Vault Credentials¶
OmniAgent supports storing credentials in password managers via omnivault. This guide covers supported providers, OS compatibility, and setup instructions.
Overview¶
Instead of storing API keys and tokens in configuration files, you can reference them using vault URIs:
```yaml
agent:
  api_key: "op://MyVault/anthropic/api-key"   # 1Password
channels:
  telegram:
    token: "bw://org-id/telegram-token"        # Bitwarden
  discord:
    token: "env://DISCORD_BOT_TOKEN"            # Environment variable
```
Credentials are resolved once at startup, so a secret rotated in the vault is only picked up after a restart. Plain string values still work for development.
Supported Providers¶
| Provider | URI Scheme | Description |
|---|---|---|
| 1Password | `op://` | 1Password service accounts |
| Bitwarden | `bw://` | Bitwarden Secrets Manager |
| Keeper | `keeper://` | Keeper Secrets Manager |
| File | `file://` | Read from local file |
| Environment | `env://` | Read from environment variable |
| Memory | `memory://` | In-memory storage (testing) |
OS Compatibility¶
**Platform Limitations:** The 1Password and Bitwarden providers depend on native SDK libraries that are not available on every platform.
| Provider | macOS | Linux | Windows | Notes |
|---|---|---|---|---|
| 1Password (`op://`) | :material-check: | :material-check: | :material-close: | Requires 1Password SDK |
| Bitwarden (`bw://`) | :material-check: | :material-check: | :material-close: | Requires Bitwarden SDK with CGO |
| Keeper (`keeper://`) | :material-check: | :material-check: | :material-check: | Pure Go implementation |
| File (`file://`) | :material-check: | :material-check: | :material-check: | Universal |
| Environment (`env://`) | :material-check: | :material-check: | :material-check: | Universal |
| Memory (`memory://`) | :material-check: | :material-check: | :material-check: | Universal |
Windows Limitations¶
The 1Password and Bitwarden providers use native SDKs with CGO dependencies that require platform-specific DLLs. These DLLs are not available in standard Windows CI environments.
Workarounds for Windows:
- Use `env://` or `file://`: these work on all platforms
- Use Keeper: the pure Go implementation works everywhere
- Install native SDKs: for local development, install the 1Password or Bitwarden CLI tools
Provider Setup¶
1Password (op://)¶
1Password uses service accounts for programmatic access.
URI Format:
Environment Variables:
| Variable | Required | Description |
|---|---|---|
| `OP_SERVICE_ACCOUNT_TOKEN` | Yes | Service account token (starts with `ops_`) |
Setup:
- Create a service account in your 1Password account
- Grant access to the vault containing your secrets
- Set the token:
Example:
Bitwarden (bw://)¶
Bitwarden uses Secrets Manager for programmatic access.
URI Format:
Environment Variables:
| Variable | Required | Description |
|---|---|---|
| `BW_ACCESS_TOKEN` | Yes | Machine account access token |
| `BW_ORGANIZATION_ID` | No | Default organization ID |
| `BW_API_URL` | No | Custom API URL (self-hosted) |
| `BW_IDENTITY_URL` | No | Custom Identity URL (self-hosted) |
Setup:
- Enable Secrets Manager in your Bitwarden organization
- Create a machine account with access to your secrets
- Set the credentials:
Example:
Keeper (keeper://)¶
Keeper uses Secrets Manager for programmatic access.
URI Format:
Environment Variables:
| Variable | Required | Description |
|---|---|---|
| `KSM_TOKEN` | One of these | One-time token (format: `REGION:TOKEN`) |
| `KSM_CONFIG` | One of these | Base64-encoded config JSON |
| `KSM_CONFIG_FILE` | One of these | Path to config file |
Setup:
- Create a Secrets Manager application in Keeper
- Generate a one-time token or config file
- Set the credentials:
Example:
File (file://)¶
Read secrets from local files.
URI Format:
Example:
**File Permissions:** Ensure secret files have restricted permissions (e.g., `chmod 600`) and are owned by the account that runs OmniAgent.
Environment (env://)¶
Read secrets from environment variables.
URI Format:
Example:
**`env://` vs `${VAR}`**
Both `env://VAR` and `${VAR}` read environment variables, but:
- `${VAR}` is expanded during config parsing (supports defaults: `${VAR:-default}`)
- `env://VAR` is resolved by omnivault during credential resolution
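The following Go program is an added illustration of the resolution model described in this guide; it is not omnivault's code, and the `Resolver`, `Provider` and `ExpandConfig` names are assumptions. It shows the three universal schemes (`env://`, `file://`, `memory://`), the "unknown vault URI scheme" error for a scheme with no registered provider, the difference between parse-time `${VAR:-default}` expansion and startup-time `env://` resolution, and a `file://` provider that refuses a secret file whose mode is not `0600` instead of merely recommending it.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"regexp"
	"strings"
)

// ErrUnknownScheme is the "unknown vault URI scheme" failure from the
// Troubleshooting section: no provider is registered for that scheme.
var ErrUnknownScheme = errors.New("unknown vault URI scheme")

// Provider resolves the path part of a vault URI to a secret value.
type Provider func(path string) (string, error)

// Resolver maps a URI scheme to its provider (illustrative, not omnivault's types).
type Resolver map[string]Provider

// Resolve splits "scheme://path" and dispatches to the registered provider.
// A value without "://" is returned as-is, like the plain development strings
// mentioned in the Overview.
func (r Resolver) Resolve(value string) (string, error) {
	scheme, path, ok := strings.Cut(value, "://")
	if !ok {
		return value, nil
	}
	p, found := r[scheme]
	if !found {
		return "", fmt.Errorf("%w: %q", ErrUnknownScheme, scheme)
	}
	v, err := p(path)
	if err != nil {
		return "", fmt.Errorf("failed to resolve credential %q: %w", value, err)
	}
	return v, nil
}

// EnvProvider implements env://VAR. Unlike ${VAR} there is no default syntax:
// an unset variable is an error, not an empty string.
func EnvProvider(name string) (string, error) {
	v, ok := os.LookupEnv(name)
	if !ok {
		return "", fmt.Errorf("environment variable %s is not set", name)
	}
	return v, nil
}

// FileProvider implements file:///path and refuses files that group or others
// can read, enforcing the chmod 600 advice rather than only recommending it.
// The mode check is POSIX-oriented and is not meaningful on Windows.
func FileProvider(path string) (string, error) {
	info, err := os.Stat(path)
	if err != nil {
		return "", err
	}
	if perm := info.Mode().Perm(); perm&0o077 != 0 {
		return "", fmt.Errorf("%s has mode %04o, expected 0600", path, perm)
	}
	b, err := os.ReadFile(path)
	if err != nil {
		return "", err
	}
	return strings.TrimRight(string(b), "\r\n"), nil
}

// MemoryProvider implements memory://key over a fixed map (for tests).
func MemoryProvider(store map[string]string) Provider {
	return func(key string) (string, error) {
		if v, ok := store[key]; ok {
			return v, nil
		}
		return "", fmt.Errorf("no in-memory secret named %q", key)
	}
}

// varRe matches ${VAR} and ${VAR:-default}: the parse-time expansion the page
// contrasts with env://. ExpandConfig runs before Resolve, so an unset variable
// becomes its default (or "" with no default) instead of a resolution error.
var varRe = regexp.MustCompile(`\$\{([A-Za-z_][A-Za-z0-9_]*)(?::-([^}]*))?\}`)

func ExpandConfig(s string) string {
	return varRe.ReplaceAllStringFunc(s, func(m string) string {
		sub := varRe.FindStringSubmatch(m)
		if v, ok := os.LookupEnv(sub[1]); ok {
			return v
		}
		return sub[2]
	})
}

func main() {
	r := Resolver{"env": EnvProvider, "file": FileProvider,
		"memory": MemoryProvider(map[string]string{"discord": "dev-token"})}
	for _, uri := range []string{"memory://discord", "${HOME_URI:-env://HOME}", "op://MyVault/x/y"} {
		v, err := r.Resolve(ExpandConfig(uri))
		fmt.Printf("%-28s -> %q err=%v\n", uri, v, err)
	}
}
```

Because expansion happens before resolution, `${HOME_URI:-env://HOME}` lets an operator override a whole vault URI from the environment while falling back to a sane default; `op://` fails here only because this toy registers no 1Password provider, which is exactly the situation the "unknown vault URI scheme" troubleshooting entry describes.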
OAuth Token Management¶
For services requiring OAuth token refresh (Google, Zoom, RingCentral), use the tokens configuration with omnitoken:
```yaml
tokens:
  vault_uri: "op://MyVault"
  services:
    google:
      credentials_name: "google-oauth"
      scopes:
        - "https://www.googleapis.com/auth/calendar"
    zoom:
      credentials_name: "zoom-oauth"
```
The token manager handles:
- In-memory token caching
- Automatic refresh when tokens expire
- Vault coordination for multi-process deployments
- Refresh token persistence
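As an added example of the caching and refresh behaviour listed above (this is illustrative code, not omnitoken's implementation; `TokenManager`, `Store`, `RefreshFunc` and the one-minute skew are assumptions), the Go program below keeps tokens in memory, refreshes a token shortly before its recorded expiry, persists the result to a `Store` before handing it out, and carries the old refresh token forward when the provider does not return a new one. Multi-process coordination through the vault is not shown.

```go
package main

import (
	"context"
	"fmt"
	"sync"
	"time"
)

// Token is an OAuth access token plus the refresh token used to renew it.
type Token struct {
	AccessToken  string
	RefreshToken string
	ExpiresAt    time.Time
}

// RefreshFunc exchanges a refresh token for a new Token. The real HTTP call to
// Google, Zoom or RingCentral lives here; the example injects a fake.
type RefreshFunc func(ctx context.Context, refreshToken string) (Token, error)

// Store persists tokens across restarts. In a deployment this would be the
// vault named by tokens.vault_uri; MemStore below is the in-memory stand-in.
type Store interface {
	Load(service string) (Token, bool, error)
	Save(service string, tok Token) error
}

// TokenManager caches tokens in memory and refreshes them shortly before expiry.
type TokenManager struct {
	mu      sync.Mutex
	now     func() time.Time // injectable clock for tests
	skew    time.Duration    // refresh this long before the recorded expiry
	cache   map[string]Token
	store   Store
	refresh map[string]RefreshFunc
}

func NewTokenManager(store Store, refresh map[string]RefreshFunc) *TokenManager {
	return &TokenManager{now: time.Now, skew: time.Minute,
		cache: map[string]Token{}, store: store, refresh: refresh}
}

// Get returns a usable access token, refreshing when the cached one is missing
// or within skew of expiry. The mutex serialises refreshes inside one process
// only; coordinating several processes needs a lock in the shared store.
func (m *TokenManager) Get(ctx context.Context, service string) (string, error) {
	m.mu.Lock()
	defer m.mu.Unlock()

	tok, ok := m.cache[service]
	if !ok {
		var err error
		if tok, ok, err = m.store.Load(service); err != nil {
			return "", err
		} else if !ok {
			return "", fmt.Errorf("no stored credentials for %s", service)
		}
		m.cache[service] = tok
	}
	if m.now().Add(m.skew).Before(tok.ExpiresAt) {
		return tok.AccessToken, nil
	}
	rf, ok := m.refresh[service]
	if !ok {
		return "", fmt.Errorf("no refresh function for %s", service)
	}
	fresh, err := rf(ctx, tok.RefreshToken)
	if err != nil {
		return "", fmt.Errorf("refresh %s: %w", service, err)
	}
	if fresh.RefreshToken == "" {
		fresh.RefreshToken = tok.RefreshToken // many providers omit an unchanged refresh token
	}
	if err := m.store.Save(service, fresh); err != nil { // persist before use
		return "", err
	}
	m.cache[service] = fresh
	return fresh.AccessToken, nil
}

// MemStore is an in-memory Store for tests and local runs (the manager's own
// lock serialises access to it).
type MemStore map[string]Token

func (s MemStore) Load(service string) (Token, bool, error) { t, ok := s[service]; return t, ok, nil }
func (s MemStore) Save(service string, t Token) error      { s[service] = t; return nil }

func main() {
	store := MemStore{"google": {AccessToken: "stale", RefreshToken: "r1", ExpiresAt: time.Now().Add(-time.Hour)}}
	m := NewTokenManager(store, map[string]RefreshFunc{"google": func(_ context.Context, rt string) (Token, error) {
		return Token{AccessToken: "fresh-" + rt, ExpiresAt: time.Now().Add(time.Hour)}, nil
	}})
	fmt.Println(m.Get(context.Background(), "google")) // fresh-r1 <nil>
}
```

Saving to the store before returning the new access token matters: if the process dies after the provider has rotated the refresh token but before it is persisted, the next start would present a revoked refresh token and the user would have to re-authorise.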
Troubleshooting¶
"unknown vault URI scheme"¶
The vault provider isn't registered. Ensure you're using a supported scheme.
"failed to resolve credential"¶
Check that:
- The required environment variables are set
- The vault path is correct
- Your service account has access to the secret
Windows DLL errors¶
If you see STATUS_DLL_NOT_FOUND or similar errors on Windows:
- Use `env://` or `file://` instead of `op://` or `bw://`
- Or use Keeper (`keeper://`), which has a pure Go implementation
1Password "unauthorized" errors¶
Verify:
- `OP_SERVICE_ACCOUNT_TOKEN` is set correctly
- The service account has access to the vault
- The token hasn't expired
Bitwarden connection errors¶
Verify:
- `BW_ACCESS_TOKEN` is set correctly
- `BW_ORGANIZATION_ID` is set if not in URI
- For self-hosted: `BW_API_URL` and `BW_IDENTITY_URL` are correct
Best Practices¶
- Use vault credentials in production - Never commit API keys to version control
- Use env:// in CI/CD - CI systems typically inject secrets as environment variables
- Restrict service account permissions - Only grant access to needed secrets
- Rotate credentials regularly - Update service account tokens periodically
- Use different vaults per environment - Separate dev/staging/production secrets