Skip to main content

Prerequisites

  • A running Agent Vault instance on a separate host from where Codex runs (see installation guide).
  • Codex installed.
  • An agent token from Agent Vault (create one under Agents → Add agent).
Install the Agent Vault CLI on the host or in the container image where Codex runs, and point it at your Agent Vault instance. The CLI bootstraps Codex’s environment so every outbound API call routes through Agent Vault for credential injection.

1. Install the Agent Vault CLI

Add the agent-vault binary to the environment where Codex runs.
curl --proto '=https' --proto-redir '=https' --tlsv1.2 -fsSL https://get.agent-vault.dev | sh

2. Set environment variables

The CLI reads these on launch to authenticate with Agent Vault and scope its session to the right vault.
export AGENT_VAULT_ADDR="http://<your-host>:14321"
export AGENT_VAULT_TOKEN="av_agt_xxx"
export AGENT_VAULT_VAULT="<VAULT_NAME>"

3. Run Codex under agent-vault

agent-vault run launches Codex with HTTPS_PROXY and HTTP_PROXY pre-set so both its HTTPS and plain HTTP calls route through Agent Vault for credential injection.
agent-vault run -- codex
agent-vault run also installs an Agent Vault skill at ~/.agents/skills/agent-vault-cli/SKILL.md that teaches Codex how to raise proposals when API access is needed. The skill persists across sessions.

Next steps

Agent protocol

Full request lifecycle end-to-end.

Services

Pre-configure services you know the agent will need.