
Connect Frona to your existing password manager so agents can access secrets from your vault. Once connected, agents request access through the approval flow. They never get direct access to your vault.

Two ways to connect

  • Through the UI. Add a connection from the vault management page. Good for trying things out or managing connections one at a time.
  • Through environment variables. Set configuration in your deployment so the vault connects automatically on startup. Best for production deployments.

Connections configured via environment variables are marked as system-managed and sync automatically when the server restarts.

Setting up 1Password

1Password connects via a service account token.

Step by step:

  1. In 1Password, go to Settings → Integrations → Service Accounts
  2. Create a new service account and grant it access to the vaults your agents need
  3. Copy the service account token
  4. Add to your config:

     ```yaml
     FRONA_VAULT_ONEPASSWORD_SERVICE_ACCOUNT_TOKEN: "your-service-account-token"
     FRONA_VAULT_ONEPASSWORD_VAULT_ID: "your-vault-id"  # optional, limits which vault to search
     ```

  5. Restart Frona. The connection appears automatically in the vault management page.

Setting up Bitwarden

Bitwarden connects via the CLI using API credentials.

```yaml
FRONA_VAULT_BITWARDEN_CLIENT_ID: "your-client-id"
FRONA_VAULT_BITWARDEN_CLIENT_SECRET: "your-client-secret"
FRONA_VAULT_BITWARDEN_MASTER_PASSWORD: "your-master-password"
# For self-hosted Bitwarden:
# FRONA_VAULT_BITWARDEN_SERVER_URL: "https://bitwarden.example.com"
```

Get your API credentials from Bitwarden's web vault under Settings → Security → Keys → API Key.

Setting up HashiCorp Vault

Connects directly via the HashiCorp Vault API.

```yaml
FRONA_VAULT_HASHICORP_ADDRESS: "http://localhost:8200"
FRONA_VAULT_HASHICORP_TOKEN: "your-vault-token"
# FRONA_VAULT_HASHICORP_MOUNT: "secret"  # optional, defaults to "secret"
```

Setting up KeePass

Opens a local KeePass database file.

```yaml
FRONA_VAULT_KEEPASS_PATH: "/path/to/database.kdbx"
FRONA_VAULT_KEEPASS_PASSWORD: "your-master-password"
```

The .kdbx file must be accessible from the Frona server.

Setting up Keeper

Connects to Keeper's cloud-based secrets management.

```yaml
FRONA_VAULT_KEEPER_APP_KEY: "your-app-key"
# FRONA_VAULT_KEEPER_SERVER: "custom-server"  # optional
```

Managing connections

Once a vault is connected, you can:

  • Test the connection to verify it's working
  • Enable/disable a connection without removing it
  • Search for items within a connected vault
  • Remove a connection entirely

How credentials reach agents

When an agent's credential request is approved, the platform retrieves the secret from the vault and delivers it as environment variables. The env_var_prefix in the request determines the variable names.

For example, with prefix GITHUB:

  • GITHUB_USERNAME. The username field.
  • GITHUB_PASSWORD. The password field.
  • Custom fields become GITHUB_{FIELD_NAME}

This means agents and apps receive credentials as environment variables without ever seeing raw vault data in conversation.

Troubleshooting

  • "Connection failed". Check that the credentials (token, password, etc.) are correct and the vault server is reachable from the Frona server.
  • "No items found". The service account or API key may not have access to the vault/folder you're searching. Check permissions in your password manager.
  • "Vault not connecting on startup". Verify that all required environment variables are set. Missing a required variable (like the token) silently skips the connection.
  • Credentials not updating. Vault data is fetched fresh on each approved request. If you updated a secret in your vault, the agent gets the new value on its next access.
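
Because a missing required variable silently skips the connection, a pre-start check can catch a half-configured provider before Frona boots. The script below is an added example, not part of Frona. It assumes that every variable this page shows without an "optional" note is required, and the `preflight` function and its messages are hypothetical names.

```python
import os

# Assumption: variables the page lists without an "optional" note are required.
REQUIRED = {
    "ONEPASSWORD": ["SERVICE_ACCOUNT_TOKEN"],
    "BITWARDEN": ["CLIENT_ID", "CLIENT_SECRET", "MASTER_PASSWORD"],
    "HASHICORP": ["ADDRESS", "TOKEN"],
    "KEEPASS": ["PATH", "PASSWORD"],
    "KEEPER": ["APP_KEY"],
}
PREFIX = "FRONA_VAULT_"


def preflight(env=None):
    """Return {provider: [problems]} for providers that are only partly configured.

    A provider with none of its variables set is treated as intentionally unused.
    Only variable names are reported; secret values are never echoed.
    """
    env = os.environ if env is None else env
    findings = {}
    for provider, required in REQUIRED.items():
        base = f"{PREFIX}{provider}_"
        # Any non-empty variable under this prefix signals intent to use the provider.
        configured = {k for k, v in env.items() if k.startswith(base) and v.strip()}
        if not configured:
            continue
        problems = []
        for suffix in required:
            name = base + suffix
            value = env.get(name, "").strip()
            if not value:
                problems.append(f"{name} is missing or empty")
            elif value.startswith("your-") or value.startswith("/path/to/"):
                problems.append(f"{name} still holds the documentation placeholder")
        if problems:
            findings[provider] = problems
    return findings


if __name__ == "__main__":
    import sys
    result = preflight()
    for provider, problems in result.items():
        for problem in problems:
            print(f"[{provider}] {problem}", file=sys.stderr)
    sys.exit(1 if result else 0)
```

Run it in the same environment as the Frona server, for example as a container entrypoint step, and treat a non-zero exit as a failed deployment.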

Tips

  • Use 1Password or Bitwarden for personal use. They're the easiest to set up with service accounts.
  • Use HashiCorp Vault for infrastructure. It's the best fit for teams with existing infrastructure automation.
  • Test the connection after setup. Use the "Test" button in the vault management page to verify everything works before agents try to use it.
  • Scope access narrowly. In your password manager, give the service account access only to the vaults/folders agents need, not your entire password database.
