Integration Guide
Give Claude Code secure, scoped access to credentials. Every secret stays encrypted until the moment it's needed, and your AI never sees what it shouldn't.
Claude Code calls the Clavitor CLI to fetch credentials. Each agent token is scoped: it can only access entries you've explicitly allowed. No vault browsing, no discovery, no surprise access.
Credential Encryption
API keys, SSH keys, OAuth tokens, TOTP secrets. Encrypted at rest, decryptable by the vault. Claude fetches what it's scoped to via the CLI.
Identity Encryption
Passport numbers, credit cards, private signing keys. Encrypted client-side with WebAuthn PRF. The server cannot decrypt them. Neither can Claude. Math, not policy.
In the Clavitor web UI, create an agent scoped to the entries Claude needs. Copy the setup token.
Claude calls the CLI directly. The token restricts access to the dev scope only.
Store TOTP secrets as Credential fields. Claude generates time-based 2FA codes on demand.
Credentials are encrypted in the vault; they need to be decrypted locally by the CLI. An MCP server can't do that. The CLI decrypts on your machine, returns the plaintext, and nothing sensitive ever passes through a third-party protocol layer. Scoping handles the rest: each agent only sees entries it's been granted.
Create agents in the web UI, each with its own scope. Your deploy agent sees Vercel keys. Your code agent sees GitHub tokens. Neither sees your personal credentials.
Three-tier encryption. Scoped access. Your AI gets what it needs, nothing more.