
Vault

Encrypted credential store for agent secrets

The Vault stores third-party credentials (API keys, OAuth tokens, database passwords, etc.) that your agent needs at runtime. Credentials are encrypted at rest using AES-256-GCM.

How It Works

Store:   User adds credential → Server encrypts with master key → Stores ciphertext
Retrieve: Agent calls vault.get → Server decrypts → Returns plaintext to agent

The server encrypts/decrypts using a master key (VAULT_MASTER_KEY). Credentials are never stored in plaintext.

Credential Types

| Type | Secret Fields | Metadata |
|---|---|---|
| LOGIN | password | uri, username |
| API_KEY | key | service, prefix |
| OAUTH | accessToken, refreshToken | provider, scopes, expiresAt |
| TOTP | secret (base32 seed) | issuer, account, algorithm |
| SSH_KEY | privateKey, passphrase | publicKey, keyType |
| DATABASE | password, connectionString | engine, host, port, database |
| SMTP | password | host, port, username, encryption |
| AWS | secretAccessKey, sessionToken | accessKeyId, region |
| CERTIFICATE | privateKey | certificate, chain, domain, expiresAt |
| CUSTOM | any key-value pairs | any key-value pairs |

Each credential is stored as one encrypted JSON blob. Secret fields go in data (encrypted), non-secret fields go in metadata (plaintext, for display).

Scopes

| Scope | Allows |
|---|---|
| vault:read | List credentials, retrieve decrypted values |
| vault:write | Store, update, and delete credentials |

MCP Tools

| Tool | Scope | Description |
|---|---|---|
| vault.list | vault:read | List all credentials (metadata only) |
| vault.get | vault:read | Get decrypted credential by name |
| vault.store | vault:write | Store or update a credential |
| vault.delete | vault:write | Delete a credential |

API Endpoints

| Method | Path | Scope | Description |
|---|---|---|---|
| GET | /v0/vault | vault:read | List credentials (metadata) |
| GET | /v0/vault/:name | vault:read | Get decrypted credential |
| PUT | /v0/vault/:name | vault:write | Store/update credential |
| DELETE | /v0/vault/:name | vault:write | Delete credential |

Example: Store an API Key

curl -X PUT https://api.mailgent.dev/v0/vault/stripe \
  -H "Authorization: Bearer mgent-your-api-key" \
  -H "Content-Type: application/json" \
  -d '{
    "type": "API_KEY",
    "data": { "key": "sk_live_abc123..." },
    "metadata": { "service": "stripe", "prefix": "sk_live_...c123" }
  }'

Example: Retrieve a Credential

curl https://api.mailgent.dev/v0/vault/stripe \
  -H "Authorization: Bearer mgent-your-api-key"

Returns the decrypted data along with metadata.

Security

  • Encrypted at rest — AES-256-GCM with authenticated encryption
  • Per-credential IV — each credential has its own random initialization vector
  • Tamper-proof — the GCM auth tag causes decryption to fail if the ciphertext has been modified
  • Scoped access — credentials are isolated per identity
  • Usage tracking — lastUsedAt updated on every retrieval
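
The store/retrieve flow and the per-credential IV and auth tag properties listed above, as an added Node.js example (not Mailgent's server code). The record layout, the function names and the randomly generated stand-in for VAULT_MASTER_KEY are assumptions.

```javascript
// Added illustration, not Mailgent's server code; record layout and names are assumptions.
const nodeCrypto = require("node:crypto");

// Stand-in for VAULT_MASTER_KEY (AES-256 needs 32 bytes); constructed at random here.
const masterKey = nodeCrypto.randomBytes(32);

// Encrypt the secret fields ("data") as one JSON blob; metadata stays plaintext.
function sealCredential(key, type, data, metadata) {
  const iv = nodeCrypto.randomBytes(12); // fresh 96-bit IV per credential
  const cipher = nodeCrypto.createCipheriv("aes-256-gcm", key, iv);
  const ct = Buffer.concat([cipher.update(JSON.stringify(data), "utf8"), cipher.final()]);
  return {
    type,
    metadata,
    iv: iv.toString("base64"),
    tag: cipher.getAuthTag().toString("base64"),
    ciphertext: ct.toString("base64"),
  };
}

// Decrypt a stored record; throws if the ciphertext, IV or tag was altered.
function openCredential(key, record) {
  const iv = Buffer.from(record.iv, "base64");
  const decipher = nodeCrypto.createDecipheriv("aes-256-gcm", key, iv);
  decipher.setAuthTag(Buffer.from(record.tag, "base64"));
  const pt = Buffer.concat([
    decipher.update(Buffer.from(record.ciphertext, "base64")),
    decipher.final(), // the auth tag is verified here
  ]);
  return JSON.parse(pt.toString("utf8"));
}

// Flip one bit of the stored ciphertext and report whether decryption rejects it.
function tamperIsRejected(key, record) {
  const bytes = Buffer.from(record.ciphertext, "base64");
  bytes[0] ^= 0x01;
  try {
    openCredential(key, { ...record, ciphertext: bytes.toString("base64") });
    return false;
  } catch (err) {
    return true;
  }
}

// Constructed sample credential (not a real key).
const sample = sealCredential(masterKey, "API_KEY",
  { key: "sk_test_constructed" }, { service: "stripe" });
console.log(openCredential(masterKey, sample), tamperIsRejected(masterKey, sample));
```

In this sketch the metadata sits outside the encryption, so the auth tag does not cover it; the page does not say whether Mailgent authenticates metadata.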
