A2A Vault (PassBox)

Zero-knowledge secrets management. Store API keys, tokens, and credentials with client-side encryption. The server never sees plaintext values.

Quick Start

Store a secret:

CODEBLOCK0

Retrieve a secret:

CODEBLOCK1

Available Tools

Secret Operations

Tool	Description
INLINECODE0	Retrieve and decrypt a secret
INLINECODE1

Create or update a secret (encrypted before upload) | | passbox_list_secrets | List secret names (values not returned) | | passbox_delete_secret | Delete a secret | | passbox_rotate_secret | Trigger manual secret rotation |

Vault Management

Tool	Description
INLINECODE5	List all available vaults
INLINECODE6

List environments (dev, staging, prod) | | passbox_get_environment | Get all secrets in an environment |

.env Integration

Tool	Description
INLINECODE8	Compare local .env with vault secrets
INLINECODE9

Import .env file into vault |

Workflows

Set up project credentials

1. 1. passbox_list_vaults — see existing vaults
2. INLINECODE11 — store each credential
3. INLINECODE12 — verify all keys are stored

Sync .env with vault

1. 1. Read your local .env file
2. INLINECODE13 — see what's different
3. INLINECODE14 — push local secrets to vault

Environment promotion

1. 1. passbox_get_environment for "dev"
2. Review values
3. INLINECODE16 for each key in "staging"

Credential injection

Use with a2a_secure_execute to automatically inject secrets:

CODEBLOCK2

The {{API_KEY}} placeholder is resolved from PassBox before execution.

Security Model

• - Client-side encryption: Values are encrypted before leaving your device
• Zero-knowledge: The server stores only ciphertext
• Environment isolation: dev/staging/prod secrets are fully separated
• Audit trail: All access is logged
• Secret rotation: Built-in rotation support with webhooks