Integrations
Every tool and secret your agents touch, gated in one place.
Gate the tools your agents already use.
Every connected tool is brokered through the same task model: the same approval, the same audit line, the same scoped credentials.
Credential vault
Add any key or secret. Agents use it, never see it.
Anything an agent needs to authenticate goes in the vault: API keys, OAuth tokens, database passwords, SSH keys, webhook signing secrets, even your own internal service tokens. Clawvisor stores each one encrypted and hands the agent a scoped, short-lived handle in its place.
Add the secret once
Paste an API key or connect a tool via OAuth. It's encrypted in the vault the moment it lands, and nothing else ever needs a copy.
The agent gets a handle
Not the key: an opaque, scoped, short-lived pointer that's useless on its own and outside the task it was issued for.
Injected at call time
When an approved call goes out, the gateway swaps the handle for the real secret at the edge, so it never enters the model's context, the tool transcript, or your logs.
Rotate anytime
Rotate or revoke the underlying secret in the vault and every handle keeps working. There's no agent code or config to touch.
Credentials
Agents never hold your secrets.
The agent only ever holds a scoped, short-lived handle. The real token stays in the vault, and Clawvisor injects it only at the moment of an approved call. Go ahead: reveal it. The model never can.
What the agent receives
non-sensitiveA pointer, not a key. Useless on its own and outside its scope.
↑ stands in for ↓
The real GitHub API key
vaultedghp_Rk8f2Kd9mPq2RxN4vTb7Lc3Wj••••••••••Stored in the vault. Injected only at the moment of an approved call.
Put a gateway in front of every tool.
Start with the open-source core, or talk to us about a managed deployment with the controls your team needs.