CLIENT.ENCRYPTED SERVER.BLIND AGENT.NATIVE
v0.22.9-05f706c-eeaab9c8
// AGENT-NATIVE SECRETS
▸ Under 5 minutes, one command

Agent quickstart

This gets Claude Code or Cursor talking to a zero-knowledge vault: you register the agent, send it one command, and it sets itself up — installs the MCP server, starts the local daemon, registers its credentials. You never handle a key. The server never sees a secret.

Step 1 — Create your account ~1 min

Sign up (free) and set your vault passphrase. The passphrase encrypts everything client-side — we can't read your vault, which also means we can't reset it, so save the recovery codes it gives you.

Step 2 — Register your agent ~30 s

In the dashboard, choose Onboard an agent and give it a name (e.g. Claude_Code). You'll get a one-time onboarding message containing a single setup command with an embedded setup link. The link's passphrase lives in the URL fragment (#…) — browsers never transmit fragments, so the server never sees it either.

Step 3 — Send your agent the command ~2 min, the agent does the work

Paste the onboarding message into your agent's chat. It looks like this:

# Step 1: install the vault MCP server (skip if already installed)
npm install -g @wundervault/mcp-server

# Step 2: download and onboard (verifies script signature, burns this link)
curl -fsSL https://wundervault.com/onboard -o /tmp/wv-onboard.py \
  && python3 /tmp/wv-onboard.py "https://wundervault.com/setup/agent/<token>#<passphrase>"

The onboarding script is Ed25519-signed and self-verifying. It installs @wundervault/mcp-server from npm if missing, starts the local daemon (with a systemd unit so it survives reboots), registers the agent's credentials, burns the one-time link, and prints the MCP config values your agent needs for the last step.

Step 4 — Add the MCP config ~1 min

The onboarding output ends with the exact command and agent name. Wire it into your client:

Claude Code

claude mcp add wundervault \
  -e WUNDERVAULT_AGENT_NAME=<YourAgentName> \
  -- wundervault-mcp

Or add it to ~/.claude.json under mcpServers — Claude Code picks up changes automatically, no restart needed.

Cursor

Add to ~/.cursor/mcp.json (all projects) or .cursor/mcp.json in a project:

{
  "mcpServers": {
    "wundervault": {
      "command": "wundervault-mcp",
      "env": { "WUNDERVAULT_AGENT_NAME": "<YourAgentName>" }
    }
  }
}

Then reload MCP servers from Cursor's settings (Settings → MCP). The agent's auth token is auto-discovered from ~/.wundervault/agents/<name>.token — don't put it in the config file.

Step 5 — The moment it's for ~30 s

  1. In the dashboard, add a secret (an API key, a database password) and send it to your agent's vault. Your browser re-encrypts it with the agent's vault key before upload — the server stores a blob it cannot open.
  2. Ask your agent to use it: "fetch the ProdDbPassword entry from your vault and check the database connection."
  3. The agent retrieves the encrypted entry, decrypts it locally, and uses it. With vault_exec, the secret is injected straight into the process environment — the raw value never even enters the agent's context window.

That's the whole product: your agent just used a credential that neither our server, nor the model's context, ever saw in plaintext. Every retrieval is written to a tamper-evident audit log you can review in the dashboard.

Don't take the zero-knowledge claim on faith: the verify page shows you how to catch us lying in 60 seconds with browser DevTools, or at your own network boundary with mitmproxy.

Interested in a managed option?

Wundervault is free while we build. If you'd want a hosted tier with SLAs, teams, and support — leave an email and we'll tell you when it exists. Nothing else is sent, ever.