
Zero-Knowledge Credentials for AI Agents: Secure credential infrastructure without exposing raw values at any step.

MODEL

Every secrets tool built before the agentic era was designed around the same assumption: the application is trusted.

Store the credential securely, retrieve it at runtime, use it. That model worked because applications do exactly what their code says. They cannot be redirected by a malicious instruction embedded in a document they process. The assumption of trust was reasonable, and the infrastructure built on it reflects that.


AI agents are not applications. The coding assistant reading your codebase right now can also read your .env file. The agent you are deploying into production processes untrusted content and acts on what it finds. In both cases, the moment a credential value exists anywhere in the agent's context — in memory, in a file it can access, in an environment it can read — the old model's job is done and the exposure has already begun.


The developers who feel this most acutely are building the most capable agents and working with the most powerful AI assistants. The more the agent can do, the more it matters where the credential lives when it does it.


AgentSecrets is a zero-knowledge credential infrastructure built for the AI-agent era. It secures the full lifecycle of credential usage — storing, syncing across environments and teams, detecting drift, and auditing every call — while ensuring the credential value itself never enters the agent's context. Whether you are shipping an autonomous agent or building with an AI coding assistant, the agent uses credentials it was never given.

WORKFLOW

The agent lifecycle, without exposure.

1. Store Credentials
$ agentsecrets secrets set OPENAI_API_KEY=sk_...
Encrypted locally. Stored in zero-knowledge vault.

The agent managed the complete workflow autonomously. No credential value appeared at any step.

FEATURES

OS Keychain Storage

Credentials reside securely within the native OS keychain—macOS Keychain, Linux Secret Service, or Windows Credential Manager. Plaintext is never written to disk, and no environment variable is exposed for neighboring processes to scrape.

Zero-Knowledge Proxy

All credentialed traffic routes through a secure proxy. Keys are resolved from the keychain and injected at the transport layer, and only the API response is returned to the agent. The credential value is not exposed in memory, logs, or CLI execution.

Layered Enforcement

Requests pass through a multi-stage pipeline before key resolution. Agent capabilities restrict credential access, the domain allowlist controls outbound destinations, and secrets policies define usage rules. Each enforcement layer is independent, composable, and extensible.

Secrets Policy

Define granular usage rules for individual credentials—restricting target endpoints, HTTP methods, and response behavior. Policies can block unauthorized requests or trigger interactive developer approval. This is credential-level governance built for autonomous agent workflows.

Agent Identity & Capabilities

Bind agents and workflows to unique cryptographic identities. Scope access permissions to specific projects, environments, and credentials. All execution is cryptographically attributed to a verified identity, eliminating the risks of shared wildcard API keys.

Forensic Audit Log

Capture immutable snapshots of the complete system state at the millisecond of execution. Logs record the active allowlists, agent capabilities, secrets policies, and specific pipeline decisions. Instantly verify log integrity or replay events for forensic audit.

Response Redaction

Prevent credentials from leaking through downstream outputs. If an external API echoes a secret back in its payload, the proxy dynamically redacts it before delivery. The zero-knowledge architecture protects both outbound requests and incoming responses.
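The request path described in the Zero-Knowledge Proxy, Layered Enforcement and Response Redaction sections above, modelled in a few functions as an added example (this is not AgentSecrets code). The `{{NAME}}` placeholder syntax, the dict standing in for the OS keychain, the deny-by-default policy and all function names are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit

# Constructed stand-ins: a dict plays the OS keychain; the value is fake.
KEYCHAIN = {"GITHUB_TOKEN": "constructed-secret-value-123"}
ALLOWLIST = {"api.github.com"}                     # domain allowlist
CAPABILITIES = {"ci-agent": {"GITHUB_TOKEN"}}      # agent -> usable names
POLICY = {"GITHUB_TOKEN": {"methods": {"GET"}}}    # per-credential rule
PLACEHOLDER = re.compile(r"\{\{([A-Z0-9_]+)\}\}")  # hypothetical syntax


class Denied(Exception):
    """Raised by an enforcement layer before any key is resolved."""


def inject(agent, method, url, headers):
    """Run every enforcement layer, then swap names for values."""
    host = urlsplit(url).hostname
    if host not in ALLOWLIST:
        raise Denied(f"allowlist: {host}")
    names = {n for v in headers.values() for n in PLACEHOLDER.findall(v)}
    for name in sorted(names):
        if name not in CAPABILITIES.get(agent, set()):
            raise Denied(f"capability: {agent} may not use {name}")
        # Assumption: a credential with no policy entry is denied.
        if method not in POLICY.get(name, {}).get("methods", set()):
            raise Denied(f"policy: {method} not allowed for {name}")
        if name not in KEYCHAIN:
            raise Denied(f"unknown credential: {name}")
    resolved = {k: PLACEHOLDER.sub(lambda m: KEYCHAIN[m.group(1)], v)
                for k, v in headers.items()}
    return resolved, names


def redact(body, names):
    """Replace any injected value the upstream echoed back."""
    for name in names:
        body = body.replace(KEYCHAIN[name], f"[REDACTED:{name}]")
    return body


def proxy(agent, method, url, headers, upstream):
    """upstream(method, url, headers) -> str stands in for the HTTP call."""
    resolved, names = inject(agent, method, url, headers)
    return redact(upstream(method, url, resolved), names)
```

Exact-match redaction as written here misses a value that the upstream returns in an encoded form such as base64, so a production redactor has to cover those encodings as well.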

Team Workspaces

Encrypt credentials client-side before cloud synchronization so the server holds only unreadable ciphertext. Onboard developers seamlessly without sharing plaintext credentials over Slack, email, or chat, keeping your configuration files completely zero-disk.

Anti-Impersonation Keychain Auth

Restrict keychain access using kernel-level process verification, validating parent PIDs, binary paths, and SHA-256 signatures. Unauthorized scripts, background malware, and rogue tooling are blocked from querying credentials even if running on the same host.

Zero trust. Absolute security.

AgentSecrets provides a zero-knowledge credential infrastructure for AI agents, enforcing layered governance policies and transient injection. Your keys never touch the agent's context.

PLATFORM — INTEGRATION

Use Agent Secrets in the way that fits your stack

Native OpenClaw Support

AgentSecrets ships as a native exec provider for OpenClaw's SecretRef system. When your workflow references a credential, OpenClaw calls the AgentSecrets binary directly to resolve it. The value is injected at execution time and never written to any OpenClaw config file.

openclaw skill install agentsecrets
# Or the exec provider directly:
agentsecrets exec
# agentsecrets reads SecretRef from stdin,
# resolves the value, injects it.
# The calling OpenClaw skill never sees the value.

PLATFORM — BUILD ON AGENT SECRETS

Make Agent Secrets part of your product

Use Agent Secrets as the base, then extend it to build the secure credentials infrastructure your product needs.

SDKs & TOOLS

Integrate at the runtime layer

Integrate AgentSecrets directly into your application logic using our client libraries.

Native Python SDK

Secure your agent's integrations at the runtime layer. The Python SDK transparently hooks HTTP clients to the governance proxy, preventing prompt injection leaks without changing your application code.

Modern JS/TS SDK

Integrate zero-knowledge secret injection into Node.js or Bun agent frameworks like LangChain. Credentials are resolved at the transport layer, never in-memory.

ECOSYSTEM

Built on Agent Secrets

Explore tools and platforms built on top of our secure credentials infrastructure.

Zero-knowledge MCP

Build and run Model Context Protocol (MCP) servers where credential values never enter the server's process memory. API keys are injected at the transport layer by the local proxy during outbound tool calls.

Enterprise Dashboard

A premium interface to manage workspaces, rotated secrets, and real-time audit logs. Complete visibility into your agent's security posture.

SUPPORT

Frequently Asked Questions

Zero. Setup is virtually instantaneous. You can initialize the infrastructure in exactly 10 seconds with a single command: `npx @the-17/agentsecrets init`. There are no configuration files to manage, no SDK code modifications required, and no custom networking needed. It sits silently under your application process layer. You keep writing your code exactly as you do today.

AI coding assistants and local LLMs are fully capable of reading files within your workspace, including raw `.env` files containing highly sensitive production API keys. By migrating your `.env` values to AgentSecrets, your local workspace contains zero plaintext credentials. When your code runs, the values are securely fetched from your OS keychain and injected at runtime. Your coding assistant can read your entire workspace, edit your files, and execute helper tasks, but it is physically blind to your raw secrets.

Traditional secrets managers load credentials into process memory or environment variables, which can be easily extracted by an LLM via prompt injection. AgentSecrets uses a local loopback HTTP proxy. Your agent workflows or MCP servers reference keys only by their name (e.g., `GITHUB_TOKEN`). The local proxy intercepts outbound HTTP requests, fetches the credential from the OS keychain, injects it into the request header at the transport layer, and forwards the request. The agent process only receives the final API response—the raw key value never enters the agent's memory or context.

Standard OS keychains allow any process running under your user session to query and retrieve credentials without sandboxing. AgentSecrets integrates with a connection-bound security daemon (`keychain-auth`) that uses kernel-level process verification (e.g., `SO_PEERCRED` on Linux, `LOCAL_PEERPID` on macOS). It retrieves the caller's true PID, resolves its executable path, verifies its SHA-256 binary hash against a user-approved database, and enforces strict namespace permissions. Unapproved scripts or background malware are blocked from accessing your keys.

Because the AgentSecrets proxy runs entirely on the loopback interface (localhost), there is zero network transit latency. Resolving credentials from the local OS keychain and performing transport-layer injection introduces a negligible overhead of less than 2-3 milliseconds per request. This is virtually imperceptible compared to the round-trip latency of LLM APIs or upstream network requests.

Yes. Every project in AgentSecrets is pre-configured with three isolated environments: development, staging, and production. You can scope your credentials (e.g., `STRIPE_KEY`) specifically to any of these three environments. The local proxy automatically enforces boundaries, preventing local development runs or test agents from accidentally calling production endpoints or injecting production-level keys, keeping your test and live environments strictly separated.

When syncing secrets across a team, credentials are encrypted client-side using NaCl SealedBox (Curve25519) public-key cryptography before being sent to the sync server. The server stores only the encrypted ciphertext. Since the sync server never holds the private key or the plaintext credentials, a compromise of the sync server infrastructure yields zero readable secrets. New team members can onboard and fetch workspace configurations seamlessly without keys ever being exposed in plaintext.

AgentSecrets is designed local-first: all credential resolution, anti-impersonation process checks, and local transport-layer proxy injections occur entirely on your local machine (using loopback interfaces and your secure OS keychain). This local pipeline runs completely offline. However, the system relies on the secure API backend server for coordination tasks: user authentication, workspace synchronization, key rotation policies, and issuing verifiable cryptographic agent tokens for remote or containerized agent runtimes.

Yes. AgentSecrets is framework-agnostic. Because it injects credentials at the transport layer via a local HTTP proxy, any tool, library, or language that can route HTTP traffic through a proxy is supported. This includes LangChain, CrewAI, AutoGen, LlamaIndex, the official OpenAI and Anthropic SDKs, or even a simple `curl` command in bash.
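
The caller check described in the `keychain-auth` answer above, sketched for Linux as an added example (not AgentSecrets code): it reads the peer's PID from `SO_PEERCRED`, hashes the running image through `/proc/<pid>/exe`, and looks the digest up in an approved table. The `approved` mapping, the `namespace` argument and the function names are assumptions made for illustration.

```python
import hashlib
import os
import socket
import struct


def peer_credentials(conn):
    """Return (pid, uid, gid) of the peer of a connected AF_UNIX socket.

    The kernel records these at connect()/socketpair() time, so the
    client cannot forge them by what it writes on the socket.
    """
    size = struct.calcsize("iII")          # struct ucred: pid, uid, gid
    raw = conn.getsockopt(socket.SOL_SOCKET, socket.SO_PEERCRED, size)
    return struct.unpack("iII", raw)


def sha256_file(path):
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def authorize(conn, approved, namespace):
    """approved maps a SHA-256 hex digest to the namespaces it may read.

    Returns (allowed, reason). Both names are hypothetical.
    """
    pid, uid, _gid = peer_credentials(conn)
    if uid != os.getuid():
        return False, "peer runs as a different user"
    try:
        # /proc/<pid>/exe opens the image that is actually running, even
        # if the file at its original path was replaced afterwards.
        digest = sha256_file(f"/proc/{pid}/exe")
    except OSError:
        return False, "peer exited or its executable is unreadable"
    # For a script this is the interpreter's hash, so approving an
    # interpreter approves every script it runs.
    if namespace not in approved.get(digest, set()):
        return False, "binary not approved for this namespace"
    return True, "ok"
```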