# Agent Secret Store > The secure credential vault purpose-built for AI agents. Stop shipping secrets in .env files. Agent Secret Store is a hosted SaaS platform where AI agents securely store and retrieve API keys, OAuth tokens, database passwords, and other sensitive credentials. Unlike general-purpose secret managers, Agent Secret Store is designed from day one for the agentic economy. ## What It Does - **Encrypted Vault**: Store secrets with envelope encryption (AES-256-GCM + GCP KMS HSM-backed per-tenant keys) - **Scoped Tokens**: Agents receive short-lived, permission-scoped tokens instead of raw secrets - **Human-in-the-Loop**: Configurable approval workflows for sensitive credential access - **Audit Trail**: Every access logged with agent identity, timestamp, and metadata - **Secret Rotation**: Manual, scheduled, and webhook-triggered rotation ## Integration Methods ### REST API Base URL: https://api.agentsecretstore.com/v1 Authentication: Bearer token (agent API key or scoped token) Key endpoints: - POST /v1/tokens — Request a scoped token - GET /v1/secrets/{namespace}/{key} — Retrieve a secret - PUT /v1/secrets/{namespace}/{key} — Store a secret - GET /v1/secrets/{namespace} — List secrets in namespace - POST /v1/secrets/import — Bulk import from .env format - GET /v1/audit — Query audit trail - GET /v1/agents — List registered agents - POST /v1/agents — Register new agent - GET /v1/approvals — List pending approvals - POST /v1/approvals/{id}/approve — Approve a request - POST /v1/approvals/{id}/deny — Deny a request ### Python SDK pip install agentsecretstore from agentsecretstore import AgentVault vault = AgentVault(agent_key=os.environ["ASS_AGENT_KEY"]) api_key = await vault.get_secret("production/openai/OPENAI_API_KEY") ### JavaScript/TypeScript SDK npm install @agentsecretstore/sdk import { AgentVault } from '@agentsecretstore/sdk'; const vault = new AgentVault({ agentKey: process.env.ASS_AGENT_KEY }); const apiKey = await vault.getSecret('production/openai/OPENAI_API_KEY'); ### MCP Server (Model Context Protocol) Endpoint: https://mcp.agentsecretstore.com/sse MCP config: { "mcpServers": { "agent-secret-store": { "url": "https://mcp.agentsecretstore.com/sse", "env": { "ASS_AGENT_KEY": "your-agent-key" } } } } MCP tools available: - get_secret(namespace, key) — Retrieve a secret value - set_secret(namespace, key, value, options) — Store a secret - list_secrets(namespace) — List secrets in namespace - rotate_secret(namespace, key) — Trigger rotation - request_approval(agent_id, secret_ids, reason) — Request human approval - check_approval_status(approval_id) — Check approval status ### OpenClaw SKILL.md Load the skill: https://agentsecretstore.com/.well-known/skill.md Or read: https://agentsecretstore.com/docs/sdks/openclaw ## Authentication Agents authenticate with an Agent API Key (issued on registration). This key is used to request short-lived scoped tokens: POST /v1/tokens Authorization: Bearer {agent_api_key} { "scopes": ["secrets:read:production/openai/*"], "ttl": "1h", "reason": "Fetching API key for inference task" } Response: { "token": "sst_...", "expires_at": "...", "scopes": [...] } Use the returned token to access secrets: GET /v1/secrets/production/openai/OPENAI_API_KEY Authorization: Bearer {scoped_token} ## Pricing - Starter: $20/month — 50 secrets, 5 agents, 7-day audit retention - Pro: $49/month — 500 secrets, 25 agents, 90-day audit retention - Enterprise: $99/month — Unlimited secrets and agents, 1-year audit retention Sign up at: https://agentsecretstore.com/signup ## Documentation - Getting Started: https://agentsecretstore.com/docs/getting-started - REST API Reference: https://agentsecretstore.com/docs/sdks/rest-api - Python SDK: https://agentsecretstore.com/docs/sdks/python - JavaScript SDK: https://agentsecretstore.com/docs/sdks/javascript - MCP Server: https://agentsecretstore.com/docs/sdks/mcp - OpenClaw Integration: https://agentsecretstore.com/docs/sdks/openclaw - Migrate from .env: https://agentsecretstore.com/docs/guides/env-migration - Security Architecture: https://agentsecretstore.com/docs/security/architecture - LangChain Guide: https://agentsecretstore.com/docs/guides/langchain - CrewAI Guide: https://agentsecretstore.com/docs/guides/crewai ## Agent Quick Start 1. Register at https://agentsecretstore.com/signup and choose a plan 2. Create your vault namespace (e.g., "production") 3. Store your first secret: curl -X PUT https://api.agentsecretstore.com/v1/secrets/production/openai/OPENAI_API_KEY \ -H "Authorization: Bearer YOUR_AGENT_KEY" \ -d '{"value": "sk-...", "secret_type": "api_key", "access_tier": "standard"}' 4. Install SDK: pip install agentsecretstore 5. Retrieve in your agent: api_key = await vault.get_secret("production/openai/OPENAI_API_KEY") ## Security - Envelope encryption: AES-256-GCM per secret, GCP KMS HSM-backed per-tenant KEKs - FIPS 140-2 Level 3 hardware security modules - TLS 1.3 for all transport - Tenant isolation: every query scoped by tenant_id at the database level - Scoped tokens: agents only access namespaces they're explicitly allowed - Audit trail: immutable log of every access event - Human-in-the-loop: configurable approval workflows for sensitive secrets ## Company Agent Secret Store is a product of One Frequency Inc., built by the MoltbotDen team. Website: https://agentsecretstore.com Contact: support@agentsecretstore.com