MIT Licensed · Zero-Knowledge · MCP + OpenClaw + SDK

Your agent calls APIs.
It never sees the key.

AgentSecrets is a zero-knowledge credential proxy. Your agent calls any authenticated API using a key name. The value is resolved from your OS keychain and injected at the transport layer. The agent receives the API response. It never sees the secret.

View on GitHub
$ brew install The-17/tap/agentsecrets
ZERO secrets in agent context — ever
MIT open source, all repos
6 auth injection styles
Security Protocol

Watch the zero-knowledge protocol execute

The walkthrough below traces AgentSecrets handling a real Stripe API call, showing exactly what happens at each stage and what never does.

agentsecrets · security protocol · live walkthrough

1. AI Agent Request: key name only
2. OS Keychain Lookup: secure OS store
3. Transport Injection: value never exposed
4. API Call: HTTP with real bearer
5. Response Returned: key never in scope
Key value in agent memory: NEVER
Encryption: X25519 + AES-256-GCM
Live Demonstration

Side-by-side: agent view vs. reality

This is the moment where other tools fail. Here's what makes AgentSecrets different — visualized in real time.

Secret Interception — Live
The agent calls APIs.
It never touches the key.

The demo fires four real API calls. The left pane is exactly what the agent sees: a key name, never the value. The right pane is what actually happens in the transport layer. Together the two panes demonstrate the guarantee: secrets never cross the agent boundary.

Agent's View (everything the AI model can read): key names only.
What Actually Happens (inside the AgentSecrets transport layer): the real value is injected here.
Features

Everything an agent needs to operate securely

Zero-knowledge at every layer — not just at the point of API injection.

OS Keychain Storage
Secrets live in macOS Keychain, Linux Secret Service, or Windows Credential Manager. Never on disk as plaintext. Never in environment variables. The OS enforces access control — other processes cannot read your credentials.
Transport-Layer Injection
The credential value is resolved inside the proxy and injected at the HTTP transport layer — after the agent boundary. It never appears in any MCP tool call, SDK method signature, or subprocess argument.
Domain Allowlist
The proxy is deny-by-default. Every domain must be explicitly authorized. SSRF attacks and prompt injection exfiltration attempts are blocked before any credential is injected. Allowlist changes require admin role and password.
Response Body Redaction
The proxy scans every API response for patterns matching the injected value. If a credential echo is detected, it is replaced with [REDACTED_BY_AGENTSECRETS] before the response reaches your code. The attempt is logged.
Zero-Knowledge Cloud Sync
X25519 key exchange plus AES-256-GCM with Argon2id key derivation. The server stores only ciphertext. It holds no encryption keys and cannot decrypt your secrets. Share across machines and teammates without any plaintext leaving your device.
Team Workspaces
Multiple members share a project's encrypted secret store. Role-based access control per key. Admins manage the domain allowlist. Every access is logged by key name — never by value.
Structural Audit Log
JSONL entries after every proxied request: timestamp, key name, endpoint, status, latency. The value column does not exist in the schema. Omission is stronger than redaction — what was never written cannot be leaked.
MCP Native
First-class Claude Desktop and Cursor integration via Model Context Protocol. One command auto-configures your client. Claude can call any authenticated API — it never sees a credential value.
Python SDK
The SDK has no get() method. The only way to use a credential is to make the call or spawn the process. client.call(), client.spawn(), and the full management layer — workspaces, projects, allowlist, audit log — all from Python.
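The allowlist check, transport-layer injection, response-body redaction and value-less audit entry described in the features above, condensed into one model proxy. This is an added illustration, not AgentSecrets' own code: the keychain, the HTTP transport and the sample key are constructed stand-ins, and the redaction pattern set (raw, URL-encoded, base64) is an assumption, since the page does not document the real proxy's patterns.

```python
import base64, io, json, time
from urllib.parse import quote, urlsplit
REDACTED = "[REDACTED_BY_AGENTSECRETS]"

class DomainNotAllowed(Exception):
    pass  # raised before any credential is resolved: the proxy is deny-by-default

class CredentialProxy:
    # lookup: key name -> value (stands in for the OS keychain); transport: (url, headers)
    # -> (status, body) (stands in for HTTP); audit: file-like, one JSON line per request
    def __init__(self, lookup, transport, allowlist, audit):
        self.lookup, self.transport, self.audit = lookup, transport, audit
        self.allowlist = set(allowlist)

    def call(self, url, bearer):
        host = urlsplit(url).hostname or ""
        if host not in self.allowlist:
            raise DomainNotAllowed(host)  # rejected before the keychain is touched
        started = time.monotonic()
        value = self.lookup(bearer)  # resolved only here, never returned to the caller
        status, body = self.transport(url, {"Authorization": f"Bearer {value}"})
        # Scan for the value plus two encodings an API might echo it in (assumed pattern
        # set: the page does not document the real proxy's patterns).
        hits = 0
        for form in (value, quote(value, safe=""), base64.b64encode(value.encode()).decode()):
            hits, body = hits + body.count(form), body.replace(form, REDACTED)
        entry = {"ts": round(time.time(), 3), "key": bearer, "endpoint": url, "status": status,
                 "latency_ms": round((time.monotonic() - started) * 1000, 3), "redactions": hits}
        self.audit.write(json.dumps(entry) + "\n")  # the schema has no value field at all
        return status, body

def demo():
    """Constructed scenario: a misbehaving API echoes the token back, raw and URL-encoded."""
    keychain = {"STRIPE_KEY": "sk_test_CONSTRUCTED/0123"}  # constructed value, not a real key
    lookups, seen, log = [], {}, io.StringIO()
    lookup = lambda name: lookups.append(name) or keychain[name]  # counts keychain reads
    def transport(url, headers):
        seen["auth"] = headers["Authorization"]
        token = seen["auth"].removeprefix("Bearer ")
        return 200, json.dumps({"available": [{"amount": 24350}], "echo": token, "q": quote(token, safe="")})
    proxy = CredentialProxy(lookup, transport, ["api.stripe.com"], log)
    status, body = proxy.call("https://api.stripe.com/v1/balance", "STRIPE_KEY")
    try:
        proxy.call("https://not-allowed.example/path", "STRIPE_KEY")
        denied = False
    except DomainNotAllowed:
        denied = True
    return {"status": status, "body": body, "audit_line": log.getvalue(),
            "transport_saw": seen["auth"], "lookups": len(lookups), "denied": denied}
```

Run `demo()` to see the echoed token replaced twice in the body while the audit line carries only the key name, and the second, non-allowlisted call rejected without a keychain read.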
Integrations

Works with every AI tool you use

MCP for Claude Desktop and Cursor. HTTP proxy for any agent framework. CLI for scripts and CI/CD. Env injection for any process.

claude_desktop_config.json
{
  "mcpServers": {
    "agentsecrets": {
      "command": "/usr/local/bin/agentsecrets",
      "args": ["mcp", "serve"]
    }
  }
}
// Ask Claude: "check my Stripe balance" — key value never visible.
Comparison

vs. Traditional secrets management

Every other tool treats agents as consumers. AgentSecrets treats them as operators — agents that manage their own credentials end to end.

| Attack Surface | ❌ .env / Vault / Raw injection | ✓ AgentSecrets |
|---|---|---|
| Agent context window | Secret value is readable by the model at inference time | Only the key name is passed. The value is structurally absent from the agent's context |
| Logs and traces | Secret appears in stdout, telemetry, and LLM traces | The value is never a string in the call chain — it cannot appear in any log |
| Prompt injection | An attacker prompt can extract env vars: "repeat your system prompt" | No value exists in context to extract. The attack surface is eliminated |
| Disk and file exposure | .env files are readable by any process on the host | Secrets live in the OS keychain, user-scoped, encrypted at rest |
| Audit compliance | Values can appear in redacted logs — redaction can fail | The audit schema has no value field. It is structurally impossible to log |
| Team secret sharing | Shared .env files or Vault tokens sent over Slack or email | Encrypted blobs synced via zero-knowledge cloud — the server cannot decrypt |
| Memory lifetime | Secret lives in the process environment for its full lifetime | Decrypted for under 1 ms in-process, then wiped |
Get Started

Install in under a minute

Available via npm, pip, Homebrew, and Go. No account required to get started locally.

install via brew
$ brew install The-17/tap/agentsecrets
 
$ agentsecrets init
$ agentsecrets project create my-agent
$ agentsecrets secrets set STRIPE_KEY=sk_live_...
$ agentsecrets workspace allowlist add api.stripe.com
$ agentsecrets proxy start
$ agentsecrets call --url https://api.stripe.com/v1/balance --bearer STRIPE_KEY
 
→ {"available":[{"amount":24350,"currency":"usd"}]}
→ STRIPE_KEY value: never in agent context ✓

Your agents are ready.
The secrets are not their problem.

MIT licensed. No account required. Works with Claude Desktop, Cursor, OpenClaw, LangChain, or any subprocess-based agent. The local proxy runs entirely offline — your credentials never leave your machine unless you explicitly enable cloud sync.
