{{define "claude-code"}}
Integration Guide
Give Claude Code secure, scoped access to credentials. Every secret stays encrypted until the moment it's needed — and your AI never sees what it shouldn't.
Claude Code calls the Clavitor CLI to fetch credentials. Each agent token is scoped — it can only access entries you've explicitly allowed. No vault browsing, no discovery, no surprise access.
Credential Encryption
API keys, SSH keys, OAuth tokens, TOTP secrets. Encrypted at rest, decryptable by the vault. Claude fetches what it's scoped to via the CLI.
Identity Encryption
Passport numbers, credit cards, private signing keys. Encrypted client-side with WebAuthn PRF. The server cannot decrypt them. Neither can Claude. Math, not policy.
From the Clavitor web UI or CLI, create a token scoped to the entries Claude needs.
Claude calls the CLI directly. The token restricts access to the dev scope only.
Store TOTP secrets as Credential fields. Claude generates time-based 2FA codes on demand.
MCP gives the agent access to the vault — search, list, browse. That's too much. Clavitor's CLI gives the agent exactly the credentials it's scoped to. Nothing more. No browsing, no discovery.
Create separate tokens for different contexts. Your deploy agent sees Vercel keys. Your code agent sees GitHub tokens. Neither sees your personal credentials.
Three-tier encryption. Scoped access. Your AI gets what it needs — nothing more.
Integration Guide
Connect Codex to your vault via the CLI. Scoped tokens, TOTP generation, field-level encryption. Your Codex agent gets exactly what it needs.
Codex calls the Clavitor CLI to fetch credentials and generate 2FA codes. Each token is scoped — Codex only sees entries you've explicitly allowed.
Vault Encryption
Entire vault encrypted at rest. AES-256-GCM.
Credential Encryption
Per-field. Codex can read these via scoped CLI tokens.
Identity Encryption
Per-field. Client-side. WebAuthn PRF. Nobody can read these — not Codex, not us.
Integration Guide
Multi-agent credential management. Give your OpenClaw agents scoped access to credentials. Each agent sees only what it needs.
When you run multiple OpenClaw agents — a deploy agent, a monitoring agent, a social agent — they all need different credentials. Sharing one vault key means every agent sees everything. A compromised deploy agent exposes your personal data.
Create a separate scoped token per agent. Each token can only access its designated entries. Compromise one, the rest stay clean.
One vault. Five agents. Five scopes.
# Deploy agent — Vercel, Netlify, AWS
$ clavitor token create --scope deploy --name "OC Deploy"
# Monitor agent — Datadog, PagerDuty
$ clavitor token create --scope monitor --name "OC Monitor"
# Social agent — Twitter, Discord
$ clavitor token create --scope social --name "OC Social"
# Finance agent — Stripe, Plaid
$ clavitor token create --scope finance --name "OC Finance"
# Code agent — GitHub, GitLab
$ clavitor token create --scope dev --name "OC Dev"
Each agent calls the CLI with its own token. The vault enforces scope boundaries — no agent can escalate.
Credential fields are readable by scoped agents. But Identity fields — passport numbers, credit cards, private signing keys — are encrypted client-side with WebAuthn PRF. No agent, no server, no court order can decrypt them. The key never leaves your device.
Multi-agent. Scoped. Encrypted. Built for autonomous workflows.
Integration Guide
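Multi-agent credential management. Give each OpenClaw agent its own scoped access to credentials. Each agent sees only what it needs.
When you run multiple OpenClaw agents (a deploy agent, a monitoring agent, a social agent), they all need different credentials. Sharing one vault key means every agent sees everything. A compromised deploy agent exposes your personal data.
Create a separate scoped token for each agent. Each token can only access its designated entries. If one is compromised, the rest stay safe.
One vault. Five agents. Five scopes.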
# Deploy agent — Vercel, Netlify, AWS
$ clavitor token create --scope deploy --name "OC 部署"
# Monitor agent — Datadog, PagerDuty
$ clavitor token create --scope monitor --name "OC 监控"
# Social agent — Twitter, Discord
$ clavitor token create --scope social --name "OC 社交"
# Finance agent — Stripe, Plaid
$ clavitor token create --scope finance --name "OC 财务"
# Code agent — GitHub, GitLab
$ clavitor token create --scope dev --name "OC 开发"
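Vault Encryption
Entire vault encrypted at rest. AES-256-GCM.
Credential Encryption
Per-field encryption. Agents can read these via scoped CLI tokens.
Identity Encryption
Per-field encryption. Client-side encryption. WebAuthn PRF. Nobody can read these: not the agents, not us.
Credential fields are readable by scoped agents. But Identity fields (passport numbers, credit cards, private keys) are encrypted client-side with WebAuthn PRF. No agent, server, or court order can decrypt them. The key never leaves your device.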