Skip to main content
Commands default to colored human-readable output. Many list/status commands accept --verbose / -v for full JSON; invoke also has dedicated json and markdown subcommands for structured output.

Command groups

GroupPurpose
Vault lifecyclestatus, init, unlock, lock, rotate-master, audit
Secretssecrets create, list, update, rotate, delete, import
Credentialscredential create, list, delete
Provider pluginsprovider list, install, enable, disable, remove
Capabilitiescapability list, describe, create, delete, policy, bind, unbind, bindings
Invokeinvoke, json, markdown
OAuthoauth setup

Top-level shortcuts

These shortcuts avoid typing capability invoke ... for the most common operation:
aivault invoke <id> ...       # same as: aivault capability invoke <id>
aivault json <id> ...         # same as: aivault capability json <id>
aivault markdown <id> ...     # same as: aivault capability markdown <id>
aivault md <id> ...           # alias for markdown

Global behavior

  • Auto-initialization: if no vault exists, the first command that needs it will auto-initialize with safe defaults
  • Daemon boundary: on unix platforms, invoke commands connect to the aivaultd daemon (auto-started) for secret isolation. See Daemon
  • Output modes: human-readable (default); JSON via --verbose / -v on commands that support it; or structured JSON/markdown via the json/markdown subcommands