The Vault

The Vault is FaynOS's encrypted local secret store. API keys, tokens, and passwords live in the Vault — never hardcoded in agent code or FPK files.

How it works

Secrets are stored encrypted at rest using AES-256-GCM, keyed to your device. When an agent calls ctx.vault.get('MY_KEY'), the Vault:

Decrypts the secret inside the kernel process
Passes the decrypted value into the JS sandbox via a one-time handle
The raw string is only accessible inside that isolate's execution context
After the run completes, the handle is destroyed

The raw secret value is never written to disk, never appears in run logs, and never leaves the device. This is enforced at the kernel level regardless of what agent code does.

Managing secrets

Secrets are managed from the Vault panel in the FaynOS sidebar. You can add, rename, and delete secrets. Secret values are not shown after creation.

Agent declarations

Agents that need Vault access must declare the secret names they require in the FPK:

"vault_keys": ["OPENAI_API_KEY", "GITHUB_PAT"]

FaynOS will prompt the user to confirm Vault access for these keys the first time the agent runs. If a declared key is missing from the user's Vault, the run fails with a clear error before execution begins.

Capability profile requirement

Vault access requires at least STANDARD capability profile. RESTRICTED agents cannot access the Vault.

← Previous

SDK

Publishing