The Vault Built for AI Agents
Stop embedding raw API keys in your agent code. Issue scoped, short-lived tokens. Enforce human-in-the-loop approvals. Audit every credential access — automatically.
from agentsecretstore import AgentVaultvault = AgentVault( agent_key=os.environ["ASS_AGENT_KEY"])# Scoped token — expires in 1 hourapi_key = await vault.get_secret( "production/openai/OPENAI_API_KEY")# Raw key never leaves the vaultprint("Secret retrieved — agent has scoped access")How It Works
Four steps from setup to production
Agent Secret Store slots into any agentic stack in under five minutes. No infrastructure to manage.
Store
Drop secrets into namespaced vaults — API keys, OAuth tokens, database URLs. Envelope-encrypted with per-tenant KMS keys.
Scope
Issue short-lived agent tokens with path-level access. No agent ever sees the raw secret — only a time-limited token to retrieve it.
Approve
Route sensitive secret requests through human-in-the-loop approval. Set policies per namespace, per agent, or per environment.
Audit
Every access is logged with agent identity, timestamp, IP, and approval status. Export to SIEM or compliance tools in one click.
Works with every agent framework
Your stack. Your agents. Any runtime.
Native MCP server at mcp.agentsecretstore.com/sse — drop into any MCP host config.
Features
Built security-first, agent-native
Everything your agents need to handle credentials safely in production — without compromising speed or developer ergonomics.
Scoped Short-Lived Tokens
Agents never touch raw secrets. They receive time-limited, path-scoped tokens — automatically invalidated at expiry.
Human-in-the-Loop Approval
Flag high-risk namespaces for approval. Agents pause, humans approve in Slack or dashboard, agents resume — all logged.
Forensic Audit Trail
Every access emits an immutable log entry with agent ID, token, timestamp, IP, and approval chain. Compliance-ready exports.
Security Architecture
Trust built in, not bolted on
Agent Secret Store is engineered from first principles for the threat model of autonomous agents — where a compromised credential can cascade across an entire fleet.
HSM-Backed Encryption
All keys managed in FIPS 140-2 Level 3 Hardware Security Modules via GCP Cloud KMS. Your data never exists unencrypted at rest.
Envelope Encryption
Per-tenant Key Encryption Keys (KEK) and per-secret Data Encryption Keys (DEK). AES-256-GCM everywhere. Full key isolation.
Tenant Isolation
Every query is scoped by tenant_id at the database layer. No shared state between tenants. Dedicated encryption contexts.
SOC 2 Roadmap
Audit logging, access controls, and incident response procedures are designed from day one to support SOC 2 Type II certification.
Pricing
Start free. Scale as you grow.
No credit card required to start. Usage-based pricing that grows with your agent fleet.
Starter
- 1 agent
- 10 secrets
- 1,000 API calls/mo
- MCP server access
- Community support
Growth
Popular- 25 agents
- 500 secrets
- 100,000 API calls/mo
- Approval workflows
- Audit log exports
- Email support
Enterprise
- Unlimited agents & secrets
- HSM key isolation
- SSO + SCIM
- SLA guarantee
- Dedicated support
- Custom contracts
Ready to ship?
Every agent in production deserves a vault
Join the teams building the agentic economy with credentials that never compromise. Set up your first vault in under five minutes.
MCP server · pip install agentsecretstore · npm i @agentsecretstore/sdk