Skip to main content

Documentation Index

Fetch the complete documentation index at: https://docs.agent-vault.dev/llms.txt

Use this file to discover all available pages before exploring further.

Deploy

1

Install the Fly CLI and authenticate

Install flyctl using the official instructions, then log in:
fly auth login
2

Clone the repo and create the app

git clone https://github.com/infisical/agent-vault.git
cd agent-vault
fly launch --no-deploy
When prompted, keep the existing fly.toml configuration. The --no-deploy flag prevents deploying before secrets are set.
3

Set secrets

# Optional — omit for passwordless mode (DEK stored unwrapped on volume)
fly secrets set AGENT_VAULT_MASTER_PASSWORD=your-password
fly secrets set AGENT_VAULT_ADDR=https://your-app.fly.dev
VariableRequiredDescription
AGENT_VAULT_MASTER_PASSWORDNoDerives a KEK that wraps the data encryption key. Omit for passwordless mode.
AGENT_VAULT_ADDRRecommendedExternally-reachable base URL. Used for generating links in emails, invites, and discovery responses.
Agent Vault supports additional configuration for SMTP email notifications, Google OAuth, domain restrictions, and more. See Environment variables for the full reference.
4

Deploy

fly deploy
On first deploy, Fly will prompt you to create the persistent volume. If it doesn’t, create one manually:
fly volumes create agent_vault_data --region sjc --size 1
fly deploy
5

Register the owner

agent-vault auth register --address https://your-app.fly.dev
The first user to register becomes the instance owner with full admin privileges, auto-granted admin on the default vault.
6

Verify

fly status
curl https://your-app.fly.dev/health

Key details

  • Config: fly.toml exposes port 14321 via Fly’s HTTP service (force HTTPS, auto-stop/auto-start) and port 14322 via TCP passthrough for the transparent MITM proxy — the MITM listener’s own TLS cert handles the handshake, so Fly doesn’t terminate TLS on that port
  • Agent HTTPS_PROXY: https://<token>:<vault>@your-app.fly.dev:14322 — the root CA must be trusted by the agent’s HTTP client (fetch with agent-vault ca fetch --address https://your-app.fly.dev)
  • Entrypoint: scripts/docker-entrypoint.sh forwards arguments to the agent-vault binary, which natively reads AGENT_VAULT_MASTER_PASSWORD from the environment
  • Storage: Persistent volume agent_vault_data mounted at /data — all state is in a single SQLite file
  • Cold starts: min_machines_running defaults to 0, so the app scales to zero when idle. The first request after sleep incurs a few seconds of cold-start latency. Set it to 1 in fly.toml if you need always-on availability.
Changing the master password re-wraps the data encryption key without re-encrypting credentials. Use agent-vault master-password change while the server is stopped.