George Orwell — 1984

"If you want to keep a secret, you must also hide it from yourself."

We did. Your Sealed key is derived in your browser from your Touch ID. Our servers have never seen it. They could not decrypt your private fields even if they wanted to. Or anybody else.

Get hosted — $20 $12/yr Self-host free →
AI Agent You only L2 — AI can read github_token ssh_key totp_github oauth_slack L3 — you only credit_card cvv passport ssn

Black box icon options

6 corners. Front face dominant, slight depth peek right + top.

A. Subtle

B. More depth

C. Just a hair

D. Lighter top

E. A at 40px

F. Red at 40px

The problem

Every password manager was built before AI agents existed. Now they need to catch up.

All-or-nothing is broken

All others give your AI agent access to everything in your vault, or nothing at all. Your AI needs your GitHub token — it shouldn't also see your passport number.

Policy isn't security

"AI-safe" vaults still decrypt everything server-side. If the server can read it, it's not truly private. Math beats policy every time.

Agents need credentials — and 2FA

Your AI can't log in, pass two-factor, or rotate keys without access. clavitor lets it do all three — without exposing your credit card to the same pipeline.

How it works

"Your assistant can book your flights.
Not read your diary."

Every field is encrypted. But some get a second lock. That second key is derived from your fingerprint and only exists in your browser. We hold the safe. Only you hold that key.

Agent fields

AI-readable

Encrypted at rest, decryptable by the vault server. Your AI agent reads these via MCP.

  • API keys & tokens
  • SSH keys
  • TOTP 2FA codes — AI generates them for you
  • OAuth tokens
  • Structured notes
Sealed fields

Touch ID only

Encrypted client-side with WebAuthn PRF. The server never sees the plaintext. Ever.

  • Credit card numbers
  • CVV
  • Passport & SSN
  • Private signing keys
  • Private notes

Built different

Not another password manager with an AI checkbox. The architecture is the feature.

Field-level AI visibility

Each field has its own encryption tier. Your AI reads the username, not the CVV. Same entry, different access.

WebAuthn PRF

Sealed encryption uses WebAuthn PRF — a cryptographic key derived from your biometric hardware. Math, not policy. We literally cannot decrypt it.

AI-powered 2FA

Store TOTP secrets as Agent fields. Your AI generates time-based codes on demand via MCP — no more switching to your phone.

Scoped MCP tokens

Create separate MCP tokens per agent. Each token sees only its designated entries. Compromise one, the rest stay clean.

One binary, one file

No Docker. No Postgres. No Redis. One Go binary, one SQLite file. Runs on a Raspberry Pi. Runs on a $4/month VPS.

LLM field mapping

Import from any password manager. The built-in LLM automatically classifies which fields should be Agent vs Sealed.

10 agents.
Each gets exactly what it needs.

Create scoped MCP tokens per agent. One compromised agent exposes one scope — not your entire vault.

~/.claude/mcp.json

{
  "mcpServers": {
    "vault-dev": {
      "url": "http://localhost:1984/mcp",
      "headers": { "Authorization": "Bearer mcp_dev_a3f8..." }
    },
    "vault-social": {
      "url": "http://localhost:1984/mcp",
      "headers": { "Authorization": "Bearer mcp_social_7b2e..." }
    }
  }
}
CLAVITOR Agent 1 dev Agent 2 social Agent 3 finance Agent 4 infra Agent 5 deploy github ssh gitlab twitter slack discord stripe plaid aws k8s docker vercel netlify

Your agent and you — same vault, right access

Four ways in. Each one designed for a different context. All pointing at the same encrypted store.

MCP

For AI agents

Claude, GPT, or any MCP-compatible agent can search credentials, fetch API keys, and generate 2FA codes — scoped to exactly what you allow.

Extension

For humans in a browser

Autofill passwords, generate 2FA codes inline, and unlock L3 fields with Touch ID — without leaving the page you're on.

CLI

For terminal workflows

Pipe credentials directly into scripts and CI pipelines. vault get github.token — done.

API

For everything else

REST API with scoped tokens. Give your deployment pipeline read access to staging keys. Nothing else.

The competition

We listened. And addressed them all.

Real complaints from real users — about 1Password, Bitwarden, and LastPass. Pulled from forums, GitHub issues, and Hacker News. Not cherry-picked from our own users.

1PASSWORD — Community Forum

"The web extensions are laughably bad at this point. This has been going on for months. They either won't fill, wont' unlock, or just plain won't do anything (even clicking extension icon). It's so bad"

— notnotjake, April 2024 ↗

  • clavitor: No desktop app dependency. The extension talks directly to the local vault binary — no IPC, no sync, no unlock chains.

BITWARDEN — GitHub Issues

"Every single website loads slower. From Google, up to social media websites like Reddit, Instagram, X up to websites like example.com. Even scrolling and animation stutters sometimes. javascript heavy websites like X, Instagram, Reddit etc. become extremely sluggish when interacting with buttons. So for me the Bitwarden browser extension is unusable. It interferes with my browsing experience like malware."

— julianw1011, 2024 ↗

  • clavitor: Zero content scripts. The extension injects nothing into pages — it fills via the browser autofill API only when you ask.

LASTPASS — Hacker News

"The fact they're drip-feeding how bad this breach actually was is terrible enough... Personally I'm never touching them again."

— intunderflow, January 2023 ↗

  • clavitor: Self-host or use hosted with L3 encryption — we mathematically cannot read your private fields. No vault data to breach.

1PASSWORD — Community Forum

"Since doing so, it asks me to enter my password every 10 minutes or so in the chrome extension"

— Anonymous (Former Member), November 2022 ↗

  • clavitor: WebAuthn-first. Touch ID is the primary unlock. Session lives locally — no server-side expiry forcing re-auth.

BITWARDEN — Community Forums

"the password not only auto-filled in the password field, but also auto-filled in reddit's search box!"

"if autofill has the propensity at times to put an entire password in plain text in a random field, autofill seems like more risk than it's worth."

— xru1nib5 ↗

  • clavitor: LLM field mapping. The extension reads the form, asks the model which field is which — fills by intent, not by CSS selector.

BITWARDEN — Community Forums

"Bitwarden REFUSES to autofill the actual password saved for a given site or app...and instead fills an old password. It simply substitutes the OLD password for the new one that is plainly saved in the vault."

— gentlezacharias ↗

  • clavitor: LLM field mapping matches by intent. Entries are indexed by URL — the right credential for the right site, every time.

All quotes verbatim from public posts. URLs verified. View sources →

Your vault needs to be everywhere you are.

A password manager that only works on your home network isn't a password manager. Your laptop moves. Your phone moves. Your browser extension needs your vault at the coffee shop, on the plane, at the client's office.

Self-hosting that means a server with a public IP, DNS, TLS certificates, uptime monitoring, and backups. That's not a weekend project — that's infrastructure.

We run clavitor across 22 regions on every continent. $20 $12/yr. Your Sealed keys never leave your browser — we mathematically cannot read your private fields.

Get hosted → Self-host anyway

Up and running in 30 seconds

One command. No dependencies.

Terminal

# Self-host in 30 seconds
$ curl -fsSL clavitor.com/install.sh | sh
$ clavitor
# Running on http://localhost:1984

MCP config for Claude Code / Cursor / Codex

{
  "mcpServers": {
    "clavitor": {
      "url": "http://localhost:1984/mcp",
      "headers": { "Authorization": "Bearer mcp_your_token_here" }
    }
  }
}

Full install guide →