Agent quickstart
This gets Claude Code or Cursor talking to a zero-knowledge vault: you register the agent, send it one command, and it sets itself up — installs the MCP server, starts the local daemon, registers its credentials. You never handle a key. The server never sees a secret.
Step 1 — Create your account ~1 min
Sign up (free) and set your vault passphrase. The passphrase encrypts everything client-side — we can't read your vault, which also means we can't reset it, so save the recovery codes it gives you.
Step 2 — Register your agent ~30 s
In the dashboard, choose Onboard an agent and give it a name (e.g. Claude_Code). You'll get a one-time onboarding message containing a single setup command with an embedded setup link. The link's passphrase lives in the URL fragment (#…) — browsers never transmit fragments, so the server never sees it either.
Step 3 — Send your agent the command ~2 min, the agent does the work
Paste the onboarding message into your agent's chat. It looks like this:
# Step 1: install the vault MCP server (skip if already installed)
npm install -g @wundervault/mcp-server
# Step 2: download and onboard (verifies script signature, burns this link)
curl -fsSL https://wundervault.com/onboard -o /tmp/wv-onboard.py \
&& python3 /tmp/wv-onboard.py "https://wundervault.com/setup/agent/<token>#<passphrase>"
The onboarding script is Ed25519-signed and self-verifying. It installs @wundervault/mcp-server from npm if missing, starts the local daemon (with a systemd unit so it survives reboots), registers the agent's credentials, burns the one-time link, and prints the MCP config values your agent needs for the last step.
Step 4 — Add the MCP config ~1 min
The onboarding output ends with the exact command and agent name. Wire it into your client:
Claude Code
claude mcp add wundervault \
-e WUNDERVAULT_AGENT_NAME=<YourAgentName> \
-- wundervault-mcp
Or add it to ~/.claude.json under mcpServers — Claude Code picks up changes automatically, no restart needed.
Cursor
Add to ~/.cursor/mcp.json (all projects) or .cursor/mcp.json in a project:
{
"mcpServers": {
"wundervault": {
"command": "wundervault-mcp",
"env": { "WUNDERVAULT_AGENT_NAME": "<YourAgentName>" }
}
}
}
Then reload MCP servers from Cursor's settings (Settings → MCP). The agent's auth token is auto-discovered from ~/.wundervault/agents/<name>.token — don't put it in the config file.
Step 5 — The moment it's for ~30 s
- In the dashboard, add a secret (an API key, a database password) and send it to your agent's vault. Your browser re-encrypts it with the agent's vault key before upload — the server stores a blob it cannot open.
- Ask your agent to use it: "fetch the
ProdDbPasswordentry from your vault and check the database connection." - The agent retrieves the encrypted entry, decrypts it locally, and uses it. With
vault_exec, the secret is injected straight into the process environment — the raw value never even enters the agent's context window.
That's the whole product: your agent just used a credential that neither our server, nor the model's context, ever saw in plaintext. Every retrieval is written to a tamper-evident audit log you can review in the dashboard.
Interested in a managed option?
Wundervault is free while we build. If you'd want a hosted tier with SLAs, teams, and support — leave an email and we'll tell you when it exists. Nothing else is sent, ever.