Let agents execute.
Keep keys in the vault.

Server-side EVM signing with AWS KMS, protocol-aware policies, and full audit logs.

HSM-backed | Deny-by-default | Fail-closed | Open Source (MIT)

AI agents need signatures, not private keys

Problem: AI Agent directly accesses private keys
Solution: Private keys never leave the HSM

Problem: Unrestricted transaction signing
Solution: Deny-by-default policy engine

Problem: Unknown calldata silently passes
Solution: Fail-closed: unknown calldata is always rejected

Problem: No audit trail
Solution: Structured JSON audit logs

Trust Boundary

Every signing request passes through decode, policy evaluation, and audit — before the HSM ever signs a byte.

🤖 AI Agent → 🔓 Protocol Decoder → 📋 Policy Engine → 🔐 AWS KMS
Approved → Signed Tx
Denied + Audit Log

Policy Engine

Define exactly what your agent can and cannot do. Default-deny ensures nothing slips through.

{
  "version": "1.0",
  "defaultAction": "deny",
  "rules": [
    {
      "name": "Allow USDC approve",
      "action": "allow",
      "conditions": {
        "contract": "0xa0b86991c6218b36c1d19d4a2e9eb0ce3606eb48",
        "method": "approve",
        "maxAmount": "1000000000000"
      }
    },
    {
      "name": "Allow Uniswap swap",
      "action": "allow",
      "conditions": {
        "contract": "0xE592427A0AEce92De3Edee1F18E0157C05861564",
        "method": "exactInputSingle",
        "maxSlippage": "0.5"
      }
    }
  ]
}
version: Policy format version
defaultAction: deny (Deny everything not explicitly allowed)
rules: Allowlist rules with conditions
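
How a deny-by-default, fail-closed check over this policy could work for the ERC-20 approve rule, as an added TypeScript example that is not Agentic Vault's own code. The type and function names are hypothetical, first-match rule ordering is an assumption, and the spender address in the sample calldata is constructed.

```typescript
// Added illustration, not Agentic Vault's code. All type and function names are hypothetical.
type Rule = { name: string; action: string;
  conditions: { contract: string; method: string; maxAmount?: string } };
type Policy = { version: string; defaultAction: string; rules: Rule[] };
type Verdict = { allowed: boolean; reason: string };

// Well-known ERC-20 selectors: first 4 bytes of keccak256(signature).
const SELECTORS: Record<string, string> = {
  "095ea7b3": "approve",  // approve(address,uint256)
  "a9059cbb": "transfer", // transfer(address,uint256)
};

// Accept only the exact layout: selector + address word + uint256 word. Else null.
function decodeErc20(calldata: string): { method: string; amount: bigint } | null {
  const hex = calldata.toLowerCase().replace(/^0x/, "");
  if (!/^[0-9a-f]{136}$/.test(hex)) return null;          // wrong length or non-hex
  const method = SELECTORS[hex.slice(0, 8)];
  if (!method) return null;                                // unknown selector
  if (!/^0{24}/.test(hex.slice(8, 72))) return null;       // dirty address padding
  return { method, amount: BigInt("0x" + hex.slice(72)) };
}

function evaluate(policy: Policy, to: string, calldata: string): Verdict {
  const decoded = decodeErc20(calldata);
  // Fail-closed: undecodable calldata is rejected before any rule is consulted.
  if (decoded === null) return { allowed: false, reason: "unknown calldata" };
  // Assumption: first matching rule wins; the page does not specify rule ordering.
  for (const { name, action, conditions: c } of policy.rules) {
    if (c.contract.toLowerCase() !== to.toLowerCase()) continue;
    if (c.method !== decoded.method) continue;
    if (c.maxAmount !== undefined && decoded.amount > BigInt(c.maxAmount)) continue;
    return { allowed: action === "allow", reason: name };
  }
  // Deny-by-default: anything other than an explicit "allow" default denies.
  return { allowed: policy.defaultAction === "allow", reason: "default action" };
}

// Constructed sample input: the page's USDC rule plus a made-up spender address.
const USDC = "0xa0b86991c6218b36c1d19d4a2e9eb0ce3606eb48";
const policy: Policy = { version: "1.0", defaultAction: "deny", rules: [
  { name: "Allow USDC approve", action: "allow",
    conditions: { contract: USDC, method: "approve", maxAmount: "1000000000000" } }] };
const word = (v: bigint): string => v.toString(16).padStart(64, "0");
const approve = (amount: bigint): string =>
  "0x095ea7b3" + word(BigInt("0x" + "11".repeat(20))) + word(amount);

console.log(evaluate(policy, USDC, approve(BigInt(1000000))));          // within cap
console.log(evaluate(policy, USDC, approve(BigInt("1000000000001")))); // over cap
console.log(evaluate(policy, USDC, "0xdeadbeef"));                      // unknown
```

An approval above the cap matches no rule and falls through to the default action, so tightening a condition can never widen what is signed.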

Developer Interfaces

Use Agentic Vault however you prefer — as a TypeScript library, CLI tool, MCP server, or OpenClaw plugin.

import {
  createSigningProvider,
  EvmSignerAdapter
} from '@agenticvault/agentic-vault';

const provider = createSigningProvider({
  provider: 'aws-kms',
  keyId: 'arn:aws:kms:us-east-1:123456789:key/your-key-id',
  region: 'us-east-1',
});

const signer = new EvmSignerAdapter(provider);
const address = await signer.getAddress();
console.log('Vault address:', address);

Supported Protocols

Built-in decoders for popular DeFi protocols. Every calldata byte is decoded and validated before signing.

ERC-20 (approve, transfer): Allowance cap, spender/token allowlist

Uniswap V3 (exactInputSingle): Token pair, slippage, recipient validation

Aave V3 (supply, borrow, repay, withdraw): Asset allowlist, rate mode, amount limits

Already using OpenClaw?

Add secure signing in minutes. Agentic Vault integrates as an OpenClaw plugin with 7 safe tools and 2 policy-gated tools.

Safe Tools

  • get_address
  • health_check
  • get_balance
  • get_token_balance
  • decode_calldata
  • dry_run
  • list_policies

Policy-Gated Tools

  • sign_transaction
  • sign_typed_data

Getting Started

Three steps to secure your AI agent's transaction signing.

1. Install

2. Configure: Set up plugin config with keyId, region, and policyConfigPath

3. Secure: Create a deny-by-default policy.json