Every employee will have an agent.
Are you ready?

The problem

One company vault. One personal vault per employee.

The company vault holds shared credentials — API keys, service accounts, database passwords. Scoped by team. Each employee's personal vault is theirs — their logins, their identity fields, encrypted with their own hardware key.

The company vault has no Identity fields. Nothing personal goes here. Personal vaults are private — the company cannot access them. By design. By math.

Scoped from day one

Open the web UI, create an agent or invite a team member, assign a scope. Each actor — human or agent — only sees entries in its scope. The vault checks every request, serves or denies. Stateless. Sub-millisecond.

The deploy agent cannot read dev credentials. The support bot cannot read deploy keys. The finance team sees Stripe but not GitHub. Your marketing hire sees the social media logins but not the production database. Each token encodes exactly which entries it can access — nothing more, nothing discoverable.

Scopes work the same for people and agents. A new employee gets a scope in the company vault that matches their role — engineering, finance, operations. They see what their role requires. When their role changes, the scope changes. The credentials don't.

People come and go. Credentials don't.

New hire starts Monday — create their personal vault, assign their role scopes, and they're working in minutes. No shared passwords to hand over, no onboarding document with "the Stripe key is in the shared Google Doc."

Someone leaves Friday — revoke their tokens across every shared vault in one click. Their personal vault goes with them. The credentials in the company vault never change. No rotation scramble. No "did we change the AWS key yet?" No weekend emergency.

This is the difference between password sharing and credential issuance. A shared password vault means every departure is a rotation event. Clavitor means every departure is a token revocation — instant, complete, and invisible to everyone else on the team.

Every access attributed

Every credential access is logged — which agent, which person, which credential, when, and from where. When a security review asks "who accessed the production database last Thursday," you have the answer in seconds. Not "someone with the shared password" — a name, a scope, a timestamp.

Password rotations are tracked the same way. When a credential changes, the audit trail records who triggered it and which agents picked up the new value. If a rotation breaks a deployment, you trace it to the exact change.

This runs always, across every vault. No configuration. No opt-in. The audit log is your compliance proof and your incident response tool.

Three tiers of encryption

The company vault holds only credential-tier fields. No identity data, no personal information, no cards or passports. Each employee's personal vault is theirs alone — encrypted with their own hardware key, invisible to the company admin. By design. By math.