Before you can submit signed receipts, VaultGraph needs the full deployment context in place:
  • A vendor VAULTGRAPH_API_KEY
  • An agent record
  • A consumer record
  • A deployment that binds that agent and consumer
  • A deployment signing key that matches your VAULTGRAPH_PUBLIC_KEY
  • The matching VAULTGRAPH_PRIVATE_KEY
The setup order matters. Receipt ingestion is rejected until the target deployment exists and the submitted public key matches an active signing key on that deployment.

1) Create your vendor API key

  1. Sign in at app.vaultgraph.com
  2. Switch to your vendor organization
  3. Open Org Settings → API Keys
  4. Click Create API key and copy it
Save this value as VAULTGRAPH_API_KEY in your server environment.
Never expose API keys in browser/client code. Keep them in your backend secrets manager or server-only environment variables.

2) Create the agent, consumer, and deployment

Create the resources that VaultGraph uses to attribute receipts:
  1. Create or open the target agent in the portal
  2. Create or open the target consumer record
  3. Create a deployment for that agent-consumer pair
  4. Copy the deployment short ID (dep_...) for your backend configuration
Receipts are deployment-scoped. The signed receipt payload stays agent-agnostic, and VaultGraph resolves the agent and consumer from the submitted deployment_id.

3) Generate your Ed25519 keypair

Use any of these options to generate PEM-encoded keys:
openssl genpkey -algorithm Ed25519 -out key.pem
openssl pkey -in key.pem -pubout -out key_public.pem
Set these in your server environment as:
  • VAULTGRAPH_PRIVATE_KEY
  • VAULTGRAPH_PUBLIC_KEY
The private key must remain secret. Store it server-side only and never commit it to source control.

4) Register the public key on the deployment

Signing keys are managed only in the VaultGraph portal UI. After generating your keypair:
  1. Create or open the target deployment in the portal
  2. Open the deployment actions menu and select the key action
  3. Paste the public key and save it as an active signing key for that deployment
Receipt ingestion is rejected unless the submitted public_key matches an active signing key registered on the target deployment.

5) Add credentials to your environment

Example:
VAULTGRAPH_API_KEY=vgk_...
VAULTGRAPH_DEPLOYMENT_ID=dep_...
VAULTGRAPH_PUBLIC_KEY="-----BEGIN PUBLIC KEY-----\n...\n-----END PUBLIC KEY-----"
VAULTGRAPH_PRIVATE_KEY="-----BEGIN PRIVATE KEY-----\n...\n-----END PRIVATE KEY-----"

Next step

Continue with: