
Agentsecrets

Zero-knowledge secrets infrastructure built for AI agents to operate, not just consume.

Install / Use: /learn @The-17/Agentsecrets

Quality Score: 0/100
Category: Operations
Supported Platforms: Universal

README

AgentSecrets

Zero-knowledge AI Agent Secrets Management: secure API keys for AI agents without exposing credential values at runtime. Store, sync, inject, audit, and build on top of credentials your agents can use but never see.

License: MIT

Website | Docs | Engineering Blog


AgentSecrets is the complete secrets management and credential infrastructure for the AI agent era. It covers secrets storage, zero-knowledge cloud sync, environment management, team workspaces, agent identity, audit logging, transport-layer credential injection, and an SDK for building on top, all without a credential value ever entering agent context. The agent sees only the API response. At no step does the agent hold, see, or have access to the actual credential value. The zero-knowledge guarantee is architectural, not policy-based: it is built into how the system works at every layer.




Package rename notice: the agentsecrets PyPI package is now the AgentSecrets SDK, for developers building tools and agents on AgentSecrets infrastructure. The CLI wrapper is now agentsecrets-cli. The agentsecrets command itself is unchanged.


The Critical Difference

There are two fundamentally different approaches to secrets management for AI agents.

Runtime retrieval (the common pattern)

The agent fetches or leases a credential at runtime. The value enters agent memory.

export TOKEN=$(secrets lease github_token)
# The agent now holds the raw token value in memory

Once the value enters agent context, it can be extracted via prompt injection, exposed in logs or traces, and accessed by tools, plugins, or any dependency running in the same process.

Zero-knowledge injection (AgentSecrets)

The agent references a key name. The value is resolved outside the agent and injected at the transport layer.

agentsecrets call --bearer GITHUB_TOKEN
# The agent referenced a name. It never received a value.

If a system gives an AI agent access to a credential value, it must accept that the value can be leaked. AgentSecrets removes that exposure at the root: the agent never has a value to leak.


Why the Architecture Matters

Most approaches to AI agent credential security follow the same pattern: store secrets securely, then retrieve and inject them at runtime.

Secure store → agent retrieves sk_live_51H... → value enters agent memory
                                               → prompt injection can reach it
                                               → malicious plugin can read it
                                               → CVE exposes it
                                               → LLM trace captures it

Whether the store is a .env file, HashiCorp Vault, AWS Secrets Manager, or a leasing system, if the agent retrieves the value, the value is in agent context. That is the moment of exposure.

AgentSecrets eliminates that moment entirely.

OS keychain → proxy resolves in memory → value injected at transport layer
                                       → agent receives API response only
                                       → value never entered agent context
                                       → nothing to steal, log, or extract

The agent never retrieves the value. It cannot be prompted to reveal it, it cannot land in the agent's logs or traces, and a malicious plugin or a vulnerable dependency in the agent process finds nothing to read: the value is structurally absent from every place an attack on the agent would look. The plaintext still exists in two places, the OS keychain and the proxy's memory, so the proxy is the trust boundary. That is why its domain allowlist and session token authentication matter: a proxy that would send a credential to any host the agent names could be steered to an attacker's host by the same prompt injection.


What AgentSecrets Is

Credential proxy: six auth injection styles, domain allowlist enforcement, response body redaction, SSRF protection, session token authentication.

Zero-knowledge cloud sync: X25519 key exchange, AES-256-GCM encryption, Argon2id key derivation. The server stores ciphertext it structurally cannot decrypt. The workspace key lives in the OS keychain and never reaches the server.

Environment support: development, staging, and production as first-class concepts. One command switches the active environment. The proxy resolves the right credentials automatically. Cross-environment diff shows coverage gaps.

Team workspaces: secrets are encrypted client-side before upload. New developers onboard by pulling from the workspace. No .env files shared over Slack, no credential spreadsheets, no production keys pasted into DMs.

Agent identity: three levels: anonymous, declared, and cryptographically issued. Every proxy call is logged against the agent that made it. Tokens can be revoked per agent without touching anything else.

Governance audit log: every call logged with key name, endpoint, environment, agent identity, status, and the domain allowlist state at the exact moment of execution. No value field exists in the schema.

SDK: build tools, MCP servers, and AI agents where credential values never enter your code or the code of anyone using what you build.

MCP integration: first-class MCP server for Claude Desktop and Cursor. No credential values in any config file.

Environment variable injection: agentsecrets env -- <command> wraps any process and injects secrets from the OS keychain into its environment at spawn time. Nothing is written to disk. Note that, unlike the proxy path, this mode does place values in the wrapped process's memory, where anything running in that process can read them.
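The sync model listed above (secrets encrypted client-side with AES-256-GCM under a workspace key that stays in the keychain, and X25519 used to hand that key to a newly invited member so the server only ever relays ciphertext) as a worked example. This is added illustration code, not the AgentSecrets implementation or wire format. It uses only the Go standard library, so Argon2id is not reproduced: a SHA-256 construction over the X25519 shared secret stands in as the key-encryption KDF, as the comment says. The function names, the "workspace-key" label, and the sample value sk_live_example are assumptions.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// NewWorkspaceKey makes the 256-bit key kept in each member's OS keychain; it is never uploaded.
func NewWorkspaceKey() ([]byte, error) {
	k := make([]byte, 32)
	_, err := rand.Read(k)
	return k, err
}

func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts one secret with AES-256-GCM under the workspace key. The key name is bound as
// associated data so the server cannot re-file a ciphertext under another name. Output: nonce||ct||tag.
func Seal(wk []byte, name string, value []byte) ([]byte, error) {
	gcm, err := gcmFor(wk)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, value, []byte(name)), nil
}

// Open is the pull side: decrypt a blob fetched from the server.
func Open(wk []byte, name string, blob []byte) ([]byte, error) {
	gcm, err := gcmFor(wk)
	if err != nil {
		return nil, err
	}
	n := gcm.NonceSize()
	if len(blob) < n {
		return nil, errors.New("blob too short")
	}
	return gcm.Open(nil, blob[:n], blob[n:], []byte(name))
}

// kek derives a key-encryption key from an X25519 shared secret. SHA-256 over a label and both
// public keys is this example's stand-in KDF; the product describes Argon2id, not in the stdlib.
func kek(shared, ephPub, memberPub []byte) []byte {
	h := sha256.New()
	h.Write([]byte("example-workspace-key-wrap-v1"))
	h.Write(shared)
	h.Write(ephPub)
	h.Write(memberPub)
	return h.Sum(nil)
}

// WrapForMember hands the workspace key to an invitee through the server without the server
// learning it: an ephemeral X25519 key agrees a secret with the invitee's public key.
func WrapForMember(wk []byte, memberPub *ecdh.PublicKey) (ephPub, wrapped []byte, err error) {
	eph, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	shared, err := eph.ECDH(memberPub)
	if err != nil {
		return nil, nil, err
	}
	ephPub = eph.PublicKey().Bytes()
	wrapped, err = Seal(kek(shared, ephPub, memberPub.Bytes()), "workspace-key", wk)
	return ephPub, wrapped, err
}

// Unwrap runs on the invitee's machine on first pull; the result goes into their keychain.
func Unwrap(memberPriv *ecdh.PrivateKey, ephPub, wrapped []byte) ([]byte, error) {
	pub, err := ecdh.X25519().NewPublicKey(ephPub)
	if err != nil {
		return nil, err
	}
	shared, err := memberPriv.ECDH(pub)
	if err != nil {
		return nil, err
	}
	return Open(kek(shared, ephPub, memberPriv.PublicKey().Bytes()), "workspace-key", wrapped)
}

func main() {
	wk, _ := NewWorkspaceKey()
	invitee, _ := ecdh.X25519().GenerateKey(rand.Reader)
	ephPub, wrapped, _ := WrapForMember(wk, invitee.PublicKey())
	got, _ := Unwrap(invitee, ephPub, wrapped)
	fmt.Println("invitee recovered workspace key:", bytes.Equal(got, wk))
}
```

Binding the key name as associated data is the detail worth copying: without it a server that cannot read any value can still swap the ciphertext stored under OPENAI_KEY into the STRIPE_KEY slot, and the client would decrypt it happily.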


Installation

# Homebrew (macOS / Linux)
brew install The-17/tap/agentsecrets

# npm
npm install -g @the-17/agentsecrets

# pip
pip install agentsecrets-cli

# Go
go install github.com/The-17/agentsecrets/cmd/agentsecrets@latest

Quick Start

agentsecrets init

agentsecrets project create my-agent

agentsecrets secrets set STRIPE_KEY=sk_live_51H...
agentsecrets secrets set OPENAI_KEY=sk-proj-...

agentsecrets workspace allowlist add api.stripe.com api.openai.com

agentsecrets mcp install        # Claude Desktop + Cursor
agentsecrets proxy start        # any agent via HTTP proxy

The Agent Workflow

This is what AgentSecrets looks like when an AI agent operates the full credentials lifecycle autonomously.

agentsecrets status
# Workspace:    Acme Engineering
# Project:      payments-service
# Environment:  production
# Last pull:    2 minutes ago

agentsecrets secrets diff
# OUT OF SYNC: STRIPE_KEY (remote is newer)

agentsecrets secrets pull
# Synced 1 secret from cloud to OS keychain

agentsecrets call \
  --url https://api.stripe.com/v1/balance \
  --bearer STRIPE_KEY
# {"object":"balance","available":[{"amount":420000,"currency":"usd"}]}

agentsecrets proxy logs --last 5
# 14:23:01  GET  api.stripe.com/v1/balance  STRIPE_KEY  200  245ms

The agent managed the complete workflow. No credential value appeared at any step. The audit log has no value field because there was no value to log.


Environments

Every project has three built-in environments. One command switches the active context. The proxy, push, pull, and diff commands all respect the active environment automatically.

agentsecrets environment switch production

agentsecrets environment list
#   development   12 secrets
#   staging        8 secrets
#   production    12 secrets   ← active

agentsecrets secrets diff --from development --to production
# In development but missing in production:
#   OPENAI_KEY
#   DATABASE_URL

agentsecrets environment merge staging production
# Prompts for production values for each staging key

Team Workspaces

agentsecrets workspace create "The Seventeen Engineering"
agentsecrets workspace invite alice@theseventeen.co
agentsecrets workspace invite bob@theseventeen.co

agentsecrets project create payments-service
agentsecrets project create auth-service

New developer onboards:

agentsecrets login
agentsecrets workspace switch "The Seventeen Engineering"
agentsecrets project use payments-service
agentsecrets secrets pull
# Ready. No credential sharing. No .env files sent over Slack.

Agent Identity

# Declared identity
client = AgentSecrets(agent_id="billing-processor")

# Issued identity, cryptographically verified on every call
agentsecrets agent token issue "billing-processor"
# → agt_ws01hxyz_4kR9mNpQ...
client = AgentSecrets(agent_token="agt_ws01hxyz_...")

# Audit by agent
agentsecrets log list --agent billing-processor
agentsecrets log list --identity anonymous   # find coverage gaps
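How the three identity levels, per-agent revocation, and the anonymous coverage-gap query above can be implemented, as an added example. This is not the AgentSecrets code: the hashed-random-token scheme, the agt_<workspace>_<random> layout, and the workspace id ws01hxyz are assumptions drawn from the token shown above. The one design rule it enforces is that a malformed, foreign, or revoked token is rejected outright rather than silently downgraded to anonymous.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

// Level is the identity strength attached to one proxy call.
type Level string

const (
	Anonymous Level = "anonymous" // nothing supplied
	Declared  Level = "declared"  // agent_id supplied, unverified
	Issued    Level = "issued"    // workspace-issued token, verified
)

type Identity struct {
	Level Level
	Agent string
}

// Registry is the issuing side. Only sha256(token) is stored, so a copy of the
// registry yields no usable tokens; the hash doubles as the lookup key.
type Registry struct {
	workspace string
	byHash    map[string]string // sha256(token) hex -> agent id
}

func NewRegistry(workspace string) *Registry {
	return &Registry{workspace: workspace, byHash: map[string]string{}}
}

func hashToken(tok string) string {
	sum := sha256.Sum256([]byte(tok))
	return hex.EncodeToString(sum[:])
}

// Issue mints agt_<workspace>_<random>. The token is returned once and never stored in clear.
func (r *Registry) Issue(agent string) (string, error) {
	raw := make([]byte, 24)
	if _, err := rand.Read(raw); err != nil {
		return "", err
	}
	tok := "agt_" + r.workspace + "_" + base64.RawURLEncoding.EncodeToString(raw)
	r.byHash[hashToken(tok)] = agent
	return tok, nil
}

// Revoke invalidates every token held by one agent and touches nothing else.
func (r *Registry) Revoke(agent string) int {
	n := 0
	for h, a := range r.byHash {
		if a == agent {
			delete(r.byHash, h)
			n++
		}
	}
	return n
}

// Verify resolves the identity for one call. No token degrades to declared or
// anonymous; a bad token is an error, never a silent downgrade.
func (r *Registry) Verify(token, declared string) (Identity, error) {
	if token == "" {
		if declared == "" {
			return Identity{Level: Anonymous}, nil
		}
		return Identity{Level: Declared, Agent: declared}, nil
	}
	parts := strings.SplitN(token, "_", 3)
	if len(parts) != 3 || parts[0] != "agt" || parts[1] != r.workspace {
		return Identity{}, errors.New("malformed or foreign token")
	}
	agent, ok := r.byHash[hashToken(token)]
	if !ok {
		return Identity{}, errors.New("token unknown or revoked")
	}
	return Identity{Level: Issued, Agent: agent}, nil
}

// LogEntry mirrors the audit record: key name, endpoint, environment, identity,
// status. There is no value field.
type LogEntry struct {
	Key, Endpoint, Env string
	Identity           Identity
	Status             int
}

// Gaps answers "log list --identity anonymous": calls nobody is accountable for.
func Gaps(entries []LogEntry) []LogEntry {
	var out []LogEntry
	for _, e := range entries {
		if e.Identity.Level == Anonymous {
			out = append(out, e)
		}
	}
	return out
}

func main() {
	reg := NewRegistry("ws01hxyz") // assumed workspace id from the token shown above
	tok, _ := reg.Issue("billing-processor")
	id, err := reg.Verify(tok, "")
	fmt.Println(id, err)
	reg.Revoke("billing-processor")
	_, err = reg.Verify(tok, "")
	fmt.Println(err)
}
```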

6 Auth Injection Styles

# Bearer token
agentsecrets call --url https://api.stripe.com/v1/balance --bearer STRIPE_KEY

# Custom header
agentsecrets call --url https://api.sendgrid.com/v3/mail/send \
  --header X-Api-Key=SENDGRID_KEY

# Query parameter
agentsecrets call \
  --url "https://maps.googleapis.com/maps/api/geocode/json?address=Lagos" \
  --query key=GOOGLE_MAPS_KEY

# Basic auth
agentsecrets call --url https://jira.exampl
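The transport-layer injection described under The Critical Difference, together with the domain allowlist, response-body redaction and value-free audit entry from the feature list, for the four injection styles shown above. This is an added example written against net/http only; it is not the AgentSecrets proxy, and its types, the constructed store, and the sample value sk_live_example are assumptions. Two details are the ones a reviewer would check: the allowlist is tested before the value is looked up, and it is re-applied on every redirect hop, because net/http drops Authorization on a cross-host redirect but forwards custom headers such as X-Api-Key.

```go
package main

import (
	"bytes"
	"errors"
	"fmt"
	"io"
	"net/http"
	"net/url"
)

// Style says where the resolved value goes. Four of the six listed styles are implemented.
type Style string

const (
	Bearer Style = "bearer" // Authorization: Bearer <value>
	Header Style = "header" // <Param>: <value>
	Query  Style = "query"  // ?<Param>=<value>
	Basic  Style = "basic"  // Authorization: Basic base64(<Param>:<value>)
)

// CallRequest is everything the agent supplies. It carries a key name, never a value.
type CallRequest struct {
	Method, URL string
	Style       Style
	KeyName     string
	Param       string // header name, query parameter name, or basic-auth username
}

// AuditEntry has no value field, so there is nothing a log could leak.
type AuditEntry struct {
	Key, Host, Path string
	Status          int
}

// Proxy is the one component that holds plaintext values.
type Proxy struct {
	store   map[string]string // key name -> value; stand-in for the OS keychain
	allowed map[string]bool   // exact hostnames the agent may target
	client  *http.Client
}

func NewProxy(store map[string]string, hosts []string, client *http.Client) *Proxy {
	p := &Proxy{store: store, allowed: map[string]bool{}, client: client}
	for _, h := range hosts {
		p.allowed[h] = true
	}
	// Enforce the allowlist on every hop: a 3xx from an allowed host to an
	// unlisted one would otherwise carry custom headers along with it.
	client.CheckRedirect = func(req *http.Request, via []*http.Request) error {
		if !p.permitted(req.URL) {
			return fmt.Errorf("redirect to %q refused", req.URL.Host)
		}
		return nil
	}
	return p
}

func (p *Proxy) permitted(u *url.URL) bool {
	return u.Scheme == "https" && p.allowed[u.Hostname()]
}

// Call resolves the named credential, injects it, sends the request, and hands
// back only the redacted body plus an audit entry.
func (p *Proxy) Call(cr CallRequest) ([]byte, AuditEntry, error) {
	none := AuditEntry{}
	u, err := url.Parse(cr.URL)
	if err != nil {
		return nil, none, err
	}
	// Allowlist before lookup: a prompt-injected URL never gets a credential attached.
	if !p.permitted(u) {
		return nil, none, fmt.Errorf("host %q not in allowlist", u.Hostname())
	}
	val, ok := p.store[cr.KeyName]
	if !ok || val == "" {
		return nil, none, fmt.Errorf("unknown key %q", cr.KeyName)
	}
	req, err := http.NewRequest(cr.Method, cr.URL, nil)
	if err != nil {
		return nil, none, err
	}
	switch cr.Style {
	case Bearer:
		req.Header.Set("Authorization", "Bearer "+val)
	case Header:
		req.Header.Set(cr.Param, val)
	case Query:
		q := req.URL.Query()
		q.Set(cr.Param, val)
		req.URL.RawQuery = q.Encode()
	case Basic:
		req.SetBasicAuth(cr.Param, val)
	default:
		return nil, none, errors.New("unsupported injection style")
	}
	resp, err := p.client.Do(req)
	if err != nil {
		return nil, none, err
	}
	defer resp.Body.Close()
	body, err := io.ReadAll(resp.Body)
	if err != nil {
		return nil, none, err
	}
	// Redaction: an upstream that echoes the credential (error pages do) still never shows it.
	body = bytes.ReplaceAll(body, []byte(val), []byte("[REDACTED:"+cr.KeyName+"]"))
	return body, AuditEntry{Key: cr.KeyName, Host: u.Hostname(), Path: u.Path, Status: resp.StatusCode}, nil
}

func main() {
	p := NewProxy(map[string]string{"STRIPE_KEY": "sk_live_example"}, []string{"api.stripe.com"}, &http.Client{})
	_, _, err := p.Call(CallRequest{Method: "GET", URL: "https://evil.example/", Style: Bearer, KeyName: "STRIPE_KEY"})
	fmt.Println(err) // refused before any network activity or key lookup
}
```

The redaction step is a string match on the exact value, which is what a proxy can do cheaply; it does not protect against an upstream that returns the credential transformed (base64, split across fields), so the allowlist, not redaction, is the control that bounds where a value can travel.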
GitHub stars: 88
Forks: 11
Updated: 5h ago

Languages: Go

Security Score: 100/100 (audited on Apr 10, 2026; no findings)