Skip to main content

Backend Integration

Vaultkit isn’t just for user-facing applications. You can also use it for:
  • Internal agents (backend services that act on behalf of users)
  • Scheduled jobs (automated tasks that need to call external APIs)
  • Multi-tenant systems (per-user vault provisioning on the server)
The key difference from user-facing flows is that there’s no UI component layer—you’re managing vaults and connections directly.

Pre-configured vaults (simplest)

If you have a static vault already set up in the Vaultkit dashboard, you can connect directly without any UI. For an introduction to vaults and how they work, see Core Concepts. 
import { createVaultkitClient } from "@vaultkit/ai-sdk";

// Backend service connecting to a pre-configured vault
const vaultkit = createVaultkitClient({
  apiKey: process.env.VAULTKIT_API_KEY,
  userId: "user_123", // the end user this action is on behalf of
  vaultId: "vault_abc123", // your pre-configured vault
});

await vaultkit.connect();

// vaultkit.tools is now ready to use with your LLM or directly
console.log(`Connected. Found ${vaultkit.tools.length} tools.`);

// Use tools directly or pass to your LLM runtime
const result = await vaultkit.tools[0].execute({ /* params */ });

Dynamic vault provisioning (per-user)

For multi-tenant systems where each user gets their own vault, use feature mappings: 
import { createVaultkitClient } from "@vaultkit/ai-sdk";

async function provisionUserVault(userId: string) {
  const vaultkit = createVaultkitClient({
    apiKey: process.env.VAULTKIT_API_KEY,
    userId: userId,
    featureMappingId: "feat_internal_automation", // your feature template
  });

  await vaultkit.connect();

  // Vaultkit automatically created/found a vault for this user
  return vaultkit.tools;
}
The first time a user connects, Vaultkit creates a vault from the feature mapping. Subsequent calls reuse the existing vault.

Restricting providers and scopes

You can further limit which providers or permissions a vault has: 
const vaultkit = createVaultkitClient({
  apiKey: process.env.VAULTKIT_API_KEY,
  userId: "user_456",
  featureMappingId: "feat_automation",
  selectedProviders: ["gmail", "slack"], // only enable these two
  selectedScopes: ["read"], // read-only access
});

await vaultkit.connect();
This is useful for:
  • Least privilege: Only enable the providers a job actually needs
  • Customer restrictions: Limit what an agent can do for a particular user
  • Testing: Create isolated vaults with limited permissions

Example: Scheduled email automation

import { createVaultkitClient } from "@vaultkit/ai-sdk";
import { generateText } from "ai";
import { openai } from "@ai-sdk/openai";

async function dailyEmailDigest(userId: string) {
  // Get tools for this user's vault
  const vaultkit = createVaultkitClient({
    apiKey: process.env.VAULTKIT_API_KEY,
    userId: userId,
    vaultId: "vault_email_digest", // pre-configured vault for this job
  });

  await vaultkit.connect();

  // Use with Vercel AI SDK to generate an email
  const { text } = await generateText({
    model: openai("gpt-4"),
    tools: vaultkit.tools,
    prompt: "Create a daily digest of unread emails and send a summary.",
  });

  console.log(`Digest sent for user ${userId}`);
  return text;
}

// Run daily via cron, GitHub Actions, etc.
await dailyEmailDigest("user_789");

Error handling

Backend flows should handle disconnections and retries: 
import { AuthenticationError, ConnectionError } from "@vaultkit/ai-sdk";

try {
  const vaultkit = createVaultkitClient({
    apiKey: process.env.VAULTKIT_API_KEY,
    userId: userId,
    vaultId: vaultId,
    retries: 5, // more retries for reliability
    timeout: 60000, // longer timeout for batch jobs
  });

  await vaultkit.connect();
} catch (error) {
  if (error instanceof AuthenticationError) {
    console.error("Invalid API key or vault ID");
    // Handle auth failure (don't retry)
  } else if (error instanceof ConnectionError) {
    console.error("Network error - may retry");
    // Retry logic here
  }
}

Logging and observability

For backend services, enable detailed logging: 
const vaultkit = createVaultkitClient({
  apiKey: process.env.VAULTKIT_API_KEY,
  userId: userId,
  vaultId: vaultId,
  log: (level, message, data) => {
    // Send to your observability stack (DataDog, New Relic, etc.)
    console.log(`[vaultkit:${level}] ${message}`, data);
  },
});

No UI components needed

Backend flows don’t use FeatureSelect, AuthComponent, or VaultkitProvider. Manage everything programmatically with createVaultkitClient directly. For more configuration options, see SDK Configuration.