toani Vault
Zero-trust credential vault for AI Agents. Plaintext credentials never leave the TEE hardware security environment.
What is toani Vault?
toani Vault is a zero-trust credential management infrastructure purpose-built for AI Agents. It leverages Intel SGX Trusted Execution Environment (TEE) hardware isolation to ensure that user passwords, API keys, and tokens are never exposed to the Agent, the cloud provider, or even toani itself.
When an Agent needs to access a third-party service on behalf of a user, Vault handles the entire operation inside hardware isolation: credential decryption via a four-layer key hierarchy, browser automation via TEE Sandbox, and structured result extraction. The Agent only receives data and screenshots — never plaintext credentials. Every access is cryptographically recorded in an immutable audit log.
Core technology
Intel SGX TEE
Hardware-isolated execution
AES-256-GCM
Per-credential encryption
Sandbox Browser
Isolated Chromium in TEE
Key features
TEE Isolated Execution
All credential decryption and sensitive operations are completed inside an Intel SGX enclave. Host OS, cloud vendor, and platform ops cannot read plaintext.
Four-Layer Key Hierarchy
L0-L3 four-layer key derivation architecture. Each credential has an independent encryption key. Keys never persist in plaintext.
AES-256-GCM Encryption
Credential ciphertext uses AES-256-GCM with HKDF-SHA-256 derived per-credential key.
TEE Sandbox Browser
Isolated Chromium runs inside the enclave, supporting form filling, navigation, screenshots, and structured data export.
Immutable Audit Logs
All credential access written to immudb with Merkle tree, Ed25519, and optional on-chain anchoring.
Zero-Knowledge Proxy Architecture
Agent only sees placeholders and execution results, never directly sees user passwords or tokens.
How it works
User / AI Agent
Send instructions with credential placeholders
Inside TEE Enclave
Result
Structured data & screenshots returned to Agent
Agent sends instructions with placeholders like {{CREDENTIAL.password}} to toani Vault
Instructions enter TEE enclave, pass authorization and policy checks
Enclave derives the L3 key from the four-layer hierarchy and decrypts the credential — plaintext exists only briefly in enclave memory
TEE Sandbox launches isolated Chromium, executes login and subsequent operations
After completion, credential plaintext is erased from memory; only result data and audit records are retained
Agent receives structured data and screenshots for subsequent reasoning and user response
Four-layer key hierarchy
SGX Sealing Key
Hardware root key bound to CPU. Non-exportable.
Enclave Master Key
Derived from L0 via HKDF. Lives in enclave memory only.
User Vault Key
Bound to tenant + user. Short-term, per-session.
Credential Key
Per credential. Destroyed immediately after use.
Key benefits
Plaintext never leaves hardware
Decryption only happens inside SGX TEE. Server compromised or database exfiltrated — still cannot decrypt without hardware.
Every access has an immutable record
All operations written to immudb with hash chain and Merkle tree. Integrity verification via API or on-chain anchoring.
Execution code independently verifiable
Use Intel DCAP remote attestation to verify running enclave image (MRENCLAVE) matches published version.
Use cases
Personal & Wealth Management
Agent logs into banks and brokerages via TEE to pull transaction history and positions. Users get structured reports — the Agent never sees plaintext passwords. Every access is recorded in an immutable audit log.
Tax & Government Portals
Agent accesses tax bureaus and government services to download records and certificates. All credential operations happen inside hardware isolation with cryptographic audit trails.
Enterprise SaaS Automation
CTO manages AWS, GitHub, Stripe API keys centrally in Vault. DevOps Agents operate under delegation rules — Vault decrypts in TEE for each task. New keys flow entirely within hardware isolation from generation to deployment.
Ready to secure your Agent's credentials?
Get started with Vault in minutes.
