Integration Guide

clavitor + OpenAI Codex

Give your Codex agent access to credentials and 2FA codes via REST API or MCP — without exposing card numbers, passports, or recovery codes.

What your agent sees

Shared fields

Your agent reads these to help you code, deploy, and authenticate.

  • API keys (GitHub, AWS, Stripe, OpenAI…)
  • SSH host credentials
  • Database connection strings
  • TOTP seeds — live 2FA codes on demand
  • Service account passwords
What your agent never sees

Personal fields

Encrypted client-side with your biometric. The server stores ciphertext. No key, no access.

  • Credit card numbers & CVV
  • Passport & government IDs
  • Recovery codes & seed phrases
  • Social security numbers
  • Bank account details

Two ways to connect

MCP for native tool integration, or REST API for function calling from any model.

Option A

MCP

Codex supports MCP natively. Add clavitor to your ~/.codex/config.toml (or .codex/config.toml in your project):

[mcp_servers.clavitor]
url = "http://localhost:1984/mcp"

[mcp_servers.clavitor.headers]
Authorization = "Bearer clavitor_your_token_here"
Option B

REST API + Function Calling

Define clavitor endpoints as functions. Works with any LLM that supports function calling.

curl http://localhost:1984/api/search?q=github \
  -H "Authorization: Bearer clavitor_your_token_here"

# Returns entries with credentials, URLs, TOTP codes
# Personal fields return: {"value":"[REDACTED]","l2":true}

Using hosted clavitor?

Your URL includes your unique vault identifier. You can find the exact URL in your Account Information page after signing up.

It looks like: https://clavitor.com/your_vault_id/mcp or .../your_vault_id/api/

API endpoints

Simple REST. Bearer token auth. JSON responses.

GET  /api/entries              # list all entries
GET  /api/entries/{id}         # get single entry
GET  /api/search?q=github     # search by query
GET  /api/ext/totp/{id}       # get live TOTP code
GET  /api/generate?length=32  # generate random password

All endpoints require Authorization: Bearer clavitor_...

One vault, multiple agents

Running agents on different projects? Create a separate API key for each.

Work agent

Its own API key for GitHub, AWS, Jira, and Slack

Personal agent

Its own API key for email, social media, and cloud storage

Deploy agent

Its own API key for SSH keys, database creds, and API tokens

Every access is logged

The audit log records which agent accessed which credential, when, and from where.

TIME                 ACTION  ENTRY               ACTOR
2026-03-08 10:23:14  read    github.com          mcp:codex-agent
2026-03-08 10:23:15  totp    github.com          mcp:codex-agent
2026-03-08 11:45:02  read    aws-production      mcp:deploy-agent
2026-03-08 14:12:33  search  "database"          api:codex

Get started

Self-host (free) Hosted ($12/yr)