is this different from storing credentials in environment variables?
Yes, fundamentally. Environment variables store credentials as plaintext on the same server as the agent. The credential vault stores them encrypted on separate infrastructure. The agent never has direct access to the raw credential values.