Quickstart
Get from zero to zero-knowledge in under 5 minutes.
Prerequisites
- macOS, Linux, or Windows (see installation for Windows details)
- Claude Code installed (or any MCP-compatible AI client)
- An OpaqueVault account — create one free
1. Install
macOS (Homebrew):
```sh
brew install opaquevault-brew/tap/ov
```
Linux / macOS (curl):
```sh
curl -fsSL https://get.opaquevault.com | sh
```
Windows (PowerShell):
```powershell
iwr -useb get.opaquevault.com/install.ps1 | iex
```
See installation for Scoop, WSL2, and what works natively on Windows today (the agent + MCP bridge are Linux/macOS only — Windows MCP users should use WSL2 for now).
Verify:
```sh
ov --version
```
2. Log in
```sh
ov auth login
```
You’ll be prompted for your email and master password. OpaqueVault derives your Key Encryption Key (KEK) from the password using Argon2id — the KEK never leaves your machine.
On first login, a default app is created automatically. You can create your own app in the next step.
3. Create an app and environment
Secrets in OpaqueVault are organized by app (a project namespace) and environment (production, staging, dev, etc.). DATABASE_URL in my-saas/production never collides with DATABASE_URL in another project or another env.
A new app starts with no environments, so the quickstart shape is to create both in one shot:
```sh
ov app create my-saas --with-env production
ov app use my-saas
ov env use production
```
ov app use / ov env use set the defaults for all subsequent commands; override per-command with --app / --env.
Not sure where you are? Run ov status any time:
```
ov status
API: https://api.opaquevault.com
User: [email protected]
App: my-saas
Env: production
Source: config-default
Env OK: yes
```
4. Store secrets
```sh
ov secret set DATABASE_URL
ov secret set STRIPE_SECRET_KEY
ov secret set OPENAI_API_KEY
```
OpaqueVault prompts for each value (input is hidden), encrypts it locally with a fresh DEK, and stores only the ciphertext on the server.
List what you’ve stored:
```sh
ov secret list
```
Output:
```
App: my-saas

NAME               UPDATED
DATABASE_URL       2026-04-10T14:32:11Z
STRIPE_SECRET_KEY  2026-04-10T09:01:44Z
OPENAI_API_KEY     2026-04-08T17:23:05Z
```
5. Connect to Claude Code
Add OpaqueVault as an MCP server in your Claude Code config (~/.claude/claude_desktop_config.json):
```json
{
  "mcpServers": {
    "opaquevault": {
      "command": "ov",
      "args": ["mcp", "serve"]
    }
  }
}
```
Restart Claude Code. When ov mcp serve starts, it logs the active app to stderr so you can confirm it’s targeting the right context.
6. Ask Claude to use a secret
In Claude Code, you can now say:
“Run the database migrations using DATABASE_URL.”
Claude will call vault_run — the local bridge decrypts the secret, injects it as an env var into the subprocess, and returns only the exit code and output. The plaintext value never appears in Claude’s context window. Not once.
What’s running
```
Claude Code ──MCP/stdio──▶ ov mcp serve ──HTTPS+PQC──▶ api.opaquevault.com
(never sees                (decrypts                   (ciphertext only,
 plaintext)                 locally)                    no decrypt endpoint)
```
The interceptor in ov mcp serve is active by default. If a raw secret accidentally enters the MCP channel — a pasted API key, a token in a stack trace — it’s blocked before Claude sees it and logged to your audit trail.
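The pattern described for vault_run and the interceptor (inject the secret into the child's environment only, return just the exit code and output, and scrub the value if the child echoes it), as an added example that is not OpaqueVault's own code. The name run_with_secret, the redaction marker, and the sample secret and commands are assumptions constructed for illustration.

```python
import os
import subprocess
import sys

REDACTED = "[REDACTED]"  # assumed marker, not OpaqueVault's


def run_with_secret(argv, name, value, timeout=30):
    """Run argv with name=value set in the child's environment only.

    Returns (exit_code, output) with any echo of the value scrubbed,
    so the caller (the AI client in the page's model) never sees it.
    """
    if not value:
        raise ValueError("refusing to inject an empty secret")
    env = dict(os.environ)         # copy: the parent environment is not mutated
    env[name] = value
    proc = subprocess.run(
        argv,                      # argv list, no shell: the value is never parsed as code
        env=env,
        stdout=subprocess.PIPE,
        stderr=subprocess.STDOUT,  # stack traces land in the same scrubbed stream
        timeout=timeout,
        check=False,
    )
    output = proc.stdout.decode("utf-8", errors="replace")
    return proc.returncode, output.replace(value, REDACTED)


# Constructed sample secret and child commands for the demonstration.
SAMPLE = "postgres://app:s3cr3t-constructed@db.example.internal/app"
WELL_BEHAVED = [sys.executable, "-c",
                "import os; print('migrated' if os.environ.get('DATABASE_URL') else 'no url')"]
LEAKY = [sys.executable, "-c",
         "import os, sys; print('connecting to', os.environ['DATABASE_URL']); sys.exit(3)"]

if __name__ == "__main__":
    for cmd in (WELL_BEHAVED, LEAKY):
        code, out = run_with_secret(cmd, "DATABASE_URL", SAMPLE)
        print(code, out.strip())
```

Exact-match scrubbing misses transformed copies of the value (base64, URL-encoded, truncated), so treat it as a backstop rather than a guarantee.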
Next steps
- How it works — the full two-process model explained
- ov app — managing multiple projects
- ov status — one-shot “where am I?” check
- ov scan — find secrets already leaked in your repos
- GitHub Actions integration — ov scan on every PR via opaquev/ov-scan-action
- MCP tools reference — all 7 tools, params, and responses
- Claude Code integration — detailed setup guide