These sequence diagrams illustrate the core protocol flows in AgentVault. Each diagram shows the interaction between participants and highlights where encryption boundaries lie.
Device Enrollment
Enrollment is a multi-step process that ensures only explicitly approved devices can join a tenant. The server never handles private keys.
Step 1: Invite Creation
The owner generates a single-use, time-limited invite token.
The raw invite token is returned to the owner exactly once. The server stores only the BLAKE2b hash. If the owner loses the token, they must generate a new one.
Step 2: Agent Enrollment
The agent consumes the invite and registers its public keys.
Step 3: Owner Approval
The owner verifies the device fingerprint and explicitly approves the device.
Step 4: Key Exchange and Activation
Both parties perform X3DH key agreement and initialize the Double Ratchet.
For new sessions, MLS group creation is the primary path. The X3DH + Double Ratchet flow shown above is the fallback for legacy 1:1 sessions. MLS uses KeyPackages uploaded during enrollment to establish the ratchet tree, providing the same confidentiality guarantees with better scalability.
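The server-side bookkeeping for Steps 1 to 3 can be sketched as follows. This is an added example, not AgentVault's own code: the in-memory dicts, the function names, the 32-byte digest, the default TTL and the fingerprint construction are all assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import time

INVITES = {}  # BLAKE2b(token) hex -> invite record; the raw token is never stored
DEVICES = {}  # device_id -> {"tenant", "public_key", "status"}

def token_hash(data: bytes) -> str:
    return hashlib.blake2b(data, digest_size=32).hexdigest()

def create_invite(tenant, ttl=600, now=None):
    """Step 1: return the raw token once; persist only its BLAKE2b hash."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)
    INVITES[token_hash(token.encode())] = {
        "tenant": tenant, "expires_at": now + ttl, "used": False}
    return token

def enroll(token, public_key, now=None):
    """Step 2: consume the invite; the device stays 'pending' until approved."""
    now = time.time() if now is None else now
    invite = INVITES.get(token_hash(token.encode()))
    if invite is None or invite["used"] or now >= invite["expires_at"]:
        return None  # unknown, replayed or expired token
    invite["used"] = True  # single use: burned as soon as it is consumed
    device_id = secrets.token_hex(8)
    DEVICES[device_id] = {"tenant": invite["tenant"],
                          "public_key": public_key, "status": "pending"}
    return device_id

def fingerprint(public_key: bytes) -> str:
    """Assumed fingerprint format: truncated BLAKE2b of the public key."""
    return token_hash(public_key)[:16]

def approve(device_id, fingerprint_verified_by_owner):
    """Step 3: activate only if the fingerprint the owner verified matches."""
    device = DEVICES.get(device_id)
    if device is None or device["status"] != "pending":
        return False
    expected = fingerprint(device["public_key"])
    if not hmac.compare_digest(expected, fingerprint_verified_by_owner):
        return False
    device["status"] = "active"
    return True
```

Because only the hash is stored, a leaked invite table does not yield usable tokens, and a lost token cannot be recovered, only replaced.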
Encrypted Messaging
Send Message (Owner to Agent)
Offline Message Retrieval
When a client reconnects after being offline, it fetches missed messages in order.
Offline messages must be processed in chronological order because each decryption advances the ratchet chain. Processing out of order would desynchronize the ratchet state.