Vaults let the OneCLI gateway fetch credentials directly from your password manager at request time, without storing them on the server.

How vaults work

When an agent makes an HTTPS request and no server-stored secret matches the target host, the gateway checks if the user has a paired vault. If so, it asks the vault for a credential by domain, injects it into the request, and caches it briefly in memory.

Agent ──► Gateway ──► Secret Store (check DB secrets)
                │
                │  no match
                ▼
          Password Manager (fetch credential)
                │
                ▼
          Gateway ──► External Service (inject + forward)

Credentials never hit disk or the database. They’re cached in gateway memory for 60 seconds, then discarded.
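
A minimal model of the lookup order and 60-second cache described above, added here as an illustration and not OneCLI's own code. The class name, the per-host cache key, the injectable clock and the sample hosts and keys are assumptions.

```python
import time

CACHE_TTL_SECONDS = 60  # the page states vault credentials are cached for 60 seconds


class CredentialResolver:
    """Hypothetical model: server-stored secret first, paired vault as fallback."""

    def __init__(self, db_secrets, vault_fetch=None, clock=time.monotonic):
        self.db_secrets = db_secrets    # host -> secret (stands in for the DB secret store)
        self.vault_fetch = vault_fetch  # callable(host) -> secret or None; None = no paired vault
        self.clock = clock              # injectable so expiry can be exercised without sleeping
        self._cache = {}                # host -> (secret, expires_at); process memory only

    def resolve(self, host):
        """Return (secret, source) for host, or (None, None) when nothing matches."""
        if host in self.db_secrets:                 # server-stored secrets are checked first
            return self.db_secrets[host], "db"
        if self.vault_fetch is None:
            return None, None
        now = self.clock()
        hit = self._cache.get(host)
        if hit and now < hit[1]:
            return hit[0], "vault-cache"
        self._cache.pop(host, None)                 # discard the expired entry
        secret = self.vault_fetch(host)             # ask the vault by domain
        if secret is None:
            return None, None
        self._cache[host] = (secret, now + CACHE_TTL_SECONDS)
        return secret, "vault"


def demo():
    """Walk a constructed scenario: DB match, vault fallback, rotation, expiry."""
    now = [0.0]
    vault = {"api.example.test": "vault-key-v1"}   # constructed sample data
    r = CredentialResolver({"db.example.test": "db-key"}, vault.get, clock=lambda: now[0])
    out = [r.resolve("db.example.test"), r.resolve("api.example.test")]
    vault["api.example.test"] = "vault-key-v2"     # credential rotated in the vault
    now[0] = 30.0
    out.append(r.resolve("api.example.test"))      # still inside the 60 s window
    now[0] = 61.0
    out.append(r.resolve("api.example.test"))      # entry expired, vault is read again
    return out


if __name__ == "__main__":
    for secret, source in demo():
        print(source, secret)
```

In this model a credential rotated in the vault can still be served from the in-memory cache until its 60-second entry expires, which is worth keeping in mind when revoking a key.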

Vaults vs server-stored secrets

| | Server-stored secrets | Vault credentials |
|---|---|---|
| Storage | Encrypted in database | Stay in your password manager |
| Priority | Checked first | Fallback when no DB secret matches |
| Setup | Add via dashboard | One-time pairing with the vault app |
| Rotation | Manual update in dashboard | Automatic (always reads latest from vault) |

Use server-stored secrets for stable, shared credentials. Use vaults for personal credentials, frequently rotated keys, or when you don’t want secrets leaving your password manager.

Supported providers

Bitwarden

Connect your Bitwarden vault via the Agent Access SDK. Credentials are fetched through an encrypted Noise protocol channel.
More providers (1Password, etc.) are planned.