MSP Tools
Your RMM already makes API calls.
Clavitor makes them safe.
Your technicians use Datto, N-able, and ConnectWise every day. Every script, every automation, every scheduled task needs credentials. Today they're in script variables, custom fields, or a shared vault everyone can read. The Clavitor proxy and CLI change that without changing your workflows.
The proxy pattern for RMM
Set HTTPS_PROXY on the endpoint and your existing scripts work unchanged. The proxy intercepts outbound HTTPS requests, resolves clavitor:// references in headers, and injects the real credential. Your script never sees the secret. Your RMM console never logs it.
# On the managed endpoint — one-time setup
$env:HTTPS_PROXY = "http://localhost:1983"
# Your existing automation scripts work unchanged
# The proxy resolves clavitor:// references in request headers
Invoke-RestMethod -Uri "https://api.openai.com/v1/models" `
-Headers @{ Authorization = "Bearer clavitor://OpenAI/key" }PowerShell
PowerShell is the MSP's daily language. Both the CLI and the proxy work natively.
CLI — single values
# Pipe directly — never stored in a variable clavitor-cli get "Client-Acme/Firewall" --field password | ` Set-FirewallCredential -Device "fw-acme-01" -PasswordFromPipe # Or use inline where piping isn't supported $cred = clavitor-cli get "Client-Acme/VPN" --field password Connect-VPN -Server vpn.acme.com -Password $cred Remove-Variable cred
# Template with clavitor:// references (safe to store in your RMM) clavitor-cli render monitoring-config.json | ` Set-Content -Path "C:\ProgramData\Monitor\config.json"
$env:HTTPS_PROXY = "http://localhost:1983"
# Every Invoke-RestMethod and Invoke-WebRequest now resolves clavitor://
Invoke-RestMethod -Uri "https://api.datto.com/v1/devices" `
-Headers @{ Authorization = "Bearer clavitor://Datto API/key" }Proxy — transparent injection
Atera
Atera scripts run on managed endpoints via the Atera agent. Store the Clavitor token as a custom field on the customer. Scripts shell out to the CLI at runtime.
# Atera script — credential never stored in Atera
$token = "{Custom Field: ClavitorToken}"
clavitor-cli init $token
# Resolve credentials per-run
clavitor-cli get "Client-Fox/Domain Admin" --field password | `
ForEach-Object { net user Administrator $_ /domain }ConnectWise Automate
Deploy the CLI via an Automate script. Use extra data fields to store the Clavitor agent token (not the credentials themselves). Scripts resolve credentials at runtime.
# ConnectWise Automate script # Token stored as an EDF — the only secret in Automate clavitor-cli init "%EDF_CLAVITOR_TOKEN%" # Credentials resolved from the vault, not from Automate $cred = clavitor-cli get "Client-Delta/Domain Admin" --field password Reset-ComputerMachinePassword -Credential $cred Remove-Variable cred
Datto RMM
Deploy the Clavitor CLI and proxy to managed endpoints via a Datto component. Scripts in your component library use clavitor:// references instead of hardcoded credentials.
Component setup
# Datto component: Install Clavitor CLI # Runs once per endpoint during onboarding $token = $env:CS_PROFILE_DATA # Token stored as a Datto site variable clavitor-cli init $token
# Before: credential in a Datto site variable (visible to all technicians) $apiKey = $env:CS_API_KEY # After: resolved from the vault (scoped per agent, audited) $apiKey = clavitor-cli get "Client API" --field key
# Datto monitor script — runs on schedule # The CLI is already initialized; credentials resolve at runtime $pass = clavitor-cli get "Backup Service" --field password Test-BackupHealth -Credential $pass Remove-Variable pass
Scheduled tasks
Kaseya VSA
Deploy the CLI via a Kaseya agent procedure. Store the agent token as a custom field on the organization. Procedures resolve credentials at execution time.
# Kaseya VSA agent procedure $token = "#vAgentConfiguration.ClavitorToken#" clavitor-cli init $token # Credentials resolved at runtime — not stored in Kaseya $key = clavitor-cli get "Client-Hotel/Backup API" --field key Start-BackupVerification -ApiKey $key Remove-Variable key
N-able N-central
Deploy the CLI via an N-able automation policy. Credentials are resolved at runtime from the vault instead of stored in N-able custom properties.
Automation policy
# N-able N-central script: resolve credentials at runtime # No secrets in N-able custom properties or script parameters $dbPass = clavitor-cli get "Client-Bcme/SQL Server" --field password Test-SqlConnection -Server sql.bcme.com -Password $dbPass Remove-Variable dbPass
# N-able probe monitoring script
# The probe runs the CLI locally — credentials never traverse the N-able cloud
clavitor-cli get "Monitoring API" --field key | `
ForEach-Object { Invoke-RestMethod "https://status.client.com/api/check" `
-Headers @{ "X-API-Key" = $_ } }Probe integration
N-able N-sight
N-sight (formerly SolarWinds RMM) runs automated tasks on endpoints. The same CLI pattern applies — store the token in a device-level custom property.
# N-able N-sight automated task $token = $env:CLAVITOR_TOKEN # Set as a device custom property clavitor-cli init $token clavitor-cli get "Client-India/SQL Backup" --field password | ` Backup-SqlDatabase -Server sql.india.com -PasswordFromPipe
NinjaOne
Deploy the CLI via a NinjaOne script. Store the agent token as a custom field on the organization — the only secret NinjaOne holds. Scripts resolve credentials at runtime.
# NinjaOne script — runs on managed endpoint $token = Ninja-Property-Get clavitorToken clavitor-cli init $token # Credentials resolved from the vault $pass = clavitor-cli get "Client-Echo/Firewall" --field password Set-FirewallConfig -Device "fw-echo-01" -AdminPassword $pass Remove-Variable pass
$env:HTTPS_PROXY = "http://localhost:1983"
Invoke-RestMethod -Uri "https://api.client.com/v1/status" `
-Headers @{ Authorization = "Bearer clavitor://Monitoring API/key" }Or use the proxy for API-based automations in NinjaOne scripting:
Pulseway
Pulseway runs PowerShell scripts on managed endpoints via its automation engine. Deploy the CLI during onboarding, store the token as a custom field.
# Pulseway automation workflow clavitor-cli init "$PulsewayCustomField_ClavitorToken" # Resolve credentials per execution $cred = clavitor-cli get "Client-Juliet/Exchange" --field password Test-ExchangeHealth -Server mail.juliet.com -Credential $cred Remove-Variable cred
Syncro
Syncro scripts and automated remediations can shell out to the CLI. Store the token as an asset custom field.
# Syncro script $token = $SyncroAssetCustomField.ClavitorToken clavitor-cli init $token # Resolve and pipe — never stored in Syncro's script variables clavitor-cli get "Client-Golf/VPN" --field password | ` Connect-VPN -Server vpn.golf.com -PasswordFromPipe
Why this matters for MSPs
Every RMM platform stores credentials somewhere — custom properties, site variables, extra data fields, script parameters. Every technician with console access can see them. Every breach of your RMM console exposes every client's credentials.
Clavitor moves the credentials out of the RMM. The RMM stores only the agent token (one per client). The token grants scoped access to that client's vault. A breach of your RMM console exposes tokens, not credentials — and each token is IP-whitelisted to the endpoint it was deployed on.
Scoped per client
Each client vault has its own agent token. Technician access is controlled by scope, not by "who can log into the RMM console."
Audited per script
Every credential access is logged — which script, which endpoint, which credential, when. Your clients can see the audit trail. You can prove who accessed what.
Revoked in one click
Client leaves? Revoke their agent token. Every endpoint stops resolving credentials immediately. No passwords to rotate, no custom properties to clear across 200 machines.
Stop storing credentials in your RMM.
One CLI. Every client. Every credential scoped, audited, and revocable.