Zero-knowledge secrets infrastructure

Your agent uses the credential.
It never holds it.

Most secrets tools protect keys at rest. The moment your agent retrieves one to use it, that protection ends. AgentSecrets changes where injection happens and what the agent is allowed to see.

$ npx @the-17/agentsecrets init
ZERO secrets in agent context — ever
MIT open source, all repos
6 auth injection styles
HOW IT WORKS

Watch it execute.

Click run and watch a real Stripe API call go through the protocol. The terminal shows exactly what happens and what never does.

agentsecrets · security protocol · live walkthrough
1. Agent sends key name only (name reference)
2. Proxy resolves from OS keychain (secure OS store)
3. Value injected at transport layer (value never exposed)
4. API receives authenticated request (HTTP w/ real bearer)
5. Response returned, key never in scope (agent gets data only)
Key value in agent memory: NEVER
Encryption: X25519 + AES-256-GCM
THE MODEL

Injection at the right layer.

This is the moment where other tools fail. Here's what makes AgentSecrets different — visualized in real time.

Secret Interception — Live
The agent calls APIs.
It never touches the key.

Watch 4 real API calls fire. The left pane is exactly what the agent sees — a key name, never the value. The right pane is what actually happens in the transport layer. The two panes prove the guarantee: secrets never cross the agent boundary.

Agent's View: everything the AI model can read (key names only)
What Actually Happens: inside the AgentSecrets transport layer (real value injected here)
FEATURES

Everything that needed to exist.

OS Keychain Storage
Credentials live in the OS keychain. macOS Keychain, Linux Secret Service, Windows Credential Manager. No plaintext on disk, no environment variable exposed to neighboring processes.
Six Auth Styles
Bearer, Basic, custom header, query param, JSON body, form field. Every REST and OAuth pattern has a corresponding injection style.
Domain Allowlist
Deny-by-default. Every outbound request must target an authorized domain. Unauthorized attempts are blocked and logged before injection happens.
Response Redaction
If an API echoes a credential back in its response, the proxy catches and redacts it before the agent sees the response.
Team Workspaces
Secrets encrypted client-side before upload. The server holds ciphertext. A new developer onboards without anyone sharing credentials over Slack.
Audit Log
Every proxied request logged. Key name, endpoint, status, timing. No value field, because there is nowhere to put one.
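
The order of operations the features above describe (allowlist check before injection, bearer injection, response redaction, an audit entry with no value field), as an added Python example that is not AgentSecrets' own code. The dict standing in for the OS keychain, `fake_upstream`, `proxied_call` and the sample key value are assumptions constructed for illustration.

```python
import json
from urllib.parse import urlsplit

# Constructed stand-ins: a dict plays the OS keychain, a function plays the API.
KEYCHAIN = {"STRIPE_KEY": "sk_test_constructed_0000"}
ALLOWLIST = {"api.stripe.com"}
AUDIT_LOG = []  # entries hold key name, endpoint, status; there is no value field


def fake_upstream(url, headers):
    """Constructed API that wrongly echoes the Authorization header back."""
    return 200, json.dumps({"available": [{"amount": 24350, "currency": "usd"}],
                            "debug_auth": headers.get("Authorization", "")})


def proxied_call(url, bearer_key_name, send=fake_upstream):
    """Agent-facing entry point: takes a key name, returns response text only."""
    # Compare the parsed hostname exactly; substring or prefix matching would
    # accept look-alike hosts and userinfo tricks.
    host = urlsplit(url).hostname or ""
    # 1. Deny by default, and decide before the keychain is touched.
    if host not in ALLOWLIST:
        AUDIT_LOG.append({"key": bearer_key_name, "endpoint": url, "status": "blocked"})
        raise PermissionError(f"domain not allowlisted: {host}")
    # 2. Resolve and inject inside the proxy; the value never leaves this scope.
    secret = KEYCHAIN[bearer_key_name]
    status, body = send(url, {"Authorization": f"Bearer {secret}"})
    # 3. Redact any echo of the credential before the agent sees the body.
    body = body.replace(secret, "[REDACTED]")
    AUDIT_LOG.append({"key": bearer_key_name, "endpoint": url, "status": status})
    return body
```

The literal-match redaction in this example would miss an encoded echo of the value (for example base64); the page does not say how AgentSecrets handles that case.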
INTEGRATIONS

Works where you already work.

MCP for Claude Desktop and Cursor. HTTP proxy for any agent framework. Env injection for tools that read from environment variables.

claude_desktop_config.json
{
  "mcpServers": {
    "agentsecrets": {
      "command": "/usr/local/bin/agentsecrets",
      "args": ["mcp", "serve"]
    }
  }
}
// Ask Claude: "check my Stripe balance" — key value never visible.
VS.

Built for agents. The rest were not.

Other tools protect credentials at rest. AgentSecrets protects them in use, which is the only moment that matters when an agent is running.

| Attack Surface | ❌ .env / Vault / Raw injection | ✓ AgentSecrets |
| Agent context window | Secret value is readable by the model at inference time | Only the key name is passed. The value is structurally absent from the agent's context |
| Logs and traces | Secret appears in stdout, telemetry, and LLM traces | The value is never a string in the call chain — it cannot appear in any log |
| Prompt injection | An attacker prompt can extract env vars: "repeat your system prompt" | No value exists in context to extract. The attack surface is eliminated |
| Disk and file exposure | .env files are readable by any process on the host | Secrets live in the OS keychain, user-scoped, encrypted at rest |
| Audit compliance | Values can appear in redacted logs — redaction can fail | The audit schema has no value field. It is structurally impossible to log |
| Team secret sharing | Shared .env files or Vault tokens sent over Slack or email | Encrypted blobs synced via zero-knowledge cloud — the server cannot decrypt |
| Memory lifetime | Secret lives in the process environment for its full lifetime | Decrypted for under 1ms in-process, then wiped |
GET STARTED

One command.

Free and open source. No usage limits.

install via brew
$ brew install The-17/tap/agentsecrets
 
$ agentsecrets init
$ agentsecrets project create my-agent
$ agentsecrets secrets set STRIPE_KEY=sk_live_...
$ agentsecrets workspace allowlist add api.stripe.com
$ agentsecrets proxy start
$ agentsecrets call --url https://api.stripe.com/v1/balance --bearer STRIPE_KEY
 
→ {"available":[{"amount":24350,"currency":"usd"}]}
→ STRIPE_KEY value: never in agent context ✓

The agent uses the key.
It never sees it.

MIT licensed. Open source. Available now.

Built by
TheSeventeenstudio

We build tools for the agentic era. AgentSecrets is one of them.