Skip to main content
Read-only access to the agent’s own vault credentials at runtime. Enable by including "vault_*" in the agent’s allowedTools array.
Security: Agents can only access their own vault entries — never another agent’s credentials. The vault is encrypted at rest with AES-256-GCM (.polpo/vault.enc). Credentials are decrypted and resolved (including ${ENV_VAR} references) at agent spawn time.
When to use vault tools: SMTP/IMAP credentials are used automatically by email tools — you don’t need vault tools for that. Use vault tools when an agent needs to access other credential types at runtime: API keys, OAuth tokens, custom secrets, etc. For example, a skill that calls the Stripe API needs the agent to call vault_get to retrieve the API key.

vault_list — List Available Services

List all services available in the agent’s vault. Returns service names, types, and credential key names — values are not shown.

Parameters

No parameters required.

Returns

3 vault service(s):
  - smtp (smtp): keys=[host, port, user, pass, from]
  - stripe (api_key): keys=[api_key]
  - github (oauth): keys=[token, org]

Usage

Call vault_list first to discover what services are available before retrieving specific credentials with vault_get.

vault_get — Get Credentials

Retrieve the actual credential values for a specific service from the agent’s vault.

Parameters

ParameterTypeRequiredDescription
servicestringyesService name to retrieve (e.g. "stripe", "github")

Returns

Credentials for "stripe":
  api_key: sk_live_abc123...
If the service doesn’t exist: 
No vault entry found for service "stripe". Use vault_list to see available services.

Setup

1. Store credentials in the vault

Use the orchestrator’s set_vault_entry tool or the onboarding wizard (polpo agent onboard <name>) to add credentials: 
set_vault_entry({
  agent: "integrations-agent",
  service: "stripe",
  type: "api_key",
  credentials: { api_key: "sk_live_..." }
})

2. Enable vault tools on the agent

Add "vault_*" to the agent’s allowedTools: 
{
  "name": "integrations-agent",
  "allowedTools": ["read", "write", "edit", "bash", "glob", "grep", "ls", "vault_*"]
}
The onboarding wizard automatically adds "vault_*" to allowedTools when vault entries are created during onboarding.

3. Use in skills or task descriptions

Skills can instruct agents to retrieve credentials: 
## API Authentication

Before making API calls, retrieve your credentials:
1. Call `vault_list` to see available services
2. Call `vault_get({ service: "stripe" })` to get the API key
3. Use the key in your `http_fetch` calls