Quick Start
From zero to a working secret vault in under 5 minutes.
Prerequisites
You need a free Agent Secret Store account. Sign up at agentsecretstore.com/signup — no credit card required. Your agent key will be shown on the dashboard after signup.
1. Install the SDK
Choose the SDK for your agent's runtime:
Python (async-native)

```shell
pip install agentsecretstore
```

JavaScript / TypeScript

```shell
npm install @agentsecretstore/sdk
```

Prefer HTTP? Skip the SDK and use the REST API directly. MCP users: see the MCP server guide.

2. Set your agent key
Copy your agent key from the dashboard and export it as an environment variable:
```shell
export ASS_AGENT_KEY="ass_live_your_key_here"
```

Keep this key secret
Your agent key (ASS_AGENT_KEY) is a master credential. Never commit it to source control or embed it in a container image. Store it in your CI/CD secret manager (GitHub Actions Secrets, AWS Secrets Manager, etc.) and inject it at runtime.

3. Store your first secret
Store a secret using the Python SDK or a raw curl request:
Python

store_secret.py

```python
import asyncio
from agentsecretstore import AgentVault

async def main():
    vault = AgentVault()  # reads ASS_AGENT_KEY from environment
    await vault.set_secret(
        path="production/openai/api-key",
        value="sk-proj-abc123...",
        tier="sensitive",  # standard | sensitive | critical
        description="OpenAI key for production agent",
        tags={"team": "ml", "env": "production"},
    )
    print("Secret stored!")

asyncio.run(main())
```

curl

```shell
curl -X POST https://api.agentsecretstore.com/v1/secrets \
  -H "Authorization: Bearer $ASS_AGENT_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "path": "production/openai/api-key",
    "value": "sk-proj-abc123...",
    "tier": "sensitive",
    "description": "OpenAI API key for production agent"
  }'
```

Secret paths use the format namespace/category/name. The tier controls approval requirements — see approval workflows.

4. Retrieve the secret
Read the secret back from anywhere with your agent key:
Python

retrieve.py

```python
import asyncio
from agentsecretstore import AgentVault

async def main():
    vault = AgentVault()
    secret = await vault.get_secret("production/openai/api-key")
    print(secret.value)        # "sk-proj-abc123..."
    print(secret.version)      # 1
    print(secret.accessed_at)  # 2025-01-15T10:30:00Z (logged in audit trail)

asyncio.run(main())
```

JavaScript / TypeScript

retrieve.ts

```typescript
import { AgentVault } from '@agentsecretstore/sdk';

const vault = new AgentVault(); // reads ASS_AGENT_KEY from process.env
const secret = await vault.getSecret('production/openai/api-key');
console.log(secret.value);   // "sk-proj-abc123..."
console.log(secret.version); // 1
```

5. Issue scoped tokens for your agents
Production agents shouldn't use your master key. Issue a scoped token that limits access to exactly the secrets they need:
token.py

```python
import asyncio
from agentsecretstore import AgentVault

async def main():
    vault = AgentVault()

    # Request a scoped token that only allows reading OpenAI keys
    token = await vault.request_token(
        scope="secrets:read:production/openai/*",
        ttl_seconds=3600,  # 1-hour expiry
        description="Inference agent token",
    )

    # Share this token with your agent — NOT the master key
    print(token.value)  # "ast_tok_..."
    print(token.expires_at)

# request_token is awaited, so it must run inside an event loop
asyncio.run(main())
```

Security principle
Give each agent the narrowest possible scope and the shortest TTL that still works. A token scoped to secrets:read:production/openai/* cannot read your Stripe keys, your Slack tokens, or any other namespace.
Authentication
Agent Secret Store uses two types of credentials:
Prefix: ass_live_…
Master credential for a tenant. Can read, write, and manage secrets. Store securely — never in code.
Env: ASS_AGENT_KEY
Prefix: ast_tok_…
Short-lived, least-privilege credential. Issued by your orchestrator and passed to individual agents.
Env: Provided at runtime
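
Step 2 and the credential list above both say the agent key must never live in code. The following pre-commit/CI check for that rule is an added example, not part of the Agent Secret Store SDK or its documentation; it flags the two credential prefixes listed above and reports them redacted. The key-body character set and minimum length, the placeholder allowlist, and the sample lines are assumptions constructed for illustration.

```python
import re
import sys

# Prefixes are taken from the page. The body pattern (charset, >= 8 chars) is an
# assumption: the page does not document the key format.
CREDENTIAL_RE = re.compile(r"\b(ass_live|ast_tok)_([A-Za-z0-9_\-]{8,})")
KINDS = {"ass_live": "agent key (master)", "ast_tok": "scoped token"}
# Documentation placeholders that should not fail a commit.
PLACEHOLDERS = {"ass_live_your_key_here"}

# Constructed sample input: a docs placeholder, a key baked into a Dockerfile ENV,
# a hard-coded token, a truncated doc comment, and an unrelated identifier.
SAMPLE = '''\
export ASS_AGENT_KEY="ass_live_your_key_here"
ENV ASS_AGENT_KEY=ass_live_EXAMPLEONLY0000aaaa
token = "ast_tok_EXAMPLEONLY1111bbbb"
print(token.value)  # "ast_tok_..."
subclass_live_migration_flag = True
'''


def scan_text(text, source="<text>"):
    """Return one finding per credential-shaped string, never the full value."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in CREDENTIAL_RE.finditer(line):
            if m.group(0) in PLACEHOLDERS:
                continue
            findings.append({
                "source": source,
                "line": lineno,
                "kind": KINDS[m.group(1)],
                # Prefix plus last 4 chars: enough to triage, safe for CI logs.
                "redacted": f"{m.group(1)}_***{m.group(2)[-4:]}",
            })
    return findings


if __name__ == "__main__":
    hits = []
    for path in sys.argv[1:]:
        with open(path, encoding="utf-8", errors="replace") as fh:
            hits += scan_text(fh.read(), source=path)
    if not sys.argv[1:]:  # no files given: run on the constructed sample
        hits = scan_text(SAMPLE, source="SAMPLE")
    for h in hits:
        print(f'{h["source"]}:{h["line"]}: {h["kind"]} {h["redacted"]}')
    sys.exit(1 if hits else 0)  # non-zero exit blocks the commit or CI job
```

Run it with the staged file paths as arguments; a finding for the master key means the key should be rotated, not just removed from the diff.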