🚧 SanctumAI is in beta. APIs may change before v1.0.

Credential Resolution Protocol (CRP)

CRP is the protocol by which AI agents discover, request, and receive credentials from SanctumAI at runtime. It’s the glue between the MCP tool interface and the vault’s policy engine.

How CRP Works

When an AI agent needs a secret, the following sequence occurs:

AI Agent (via MCP)                    SanctumAI Daemon
       │                                     │
       │  1. sanctum_list_credentials()      │
       │────────────────────────────────────▶│
       │         [available credentials]     │
       │◀────────────────────────────────────│
       │                                     │
       │  2. sanctum_get_credential(path)    │
       │────────────────────────────────────▶│
       │         │                           │
       │         │  3. Authenticate agent    │
       │         │     (Ed25519 challenge)   │
       │         │                           │
       │         │  4. Evaluate policies     │
       │         │     (deny-by-default)     │
       │         │                           │
       │         │  5. Create lease          │
       │         │     (time-limited)        │
       │         │                           │
       │    { value, lease_id, expires_at }  │
       │◀────────────────────────────────────│
       │                                     │
       │  6. Use credential                  │
       │                                     │
       │  7. Lease expires → value zeroized  │

Resolution Steps

  1. Discovery — The agent calls sanctum_list_credentials to see what’s available (filtered by its policies)
  2. Request — The agent requests a specific credential by path
  3. Authentication — The daemon verifies the agent’s Ed25519 identity
  4. Authorization — The policy engine checks whether any policy grants this agent access to this credential for this action
  5. Lease Creation — On success, a time-limited lease is created with the decrypted value
  6. Usage — The agent uses the credential value
  7. Expiration — When the lease TTL expires, the value is zeroized from daemon memory
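
The daemon side of steps 3 to 7, as an added Go model that is not SanctumAI’s own code: the Daemon type, its in-memory store, the policy row shape and the convention of signing nonce||path are assumptions made here to show the checks in order. It binds the signature to the requested path, consumes the nonce so a captured signature cannot be replayed, denies unless a policy row matches, and zeroizes the leased copy when the TTL passes.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"slices"
	"time"
)

// Policy is one deny-by-default grant; Lease is the time-limited handle the daemon returns.
type Policy struct{ Agent, Path, Action string }
type Lease struct{ Value []byte; ExpiresAt time.Time }
// Daemon is a minimal stand-in for the SanctumAI daemon (assumption: an in-memory store;
// construct it with the nonces map initialized).
type Daemon struct {
	secrets  map[string][]byte
	policies []Policy
	nonces   map[string][]byte // one outstanding challenge per agent public key
}
// Challenge issues a fresh single-use nonce for the agent to sign (step 3).
func (d *Daemon) Challenge(agent ed25519.PublicKey) []byte {
	nonce := make([]byte, 32)
	rand.Read(nonce)
	d.nonces[hex.EncodeToString(agent)] = nonce
	return nonce
}
// GetCredential runs steps 3-5: verify the Ed25519 signature over nonce||path, check the
// policy table deny-by-default, then mint a lease holding a copy of the value until now+ttl.
func (d *Daemon) GetCredential(agent ed25519.PublicKey, sig []byte, path string, ttl time.Duration, now time.Time) (*Lease, error) {
	key := hex.EncodeToString(agent)
	nonce, ok := d.nonces[key]
	delete(d.nonces, key) // consumed even on failure, so a captured signature cannot be replayed
	if !ok || len(agent) != ed25519.PublicKeySize || !ed25519.Verify(agent, append(nonce, path...), sig) {
		return nil, errors.New("authentication failed")
	}
	value, found := d.secrets[path]
	if !found || !slices.Contains(d.policies, Policy{key, path, "read"}) {
		return nil, errors.New("denied by policy") // one error for both: do not reveal which paths exist
	}
	return &Lease{append([]byte(nil), value...), now.Add(ttl)}, nil
}

// Expire zeroizes the leased value once its TTL has passed (step 7) and reports whether it did.
func (l *Lease) Expire(now time.Time) bool {
	if now.Before(l.ExpiresAt) {
		return false
	}
	copy(l.Value, make([]byte, len(l.Value)))
	return true
}
```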

MCP Tools

CRP is exposed through MCP as a set of tools that AI editors can call:

Tool                        Description
sanctum_list_credentials    List credentials the agent has access to
sanctum_get_credential      Retrieve a credential value (creates a lease)
sanctum_store_credential    Store a new credential
sanctum_delete_credential   Delete a credential
sanctum_search_credentials  Search credentials by pattern
sanctum_get_audit_log       View recent audit entries
sanctum_check_policy        Simulate a policy decision

Why a Protocol?

CRP exists because raw vault access isn’t safe for AI agents. The protocol adds:

  • Identity verification — The agent must prove who it is before every request
  • Policy enforcement — Access is checked against the policy engine, not just “can you connect”
  • Time-limiting — Secrets are leased, not permanently exposed
  • Audit trail — Every resolution attempt is logged, whether it succeeds or fails
  • Rate limiting — Agents can’t brute-force access to secrets

Without CRP, an AI agent with MCP access would have unrestricted access to the entire vault — the equivalent of giving every employee the root password.