Installation
Prerequisites
- Node.js 20.0.0 or later
- A C++ compiler toolchain (for sodium-native native bindings):
- Windows: Visual Studio Build Tools or
npm install --global windows-build-tools - macOS: Xcode Command Line Tools (
xcode-select --install) - Linux:
build-essentialpackage
- Windows: Visual Studio Build Tools or
Install
npm install -g hq-vaultOr install locally in a project:
npm install hq-vaultInitialize a Vault
hq-vault initYou’ll be prompted to set a master passphrase. This passphrase derives the encryption key via Argon2id — choose something strong and memorable.
🔐 Creating new vault at ~/.hq-vault/vault.dbEnter master passphrase: ********Confirm passphrase: ********✅ Vault initialized and unlockedThe vault file is a single portable SQLite database at ~/.hq-vault/vault.db. All secrets are encrypted at rest.
Start the Server
hq-vault serveThis starts the vault daemon on https://localhost:13100. The master key is held in memory — secrets can be retrieved without re-entering the passphrase.
For background operation:
hq-vault serve --daemonStore Your First Secret
hq-vault store aws/access-keyYou’ll be prompted to paste the secret value (input is hidden):
Enter secret value: ********✅ Stored: aws/access-key (24 bytes)Retrieve It
hq-vault get aws/access-keyOr from code, using the SDK:
import { getSecret } from "hq-vault";
const key = await getSecret("aws/access-key");Next Steps
- Store and manage secrets via CLI
- Create access tokens for agents
- Use the HTTP API programmatically
- Use the SDK in worker code