Quick Start Guide

Connect your AI agent to Rivault in under 5 minutes.

Prerequisites

A Rivault account with at least one vault item
OpenClaw installed
macOS - Rivault's desktop app for redaction and MCP calls

Run the installer

Installs the Rivault desktop app, then registers the skill and plugin OpenClaw needs to reach your vault. macOS only for now.

curl -fsSL https://www.rivault.ai/install.sh | sh

Learn more

The installer detects OpenClaw automatically and registers the Rivault plugin via openclaw plugins install, then installs the skill prompt, no manual SKILL.md download needed. It also sets up the local Rivault daemon and a watcher that scrubs every released secret out of the OpenClaw transcript after each task.

To uninstall later: curl -fsSL https://www.rivault.ai/install.sh | sh -s -- --uninstall

Log in to configure your API key

After install you'll be prompted to log in to link your desktop app. This sets up the API key used for vault calls. No manual setup needed. Need a key for manual setup? Generate one on your Settings page.

Learn more

The installer writes the key to both the desktop daemon's config (~/Library/Application Support/Rivault/config.json) and the OpenClaw plugin config (~/.openclaw/openclaw.json under plugins.entries.rivault.config.apiKey), so both the daemon's MCP server and the OpenClaw plugin authenticate without any further setup. The plugin auto-discovers the local daemon on 127.0.0.1 via ~/Library/Application Support/Rivault/daemon.json, so every retrieval is observable by the redaction watcher.

Skipped the prompt? Open the Rivault desktop app and click Sign in with Rivault. The browser flow pairs your Mac and wires up the daemon in one step. (Or re-run the installer; it's idempotent.)

Restart OpenClaw

OpenClaw picks up new plugins at gateway start time. Restart the gateway so the Rivault plugin loads with your API key:

openclaw gateway restart

Test it out

Start a new OpenClaw session and ask your agent something that needs your vault data:

# Example prompts to try:
"Fill out the signup form on https://maju.design/"

The agent will automatically search your vault, request authorization for sensitive items via Face ID, and use the values to complete the task. The desktop app's watcher redacts every retrieved value out of the OpenClaw transcript when the task ends.

Where your data goes

How default (L2) items are protected, redacted, and retained, by runtime and plan. Manually configured L1 items are non‑zero‑knowledge.

Face ID items are encrypted on your device, so Rivault's servers only ever see ciphertext, never the plaintext value. After your agent uses an item to complete a task, Rivault's desktop app redacts the released value from the agent's local transcript, memory, and logs. What your AI model provider retains depends on your plan:

	OpenClaw	Claude Code	Claude Desktop
Standard plans	Released values redacted locally after each task May persist on your model provider’s servers (Anthropic / OpenAI) per its policy	Released values redacted locally after each task May persist on Anthropic’s servers per its policy	Chat history syncs to your Claude account Local watcher can’t fully scrub released values May persist in synced history + on Anthropic’s servers
Enterprise · Zero Data Retention	With Zero Data Retention, no server-side residue anywhere	With Claude Enterprise + Zero Data Retention, no residue on Anthropic	With Claude Enterprise + Zero Data Retention, no residue on Anthropic

“Zero Data Retention” (ZDR) is an enterprise agreement with your model provider under which prompts and outputs are not stored server-side. Standard consumer/pro plans typically retain conversation data for a limited period per the provider's policy, outside Rivault's control.

Need help?

If you run into any issues, check the activity log in your account page or reach out for support.

Create Your Vault