Integration Guide
Clavitor + Claude Code
Give Claude Code secure, scoped access to credentials. Every secret stays encrypted until the moment it's needed — and your AI never sees what it shouldn't.
How it works
Claude Code calls the Clavitor CLI to fetch credentials. Each agent token is scoped — it can only access entries you've explicitly allowed. No vault browsing, no discovery, no surprise access.
Credential Encryption
Claude can read
API keys, SSH keys, OAuth tokens, TOTP secrets. Encrypted at rest, decryptable by the vault. Claude fetches what it's scoped to via the CLI.
Identity Encryption
Claude cannot read
Passport numbers, credit cards, private signing keys. Encrypted client-side with WebAuthn PRF. The server cannot decrypt them. Neither can Claude. Math, not policy.
Setup
Create a scoped agent
In the Clavitor web UI, create an agent scoped to the entries Claude needs. Copy the setup token.
Use credentials in Claude Code
Claude calls the CLI directly. The token restricts access to the dev scope only.
TOTP generation
Store TOTP secrets as Credential fields. Claude generates time-based 2FA codes on demand.
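What "generates time-based 2FA codes on demand" amounts to, as an added example that is not Clavitor's code: standard RFC 6238 TOTP, where the code depends only on the stored secret and the clock, so any agent scoped to a TOTP field can produce valid codes for that account. The secret below is the RFC 6238 test key, and the function names are illustrative assumptions.

```python
import base64
import hashlib
import hmac
import struct
import time

# Constructed sample: the RFC 6238 test key "12345678901234567890", base32-encoded.
RFC_SECRET = base64.b32encode(b"12345678901234567890").decode()


def decode_secret(b32: str) -> bytes:
    """Normalize a base32 secret as issuers display it (spaces, lowercase, no padding)."""
    s = b32.replace(" ", "").replace("-", "").upper()
    s += "=" * (-len(s) % 8)  # base32 input must be a multiple of 8 characters
    return base64.b32decode(s)


def totp(secret_b32: str, now: float, step: int = 30, digits: int = 6,
         algo=hashlib.sha1) -> str:
    """RFC 6238 code for the time step containing `now` (Unix seconds)."""
    counter = int(now) // step
    mac = hmac.new(decode_secret(secret_b32), struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation (RFC 4226, section 5.3)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)  # keep leading zeros


def seconds_left(now: float, step: int = 30) -> int:
    """Seconds until the current code rolls over."""
    return step - int(now) % step


if __name__ == "__main__":
    t = time.time()
    print(totp(RFC_SECRET, t), f"(valid for {seconds_left(t)}s)")
```

A caller that submits the code to a remote service should check `seconds_left` first and wait for the next step when only a second or two remains.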
Why not MCP?
Credentials are encrypted in the vault — they need to be decrypted locally by the CLI. An MCP server can't do that. The CLI decrypts on your machine, returns the plaintext, and nothing sensitive ever passes through a third-party protocol layer. Scoping handles the rest: each agent only sees entries it's been granted.
Multiple agents, different scopes
Create agents in the web UI — each with its own scope. Your deploy agent sees Vercel keys. Your code agent sees GitHub tokens. Neither sees your personal credentials.
Three-tier encryption. Scoped access. Your AI gets what it needs — nothing more.