diff --git a/.env.example b/.env.example
index 0e3e131..1b0b61d 100644
--- a/.env.example
+++ b/.env.example
@@ -47,3 +47,9 @@
# where TIER ∈ AUTH | PROXY | AUTHED | GLOBAL
# and KNOB ∈ RATE | BURST | WINDOW | MAX | CONCURRENCY. Example:
# AGENT_VAULT_RATELIMIT_PROXY_BURST=50
+
+# Installer (install.sh only — not read by the server or CLI binary).
+# Set to any non-empty value to disable the anonymous install/upgrade beacon.
+# Must be passed to `sh`, not `curl`:
+# curl -fsSL https://get.agent-vault.dev | AGENT_VAULT_NO_TELEMETRY=1 sh
+# AGENT_VAULT_NO_TELEMETRY=1
diff --git a/docs/installation.mdx b/docs/installation.mdx
index 825ad8d..194c16c 100644
--- a/docs/installation.mdx
+++ b/docs/installation.mdx
@@ -13,11 +13,19 @@ Agent Vault ships as a single binary that acts as both a server and CLI client.
Works for both fresh installs and upgrades (backs up your database before upgrading).
```bash
- curl -fsSL https://raw.githubusercontent.com/Infisical/agent-vault/main/install.sh | sh
+ curl -fsSL https://get.agent-vault.dev | sh
```
Supports macOS (Intel + Apple Silicon) and Linux (x86\_64 + ARM64).
+
+ On a successful install the script sends an anonymous ping (OS, architecture, version — nothing else) so we can count installs for the launch. Opt out by placing `AGENT_VAULT_NO_TELEMETRY=1` in front of `sh`, not `curl`:
+
+ ```bash
+ curl -fsSL https://get.agent-vault.dev | AGENT_VAULT_NO_TELEMETRY=1 sh
+ ```
+
+
No build tools required. Pull the image and run:
@@ -73,7 +81,7 @@ cosign verify-blob \
Re-run the same install command — the script detects your existing installation, stops the running server, backs up your database, and installs the latest version:
```bash
- curl -fsSL https://raw.githubusercontent.com/Infisical/agent-vault/main/install.sh | sh
+ curl -fsSL https://get.agent-vault.dev | sh
```
Restart the server afterward:
diff --git a/docs/reference/cli.mdx b/docs/reference/cli.mdx
index 1f12b55..ebb5c47 100644
--- a/docs/reference/cli.mdx
+++ b/docs/reference/cli.mdx
@@ -968,3 +968,11 @@ Manage the master password that wraps the data encryption key (DEK). All command
Print the version and build information.
+
+## Installer
+
+The [`install.sh`](https://github.com/Infisical/agent-vault/blob/main/install.sh) script (`curl -fsSL https://get.agent-vault.dev | sh`) is not part of the `agent-vault` binary but reads one environment variable:
+
+| Variable | Default | Description |
+|----------|---------|-------------|
+| `AGENT_VAULT_NO_TELEMETRY` | (unset) | When set to any non-empty value, skips the anonymous install/upgrade beacon (OS, architecture, version — nothing else). Must be placed in front of `sh`, not `curl`: `curl -fsSL https://get.agent-vault.dev \| AGENT_VAULT_NO_TELEMETRY=1 sh`. |
diff --git a/docs/self-hosting/environment-variables.mdx b/docs/self-hosting/environment-variables.mdx
index 94ac61e..eccfe2e 100644
--- a/docs/self-hosting/environment-variables.mdx
+++ b/docs/self-hosting/environment-variables.mdx
@@ -28,6 +28,14 @@ Master password resolution order:
Never put `AGENT_VAULT_MASTER_PASSWORD` in Dockerfiles, committed `.env` files, or shell history. Use secret management features of your deployment platform (e.g., `fly secrets set`, Docker secrets, or your CI/CD provider's secret store).
+## Installer
+
+Read by [`install.sh`](https://github.com/Infisical/agent-vault/blob/main/install.sh) only — not by the server or the CLI binary.
+
+| Variable | Default | Description |
+|----------|---------|-------------|
+| `AGENT_VAULT_NO_TELEMETRY` | (unset) | When set to any non-empty value, skips the anonymous install/upgrade beacon that reports OS, architecture, and version. Must be placed in front of `sh`, not `curl`: `curl -fsSL https://get.agent-vault.dev \| AGENT_VAULT_NO_TELEMETRY=1 sh`. |
+
## Email SMTP configuration
Configure SMTP to enable Agent Vault to send emails for verification codes, vault invites, and notifications.
diff --git a/docs/self-hosting/local.mdx b/docs/self-hosting/local.mdx
index 25b0ce3..21afbf8 100644
--- a/docs/self-hosting/local.mdx
+++ b/docs/self-hosting/local.mdx
@@ -8,11 +8,19 @@ description: "Install and run Agent Vault on Linux or macOS using the install sc
Auto-detects your OS and architecture, downloads the latest release, and installs. Works for both fresh installs and upgrades.
```bash
-curl -fsSL https://raw.githubusercontent.com/Infisical/agent-vault/main/install.sh | sh
+curl -fsSL https://get.agent-vault.dev | sh
```
Supports macOS (Intel + Apple Silicon) and Linux (x86\_64 + ARM64).
+
+ On a successful install the script sends an anonymous ping (OS, architecture, version — nothing else) so we can count installs for the launch. Opt out by placing `AGENT_VAULT_NO_TELEMETRY=1` in front of `sh`, not `curl`:
+
+ ```bash
+ curl -fsSL https://get.agent-vault.dev | AGENT_VAULT_NO_TELEMETRY=1 sh
+ ```
+
+
Verify the installation:
```bash
@@ -114,9 +122,17 @@ See the [CLI reference](/reference/cli#ca) for all `agent-vault ca fetch` flags.
Re-run the same install command — the script detects your existing installation, stops the running server, backs up your database, and installs the latest version:
```bash
-curl -fsSL https://raw.githubusercontent.com/Infisical/agent-vault/main/install.sh | sh
+curl -fsSL https://get.agent-vault.dev | sh
```
+
+ On a successful upgrade the script sends the same anonymous ping (OS, architecture, version). Opt out by placing `AGENT_VAULT_NO_TELEMETRY=1` in front of `sh`, not `curl`:
+
+ ```bash
+ curl -fsSL https://get.agent-vault.dev | AGENT_VAULT_NO_TELEMETRY=1 sh
+ ```
+
+
Restart the server afterward:
```bash
diff --git a/install.sh b/install.sh
index 9027a03..c68580f 100755
--- a/install.sh
+++ b/install.sh
@@ -2,10 +2,14 @@
set -e
# Agent Vault installer
-# Usage: curl -fsSL https://raw.githubusercontent.com/Infisical/agent-vault/main/install.sh | sh
+# Usage: curl -fsSL https://get.agent-vault.dev | sh
#
# Supports: macOS (Intel + Apple Silicon), Linux (amd64 + arm64)
# Works for both fresh install and upgrade.
+#
+# Privacy: on successful install, sends an anonymous ping with OS, arch,
+# and version only — no identifiers, no IP retention. Opt out with:
+# curl -fsSL https://get.agent-vault.dev | AGENT_VAULT_NO_TELEMETRY=1 sh
REPO="Infisical/agent-vault"
INSTALL_DIR="/usr/local/bin"
@@ -156,7 +160,7 @@ main() {
INSTALLED_VERSION="$(agent-vault version 2>/dev/null || echo "")"
if [ -z "$INSTALLED_VERSION" ]; then
warn "Could not verify installed binary."
- if [ -n "$EXISTING_VERSION" ]; then
+ if [ -n "$BACKUP_FILE" ]; then
warn "A database backup was saved at: ${BACKUP_FILE}"
fi
error "Installation may have failed. Check that ${INSTALL_DIR} is in your PATH."
@@ -167,7 +171,9 @@ main() {
if [ -n "$EXISTING_VERSION" ] && [ "$EXISTING_VERSION" != "unknown" ]; then
info "Upgraded from ${EXISTING_VERSION}"
- info "Database backup: ${BACKUP_FILE}"
+ if [ -n "$BACKUP_FILE" ]; then
+ info "Database backup: ${BACKUP_FILE}"
+ fi
fi
if [ "$SERVER_WAS_RUNNING" = true ]; then
@@ -176,6 +182,16 @@ main() {
info "Run 'agent-vault server' to start it again."
info "Database migrations (if any) will run automatically on startup."
fi
+
+ # Anonymous completion beacon. No PII, no identifiers.
+ # Opt out: AGENT_VAULT_NO_TELEMETRY=1
+ if [ -z "$AGENT_VAULT_NO_TELEMETRY" ]; then
+ EVENT="install"
+ if [ -n "$EXISTING_VERSION" ] && [ "$EXISTING_VERSION" != "unknown" ]; then
+ EVENT="upgrade"
+ fi
+ curl -fsS -m 3 "https://get.agent-vault.dev/ok?os=${OS}&arch=${ARCH}&v=${LATEST}&event=${EVENT}" >/dev/null 2>&1 || true
+ fi
}
main "$@"
diff --git a/web/src/pages/Register.tsx b/web/src/pages/Register.tsx
index 6aec443..9ca7fd5 100644
--- a/web/src/pages/Register.tsx
+++ b/web/src/pages/Register.tsx
@@ -63,7 +63,7 @@ function InviteOnlyNotice() {
);
}
-const INSTALL_COMMAND = "curl -fsSL https://raw.githubusercontent.com/Infisical/agent-vault/main/install.sh | sh";
+const INSTALL_COMMAND = "curl -fsSL https://get.agent-vault.dev | sh";
function CommandBlock({ command }: { command: string }) {
const [copied, setCopied] = useState(false);