Skip to main content
OneCLI is an open-source credential and policy layer for AI agents. Store credentials once, inject them at request time, and control what your agents can do. Your agents never see the keys. Under the hood, OneCLI runs a transparent proxy that intercepts outgoing HTTP requests, checks them against your rules, injects credentials from an encrypted vault, and forwards them to the right service. No code changes needed. Manage everything from the web dashboard.

How it works

onecli: Agent Vault

Run OneCLI as a Docker container. Point your agent’s HTTP traffic through it. OneCLI checks rules, injects stored credentials, and forwards requests to the target service. Your agent code doesn’t change at all.
docker run --pull always -p 10254:10254 -p 10255:10255 -v onecli-data:/app/data ghcr.io/onecli/onecli
The Agent Vault goes beyond secrets storage. Credentials are AES-256-GCM encrypted at rest and injected per-request. Your agents never hold raw API keys. On top of that, rules let you block operations, rate-limit sensitive actions, and scope access per agent. The web dashboard lets you manage agents, secrets, rules, and audit logs from one place.

Get started

Quickstart

Set up OneCLI and connect your first service in minutes.

How it works

Platform architecture: proxy, vault, rules, dashboard, and how the pieces fit together.

Rules

Block operations, rate-limit actions, and scope access per agent.

SDKs

Language SDKs for integrating with OneCLI programmatically.

Beyond secrets management

Why traditional vaults aren’t enough for AI agents.

Why we built this

skill + cli > mcp. The philosophy behind OneCLI.