Prerequisites
- The
aivaultbinary installed and on yourPATH(see Install) - On macOS/Linux,
aivaultdinstalled alongsideaivault(used byinvokeby default). If you only haveaivault, setAIVAULTD_DISABLE=1. - An API key for at least one supported provider (e.g. OpenAI)
1) Check vault status
- macOS: uses the system Keychain
- Other platforms: uses the file provider with a key at
~/.aivault/keys/kek.key(outside the vault directory)
2) Store a secret
OPENAI_API_KEY matches the built-in registry, this automatically:
- Pins the secret to the
openaiprovider (it can only be used for OpenAI hosts) - Provisions the
openaicredential - Enables all 17 OpenAI capabilities (chat, transcription, embeddings, images, etc.)
3) Browse capabilities
describe command shows allowed methods, path prefixes, and example invocations.
4) Invoke a capability
api.openai.com. The response is returned with auth-class headers stripped.
For structured output: