George Orwell — 1984

"If you want to keep a secret, you must also hide it from yourself."

We did. Your L2 key is derived in your browser from your Touch ID. Our servers have never seen it. They could not decrypt your private fields even if they wanted to. Or anybody else.

L1 (AI agent can read): github_token, ssh_key, totp_github, oauth_slack
L2 (you only): credit_card, cvv, passport, ssn

The problem

Every password manager was built before AI agents existed. Now they need to catch up.

All-or-nothing is broken

All others give your AI agent access to everything in your vault, or nothing at all. There's no middle ground. Your AI needs your GitHub token — it shouldn't also see your passport number.

Policy isn't security

"AI-safe" vaults still decrypt everything server-side. They rely on access policies that can be overridden, misconfigured, or bypassed. If the server can read it, it's not truly private.

Agents need credentials — and 2FA codes

Your AI can't log in to a service, get past two-factor authentication, or rotate API keys without credential access. vault1984 lets it do all three — without exposing your credit card or passport to the same pipeline.

How it works

"Your assistant can book your flights.
Not read your diary."

Your passwords are stored on the vault server — yours to self-host, or ours to run. Every field is encrypted. But some fields get a second lock. That second key is derived from your fingerprint and only exists in your browser. The server holds the safe. Only you hold that key.

L1 AI-readable

Encrypted at rest, decryptable by the vault server. Your AI agent reads these via MCP.

  • API keys & tokens
  • SSH keys
  • TOTP 2FA codes — AI generates them for you (no more copy-paste from your phone)
  • OAuth tokens

L2 Touch ID only

Encrypted client-side with WebAuthn PRF. The server never sees the plaintext. Ever.

  • Credit card numbers
  • CVV
  • Passport & SSN
  • Private signing keys

Built different

Not another password manager with an AI checkbox. The architecture is the feature.

Field-level AI visibility

Each field in an entry has its own encryption tier. Your AI reads the username, not the CVV. Same entry, different access.

WebAuthn PRF

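L2 encryption uses the WebAuthn PRF extension: your authenticator (Touch ID or a security key) computes a secret value in hardware once you verify, and the L2 key is derived from that value in your browser. Math, not policy. The server literally cannot decrypt it.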
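
An added example, not vault1984's own code, of the field-level tiers and the PRF-derived L2 key described above: each field is sealed with AES-256-GCM under either a server-held L1 key or a key derived from the PRF output, so a holder of only the L1 key recovers only L1 fields. The function names, the labelled SHA-256 derivation (standing in for HKDF), the use of the field name as associated data and all sample values are assumptions.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// DeriveL2Key: PRF output -> AES-256 key (labelled SHA-256, stand-in for HKDF; assumed).
func DeriveL2Key(prf []byte) [32]byte {
	return sha256.Sum256(append([]byte("example-l2-field-key:"), prf...))
}

func aead(key [32]byte) cipher.AEAD { // AES-256-GCM; neither call fails for a 32-byte key
	b, _ := aes.NewCipher(key[:])
	a, _ := cipher.NewGCM(b)
	return a
}

// Seal encrypts one field; the field name is bound as associated data.
func Seal(key [32]byte, name, value string) []byte {
	a := aead(key)
	nonce := make([]byte, a.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		panic(err)
	}
	return a.Seal(nonce, nonce, []byte(value), []byte(name)) // nonce || ciphertext || tag
}

// View returns only the fields that authenticate and decrypt under key.
func View(key [32]byte, entry map[string][]byte) map[string]string {
	a, out := aead(key), map[string]string{}
	for name, blob := range entry {
		if n := a.NonceSize(); len(blob) >= n {
			if pt, err := a.Open(nil, blob[:n], blob[n:], []byte(name)); err == nil {
				out[name] = string(pt)
			}
		}
	}
	return out
}

func main() {
	l1, l2 := [32]byte{}, DeriveL2Key([]byte("constructed PRF output")) // constructed demo keys
	e := map[string][]byte{"totp_github": Seal(l1, "totp_github", "JBSWY3DP"), "cvv": Seal(l2, "cvv", "123")}
	fmt.Println("server sees:", View(l1, e), "browser unlocks:", View(l2, e))
}
```

Because the field name is authenticated, a ciphertext moved under a different field name fails to open even with the right key.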

AI-powered 2FA

Store TOTP secrets as L1 fields. Your AI agent generates time-based codes on demand via MCP — no more switching to your authenticator app.

Scoped MCP tokens

Create separate MCP tokens per agent or integration. Each token sees only its designated entries. Compromise one, the rest stay clean.

One binary, one file

No Docker. No Postgres. No Redis. One Go binary, one SQLite file. Runs on a Raspberry Pi. Runs on a VPS. Runs on your laptop.

LLM field mapping

Import from any password manager and the built-in LLM automatically classifies which fields should be L1 (AI-visible) vs L2 (private).

10 agents.
Each gets exactly what it needs.

Create scoped MCP tokens per agent. One compromised agent exposes one agent's scope — not your entire vault.

~/.claude/mcp.json
{
  "mcpServers": {
    "vault-dev": {
      "url": "http://localhost:1984/mcp",
      "headers": {
        "Authorization": "Bearer mcp_dev_a3f8..."
      }
    },
    "vault-social": {
      "url": "http://localhost:1984/mcp",
      "headers": {
        "Authorization": "Bearer mcp_social_7b2e..."
      }
    }
  }
}

[Diagram: vault1984 serving five scoped agents: Agent 1 (dev), Agent 2 (social), Agent 3 (finance), Agent 4 (infra), Agent 5 (deploy). Services shown: github, ssh, gitlab, twitter, slack, discord, stripe, plaid, aws, k8s, docker, vercel, netlify.]

Your vault. Deployed close to you.

Hosted on Hostkey TIER III infrastructure. Pick your region at signup.

Or run it yourself. We embrace that too. No account, no payment, no questions asked.

The security model

Location is latency. Not security.

Your L2 encryption key is derived client-side from your Touch ID or security key. It never leaves your device. Our servers store ciphertext they cannot decrypt — regardless of who owns the rack, the building, or the country it sits in.

Pick your region for speed. Pick it for compliance if your organisation requires it. But your private fields are safe in any of them.

  • 🇺🇸 New York (US East): 🟢 Live
  • 🇳🇱 Amsterdam (EU West): 🟢 Live
  • 🇩🇪 Frankfurt (EU Central): 🟢 Live
  • 🇫🇮 Helsinki (EU North): 🔵 Coming soon

🏠

Self-hosted

Your machine. Your rules. Zero latency.

Free forever

Your agent and you — same vault, right access

Four ways in. Each one designed for a different context. All pointing at the same encrypted store.

MCP
For AI agents

Claude, GPT, or any MCP-compatible agent can search credentials, fetch API keys, and generate 2FA codes — scoped to exactly what you allow.

Extension
For humans in a browser

Autofill passwords, generate 2FA codes inline, and unlock L2 fields with Touch ID — without leaving the page you're on.

CLI
For terminal workflows

Pipe credentials directly into scripts and CI pipelines. vault get github.token — done.

API
For everything else

REST API with scoped tokens. Give your deployment pipeline read access to staging keys. Nothing else.

The competition

We listened. And addressed them all.

Real complaints from real users — about 1Password, Bitwarden, and LastPass. Pulled from forums, GitHub issues, and Hacker News. Not cherry-picked from our own users.

1PASSWORD — Community Forum

"The web extensions are laughably bad at this point. This has been going on for months. They either won't fill, won't unlock, or just plain won't do anything (even clicking extension icon). It's so bad"

— notnotjake, April 2024

✓ vault1984: No desktop app dependency. The extension talks directly to the local vault binary — no IPC, no sync, no unlock chains.

BITWARDEN — GitHub Issues

"Every single website loads slower. From Google, up to social media websites like Reddit, Instagram, X up to websites like example.com. Even scrolling and animation stutters sometimes. JavaScript-heavy websites like X, Instagram, Reddit etc. become extremely sluggish when interacting with buttons. So for me the Bitwarden browser extension is unusable. It interferes with my browsing experience like malware."

— julianw1011, 2024

✓ vault1984: Zero content scripts. The extension injects nothing into pages — it fills via the browser autofill API only when you ask.

LASTPASS — Hacker News

"The fact they're drip-feeding how bad this breach actually was is terrible enough... Personally I'm never touching them again."

— intunderflow, January 2023

✓ vault1984: Self-host or use hosted with L2 encryption — we mathematically cannot read your private fields. No vault data to breach.

1PASSWORD — Community Forum

"Since doing so, it asks me to enter my password every 10 minutes or so in the chrome extension"

— Anonymous (Former Member), November 2022

✓ vault1984: WebAuthn-first. Touch ID is the primary unlock. Session lives locally — no server-side expiry forcing re-auth.

BITWARDEN — Community Forums

"the password not only auto-filled in the password field, but also auto-filled in reddit's search box!"

"if autofill has the propensity at times to put an entire password in plain text in a random field, autofill seems like more risk than it's worth."

— xru1nib5

✓ vault1984: LLM field mapping. The extension reads the form, asks the model which field is which — fills by intent, not by CSS selector.

BITWARDEN — Community Forums

"Bitwarden REFUSES to autofill the actual password saved for a given site or app...and instead fills an old password. It simply substitutes the OLD password for the new one that is plainly saved in the vault."

— gentlezacharias

✓ vault1984: LLM field mapping matches by intent. Entries are indexed by URL — the right credential for the right site, every time.

All quotes verbatim from public posts. URLs verified.

Pricing

No tiers. No per-seat. No "contact sales." Two options.

Self-hosted

Free

Forever. MIT license.

One binary, your machine, your data. Full source on GitHub.

  • All features included
  • L1/L2 encryption
  • MCP server
  • Browser extension
  • Unlimited entries

Recommended

Hosted

$12/year

We manage it. You use it.

New York, Amsterdam, Frankfurt, Helsinki. Pick your region.

  • Everything in self-hosted
  • Managed backups
  • Multi-region deployment
  • Uptime monitoring
  • Automatic updates

Up and running in 30 seconds

One command. No dependencies.

Terminal
# Self-host in 30 seconds
$ curl -fsSL https://vault1984.com/install.sh | sh
$ vault1984
# Running on http://localhost:1984

MCP config for Claude Code / Cursor / Codex
{
  "mcpServers": {
    "vault1984": {
      "url": "http://localhost:1984/mcp",
      "headers": {
        "Authorization": "Bearer mcp_your_token_here"
      }
    }
  }
}