Skip to main content

Prerequisites

  • A running Agent Vault instance on a separate host from where OpenCode runs (see installation guide).
  • OpenCode installed.
  • An agent token from Agent Vault (create one under Agents → Add agent).
Install the Agent Vault CLI on the host or in the container image where OpenCode runs, and point it at your Agent Vault instance. The CLI bootstraps OpenCode’s environment so every outbound API call routes through Agent Vault for credential injection.

1. Install the Agent Vault CLI

Add the agent-vault binary to the environment where OpenCode runs.
curl --proto '=https' --proto-redir '=https' --tlsv1.2 -fsSL https://get.agent-vault.dev | sh

2. Set environment variables

The CLI reads these on launch to authenticate with Agent Vault and scope its session to the right vault.
export AGENT_VAULT_ADDR="http://<your-host>:14321"
export AGENT_VAULT_TOKEN="av_agt_xxx"
export AGENT_VAULT_VAULT="<VAULT_NAME>"

3. Run OpenCode under agent-vault

agent-vault run launches OpenCode with HTTPS_PROXY and HTTP_PROXY pre-set so both its HTTPS and plain HTTP calls route through Agent Vault for credential injection.
agent-vault run -- opencode
agent-vault run also installs an Agent Vault skill at ~/.opencode/skills/agent-vault-cli/SKILL.md that teaches OpenCode how to raise proposals when API access is needed. The skill persists across sessions.

Next steps

Agent protocol

Full request lifecycle end-to-end.

Services

Pre-configure services you know the agent will need.