An open protocol for securing how AI agents access credentials, memory, and environment variables
Documentation | Specification | Discussions
New to AVP? Head over to the official website for an introduction and getting started guides.
This repository is home to the:
- Protocol specification for AVP v1.0
- JSON Schemas for all AVP data formats
- Reference permission profiles for common use cases
- Test vectors for implementer conformance verification
- Security policy and threat model
All schemas are published in JSON Schema format for cross-language compatibility. AVP includes an MCP server interface that allows agents to interact with vaults and memory programmatically.
Full documentation and guides are hosted at agentvaultprotocol.org.
- Read the Documentation for guides and tutorials
- Review the Specification for protocol details
- Explore the JSON Schemas for machine-readable data formats
- Try the reference implementation:
  - AgentVault CLI + MCP Server (TypeScript) — npm install -g agent-vault
AI agents run with full access to your credentials. There's no standard way to:
- Scope which secrets an agent can see
- Encrypt credentials at rest with per-file random salts
- Store agent memory securely with search and expiration
- Audit every credential and memory access decision
- Revoke agent access in real-time
- Redact sensitive values while preserving variable names
- Exchange vaults between tools via a portable format
AVP solves this with a framework-agnostic protocol.
The full protocol specification is available at agentvaultprotocol.org/specification.
| Document | Description |
|---|---|
| AVP v1.0 Specification | Full protocol specification |
| MCP Integration | Model Context Protocol specification (MCP server interface) |
| JSON Schemas | Machine-readable schemas for all data formats |
| Example Profiles | Sample permission profiles (restrictive, moderate, permissive) |
| Test Vectors | Reference inputs/outputs for implementers |
| Changelog | Version history |
| Concept | Description |
|---|---|
| Encrypted Vault | AES-256-GCM with scrypt key derivation, random salt per file |
| Memory Store | Encrypted agent memory with keyword search, confidence scoring, TTL |
| Permission Profile | YAML rules: allow / deny / redact, last-match-wins evaluation |
| Audit Trail | Immutable SQLite log of every access decision |
| Session | Bounded execution context with revocation support |
| Portable Vault | Self-contained .avault format for vault exchange |
| MCP Interface | 12 tools for credential and memory access via Model Context Protocol |
| Memory Banks | Packaged knowledge with licensing (unlimited, time-locked, access-limited) |
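The allow / deny / redact rules with last-match-wins evaluation from the Permission Profile row, shown as an added example that is not code from AgentVault or the AVP specification. The rule shape, the `*` glob syntax, the default-deny fallback and the `[REDACTED]` placeholder are assumptions made for illustration.

```typescript
// Added example: rule shape, glob syntax, default-deny and the placeholder
// value are assumptions, not taken from the AVP specification.
type Action = "allow" | "deny" | "redact";
interface Rule { pattern: string; action: Action }

// Translate a simple glob ("*" = any run of characters) into an anchored RegExp.
function globToRegExp(glob: string): RegExp {
  const escaped = glob.replace(/[.+?^${}()|[\]\\]/g, "\\$&").replace(/\*/g, ".*");
  return new RegExp("^" + escaped + "$");
}

// Last-match-wins: walk every rule in order; the final matching rule decides.
// A variable that no rule matches is denied (assumed default).
function decide(name: string, rules: Rule[]): Action {
  let decision: Action = "deny";
  for (const rule of rules) {
    if (globToRegExp(rule.pattern).test(name)) decision = rule.action;
  }
  return decision;
}

// Build the environment an agent would see: denied names are dropped,
// redacted names are kept with a placeholder instead of the real value.
function filterEnv(env: Record<string, string>, rules: Rule[]): Record<string, string> {
  const out: Record<string, string> = {};
  for (const name of Object.keys(env)) {
    const action = decide(name, rules);
    if (action === "allow") out[name] = env[name];
    else if (action === "redact") out[name] = "[REDACTED]";
  }
  return out;
}

// Constructed sample profile and environment.
const sampleRules: Rule[] = [
  { pattern: "*", action: "deny" },
  { pattern: "AWS_*", action: "redact" },
  { pattern: "NODE_ENV", action: "allow" },
  { pattern: "AWS_REGION", action: "allow" },
];
const sampleEnv: Record<string, string> = {
  NODE_ENV: "production",
  AWS_REGION: "eu-west-1",
  AWS_SECRET_ACCESS_KEY: "constructed-secret",
  DATABASE_URL: "postgres://constructed",
};
console.log(filterEnv(sampleEnv, sampleRules));
```

Because the last matching rule wins, rule order is security-relevant: appending a broad `deny` after a narrow `allow` silently overrides it, and the reverse widens access.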
- Level 1 (Core): Profiles, access decisions, sandbox filtering, audit trail
- Level 2 (Full): Core + encrypted vault, sessions, revocation, TTL, encrypted memory, memory search, directory structure
- Level 3 (Extended): Full + portable vault format, memory banks, licensing, MCP server
All data formats have machine-readable JSON Schemas in schema/v1.0/:
| Schema | Purpose |
|---|---|
| encrypted-envelope.schema.json | AES-256-GCM encrypted data format |
| vault-entry.schema.json | Credential vault entry |
| memory-entry.schema.json | Memory store entry |
| profile.schema.json | Permission profile |
| audit-entry.schema.json | Audit log entry |
| session.schema.json | Session lifecycle |
| portable-vault.schema.json | Portable vault (.avault) format |
| memory-portable.schema.json | Portable memory format |
| mcp-response.schema.json | MCP tool response contract |
| bank-descriptor.schema.json | Memory bank metadata |
| license-descriptor.schema.json | Bank license terms |
| Implementation | Type | Install |
|---|---|---|
| AgentVault | CLI + MCP Server (TypeScript) | npm install -g agent-vault |
Building an AVP-compliant tool? Open a PR to add it to this list.
See SECURITY.md for vulnerability reporting, threat model, and responsible disclosure process.
See CONTRIBUTING.md for how to propose changes to the specification.
This specification is released under the MIT License.