# Getting Started

toani Vault is toani.ai's zero-trust credential vault, providing AI Agents with TEE-isolated credential storage and browser automation capabilities. This guide covers two phases: pre-setup (Web console operations) and SDK integration (writing code).

## Pre-Setup: Complete Three Steps in Web Console

Before writing code, complete the following preparation in the toani Vault Web console.

### Step 1: Log In to the Console

Visit the toani Vault console address (provided by your administrator). Enter your username and password on the login page; after a successful login, you are automatically taken to the dashboard.

> For first-time deployment, use the administrator-assigned account to log in. If you need to reset your password, contact your system administrator.

### Step 2: Create Credentials

Go to the **Credential Management** page and click **Create Credential**, then fill in:

* **Service ID**: Unique identifier for the service the credential belongs to, for example `schwab`, `github`, `mybank`
* **Credential Type**: Choose from the table below
* **Credential Content**: Fill in corresponding fields based on type
* **Expiration** (optional)

**Supported credential types:**

| Credential Type       | Use Case                                                                                              | Required Fields                                    |
| --------------------- | ----------------------------------------------------------------------------------------------------- | -------------------------------------------------- |
| `username_password`   | Website account passwords                                                                             | `username`, `password`                             |
| `api_key`             | Developer platform keys                                                                               | `key`, optional `secret`                           |
| `oauth_token`         | OAuth authorization tokens                                                                            | `refresh_token`                                    |
| `certificate`         | TLS client certificates                                                                               | `certificate` (PEM), optional `private_key`        |
| `ssh_key`             | SSH login keys                                                                                        | `ssh_key`                                          |
| `database_connection` | Database connections                                                                                  | `host`, `port`, `database`, `username`, `password` |
| `zkme_credential`     | zkMe-issued W3C Verifiable Credentials (zkKYC, MeID, zkPoL, zkPoA, zkPoAI, AMLMe, zkKYB, zkKYA, etc.) | `credential_json`, `did`                           |

**`zkme_credential` field reference:**

* `credential_json` (object): complete W3C Verifiable Credential JSON with `@context`, `type`, `issuer`, `issuanceDate`, `credentialSubject`, `proof`, and other standard fields
* `did` (string): the user's decentralized identifier
* `zk_proof` (string, optional): zero-knowledge proof generated by zkMe (content varies by credential type)
* `credential_type` (string, optional): zkMe internal credential classification, e.g. `"zkKYC"`, `"zkPoAI"`, `"AMLMe"`, `"zkKYA"`
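
A pre-flight check of credential content against the field lists above, run before anything is entered in the console or passed to the SDK. This is an added example, not toani SDK code: `validate_credential`, the sample data, and the rule that fields not listed on this page are flagged are assumptions.

```python
# Added example, not toani SDK code. Field names come from the tables above;
# validate_credential and the sample values are constructed for illustration.
REQUIRED = {
    "username_password": {"username", "password"},
    "api_key": {"key"},
    "oauth_token": {"refresh_token"},
    "certificate": {"certificate"},
    "ssh_key": {"ssh_key"},
    "database_connection": {"host", "port", "database", "username", "password"},
    "zkme_credential": {"credential_json", "did"},
}
OPTIONAL = {"api_key": {"secret"}, "certificate": {"private_key"},
            "zkme_credential": {"zk_proof", "credential_type"}}
# Standard members the field reference lists for credential_json.
VC_MEMBERS = ("@context", "type", "issuer", "issuanceDate", "credentialSubject", "proof")


def validate_credential(cred_type, content):
    """Return a list of problems (field names only, never secret values)."""
    if cred_type not in REQUIRED:
        return [f"unknown credential type: {cred_type}"]
    required = REQUIRED[cred_type]
    allowed = required | OPTIONAL.get(cred_type, set())
    problems = [f"missing required field: {n}" for n in sorted(required)
                if content.get(n) in (None, "")]
    # Assumption: a field not listed on this page is a typo, so flag it.
    problems += [f"unexpected field: {n}" for n in sorted(set(content) - allowed)]
    cert = content.get("certificate")
    if cred_type == "certificate" and cert and "-----BEGIN CERTIFICATE-----" not in str(cert):
        problems.append("certificate is not PEM")
    if cred_type == "zkme_credential":
        vc, did = content.get("credential_json"), content.get("did")
        if isinstance(vc, dict):
            problems += [f"credential_json lacks {m}" for m in VC_MEMBERS if m not in vc]
        elif vc not in (None, ""):
            problems.append("credential_json must be an object")
        if did and not str(did).startswith("did:"):
            problems.append("did must start with 'did:'")
    return problems


# Constructed sample: a zkme_credential whose VC has no proof and a malformed DID.
SAMPLE_ZKME = {
    "credential_json": {"@context": [], "type": [], "issuer": "did:example:issuer",
                        "issuanceDate": "2024-01-01T00:00:00Z", "credentialSubject": {}},
    "did": "0xabc",
}
```

The returned messages name fields only, so they can be logged without exposing credential values.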

After creation, record the credential ID (format: `018f1b4e-...`), which is needed when calling the SDK.

### Step 3: Generate API Token

Go to **Token Management**, select the required permission scope and validity period, and click **Generate Token**.

> **Important**: The token is displayed only once; copy and save it immediately.

**Scope permissions:**

| Scope                | Description                                                      |
| -------------------- | ---------------------------------------------------------------- |
| `credential:read`    | View credential metadata (not plaintext)                         |
| `credential:write`   | Create and delete credentials                                    |
| `credential:decrypt` | Decrypt credentials to view plaintext (includes read permission) |
| `audit:read`         | View audit logs                                                  |
| `admin`              | Full permissions                                                 |

The generated token starts with `v4.local.` (PASETO v4 format) and is passed as the `token` parameter when initializing the SDK.
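
A least-privilege check for the scope table above, plus a structural check and log-safe form for the token. This is an added example, not toani SDK code: the function names and sample token are constructed, and the 64-byte minimum (32-byte nonce plus 32-byte tag) comes from the PASETO v4 specification rather than from this page. A `v4.local.` token is encrypted, so the scopes passed in are the ones you selected in the console, not something read from the token.

```python
import base64

# Added example, not toani SDK code. Scope names and the v4.local. prefix come
# from this page; the function names and sample token are constructed.
SCOPES = {"credential:read", "credential:write", "credential:decrypt", "audit:read", "admin"}
# Per the scope table: decrypt includes read, admin is full permissions.
IMPLIES = {"credential:decrypt": {"credential:read"}, "admin": SCOPES}


def effective_scopes(granted):
    """Expand a set of scopes with the scopes they include."""
    unknown = set(granted) - SCOPES
    if unknown:
        raise ValueError(f"unknown scope(s): {sorted(unknown)}")
    out = set(granted)
    for scope in granted:
        out |= IMPLIES.get(scope, set())
    return out


def excess_scopes(granted, needed):
    """Scopes the token carries beyond what the agent's task needs."""
    return sorted(effective_scopes(granted) - effective_scopes(needed))


def looks_like_vault_token(token):
    """Structural check only: v4.local. header, base64url payload, optional footer."""
    parts = token.split(".")
    if not token.startswith("v4.local.") or len(parts) not in (3, 4):
        return False
    try:
        raw = base64.urlsafe_b64decode(parts[2] + "=" * (-len(parts[2]) % 4))
    except ValueError:
        return False
    return len(raw) >= 64  # nonce (32) + tag (32), per PASETO v4


def redact(token):
    """Form that is safe to log: the header only, never the payload."""
    return "v4.local.<redacted>" if token.startswith("v4.local.") else "<redacted>"


# Constructed sample with an all-zero payload; not a real token.
SAMPLE_TOKEN = "v4.local." + base64.urlsafe_b64encode(bytes(80)).decode().rstrip("=")
```

For an agent that only needs to decrypt credentials, `excess_scopes({"admin"}, {"credential:decrypt"})` lists what an `admin` token grants beyond that need.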

## Next Steps

After pre-setup is complete, proceed to:

* [SDK Usage Guide](/toani-vault/getting-started/sdk.md) - Install SDK, manage credentials
* [CLI Usage Guide](/toani-vault/getting-started/cli.md) - Ops personnel manage credentials and configuration via command line
* [Sandbox Guide, WebSocket Section](/toani-vault/getting-started/sandbox.md) - Agents automatically execute web operations
* [API Reference](/toani-vault/getting-started/api-reference.md) - Complete HTTP endpoint list


