For the basic docker run command and first-time setup, see Installation. This page covers Docker-specific configuration, Compose, and image details.

Build from source

make docker
This runs a multi-stage build:
  1. node:22-alpine — builds the React/Vite frontend
  2. golang:1.25-alpine — compiles the Go binary with the embedded frontend
  3. alpine:3.21 — minimal runtime image
The final image runs as non-root user agentvault (UID 65532) and includes a built-in health check at GET /health.

Configuration

Expose both the HTTP API (14321) and the transparent HTTPS proxy (14322) so agents’ HTTPS_PROXY can reach the broker. Pass the master password via environment variable to wrap the data encryption key (DEK):
docker run -it -p 14321:14321 -p 14322:14322 \
  -v agent-vault-data:/data \
  -e AGENT_VAULT_MASTER_PASSWORD=your-password \
  -e AGENT_VAULT_ADDR=https://agent-vault.example.com \
  infisical/agent-vault
Omit AGENT_VAULT_MASTER_PASSWORD for passwordless mode: the DEK is stored unwrapped, relying on volume access controls for security.

Fetch the root CA from the running container so agents outside Docker trust the proxied TLS handshake:
# The /v1/mitm/ca.pem endpoint is public — no auth required
curl -O http://localhost:14321/v1/mitm/ca.pem
See transparent proxy setup for installing the CA into client trust stores.
| Variable | Required | Description |
| --- | --- | --- |
| AGENT_VAULT_MASTER_PASSWORD | No | Derives a KEK that wraps the data encryption key. If omitted, runs in passwordless mode. |
| AGENT_VAULT_ADDR | Recommended | Externally-reachable base URL. Defaults to http://localhost:14321. Used for generating links in emails, invites, and discovery responses. |
Never put AGENT_VAULT_MASTER_PASSWORD in your Dockerfile or a committed .env file. Use Docker secrets or your orchestrator’s secret management instead.
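One way to enforce this rule before a commit, as an added example that is not part of the Agent Vault documentation or code: a POSIX shell check that flags files assigning a literal value to AGENT_VAULT_MASTER_PASSWORD. The function name check_master_password_leak and the match patterns are assumptions chosen for illustration.

```sh
#!/bin/sh
# Added example (not Agent Vault project code): pre-commit style check that
# flags files hard-coding AGENT_VAULT_MASTER_PASSWORD instead of referencing
# a variable that is injected at runtime.

NAME='AGENT_VAULT_MASTER_PASSWORD'
SEP='[[:space:]]*[=: ][[:space:]]*'
# Any assignment with a non-empty value: .env (NAME=v), Dockerfile ENV
# (NAME v or NAME=v), Compose list (- NAME=v) or Compose map (NAME: v).
ASSIGN="${NAME}${SEP}[^[:space:]]"
# The value is only a variable reference such as ${AGENT_VAULT_MASTER_PASSWORD}.
# ${VAR:-default} is not exempt, because the default is itself a literal.
VARREF="${NAME}${SEP}"'"?\$\{?[A-Za-z_][A-Za-z0-9_]*\}?"?[[:space:]]*$'

# Prints "file:line:text" for each hard-coded value found in the given files.
# Returns 1 if at least one was found, 0 otherwise.
check_master_password_leak() {
  found=0
  for file in "$@"; do
    [ -f "$file" ] || continue
    # Keep assignments, drop pure variable references, drop comment lines.
    hits=$(grep -nE "$ASSIGN" "$file" \
      | grep -vE "$VARREF" \
      | grep -vE '^[0-9]+:[[:space:]]*#' || true)
    if [ -n "$hits" ]; then
      printf '%s\n' "$hits" | while IFS= read -r line; do
        printf '%s:%s\n' "$file" "$line"
      done
      found=1
    fi
  done
  return "$found"
}

# Run against the files named on the command line, for example the staged
# Dockerfile, .env and docker-compose.yml.
if [ "$#" -gt 0 ]; then
  check_master_password_leak "$@"
fi
```

The Compose file on this page passes the check because it only references ${AGENT_VAULT_MASTER_PASSWORD}; a .env file containing the actual password does not.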
Agent Vault supports additional configuration for SMTP email notifications, Google OAuth, domain restrictions, and more. See Environment variables for the full reference.

Docker Compose

docker-compose.yml
services:
  agent-vault:
    image: infisical/agent-vault
    ports:
      - "14321:14321"
      - "14322:14322"
    volumes:
      - agent-vault-data:/data
    environment:
      - AGENT_VAULT_MASTER_PASSWORD=${AGENT_VAULT_MASTER_PASSWORD}
    healthcheck:
      test: ["CMD", "wget", "-q", "--spider", "http://localhost:14321/health"]
      interval: 30s
      timeout: 5s
      retries: 3

volumes:
  agent-vault-data:
Start it:
export AGENT_VAULT_MASTER_PASSWORD=your-password
docker compose up -d
The health check uses wget because the minimal Alpine image does not include curl. If you swap to a different base image, adjust accordingly.

Volume and persistence

All state lives in a single SQLite database at /data/.agent-vault/agent-vault.db. The Docker image declares VOLUME /data, so data survives container restarts as long as you mount a named volume or host path.
Changing the master password re-wraps the data encryption key without re-encrypting credentials. Use agent-vault master-password change while the server is stopped.