●Documentation — v1

Agent Secret Store

The secure credential vault purpose-built for AI agents. Store API keys, tokens, and secrets — then issue scoped, short-lived access tokens to your agents instead of raw credentials.

Get started Create free account →

Zero to vault in 30 seconds

quickstart.py

from agentsecretstore import AgentVault

vault = AgentVault(agent_key="your-agent-key")

# Store a secret
await vault.set_secret("production/openai/api-key", "sk-...")

# Retrieve it later
secret = await vault.get_secret("production/openai/api-key")
print(secret.value)  # "sk-..."

What just happened?

Your secret was encrypted with AES-256-GCM using a per-secret data encryption key (DEK), then the DEK was wrapped by a per-tenant key encryption key (KEK) stored in GCP KMS. Your raw secret never leaves your trust boundary unencrypted.

Explore the docs

⚡

Quick Start

Store and retrieve your first secret in under 2 minutes.

Read quickstart →

🔑

Scoped Tokens

Issue short-lived, least-privilege tokens instead of raw credentials.

Learn tokens →

🔒

Encryption

GCP KMS HSM-backed envelope encryption with per-tenant key hierarchies.

Explore security →

✅

Approval Workflows

Human-in-the-loop gates for sensitive and critical credentials.

Configure approvals →

🐍

Python SDK

Async-native Python client with full type hints and sync wrapper.

Python reference →

🌐

JavaScript SDK

TypeScript-first SDK for Node.js and browser environments.

JS reference →

🔌

MCP Server

Use the vault from Claude, Cursor, or any MCP-compatible client.

MCP setup →

📡

REST API

Full HTTP API reference — integrate from any language or tool.

API reference →

Why not just use .env files?

Problem with .env	Agent Secret Store solution
✗Secrets baked into container images / VMs	✓Secrets fetched at runtime, never stored in code
✗No access control — any code reads all secrets	✓Scoped tokens limit each agent to exactly what it needs
✗No visibility into who accessed what	✓Every access logged in immutable audit trail
✗Secret rotation requires redeployment	✓Rotate a secret; all future tokens get the new value automatically
✗No human oversight for critical credentials	✓Approval workflows gate access to sensitive secrets
✗Plaintext at rest if disk is compromised	✓AES-256-GCM + KMS envelope encryption

Integration guides

Migrate from .env

Bulk-import your existing .env files and update agent code.

LangChain

Fetch secrets inside your LangChain tools and agents.

CrewAI

Integrate the vault into CrewAI agent tasks.

OpenClaw Skill

Native skill for OpenClaw agents — zero-config secret access.