MCP-native · Local-first · Audited

Your agent asks.
AgenticVault injects.
It never sees the value.

The secrets gateway built for AI coding agents. Policy-enforced injection into HTTP calls and subprocesses, encrypted audit trail, zero plaintext exposure to the model — ever.

AES-256-GCM + Argon2id · MCP over stdio · OS keychain bound · Policy-enforced · 314 tests · TypeScript strict · Encrypted audit at rest

Your agent needs your keys.
Your keys shouldn't need your agent.

Every team shipping with Claude Code, Cursor, or Cline hits the same three walls — and most never fully close them.

01

Raw values reach the model

Reading .env, dumping process.env, or asking "paste your token" puts plaintext in the model's context. That context gets logged, replayed, and, with many providers, retained.

02

No guardrails on actions

An agent with your Stripe key can charge anything. With your AWS key it can spin up anything. With your shell env it can run anything. There's nothing between "agent decided" and "action happened."

03

No forensics after the fact

When something goes wrong you get "the model said it deployed" — not a signed, encrypted record of exactly which request, which injection, which response. You can't review what you can't see.

Existing secret managers (Doppler, 1Password, HashiCorp) hand raw values to whoever asks.
There's no layer between agent and secret.

Built for the post-agent reality.

13 features shipped. Every line guarded by 314 tests. Every secret path audited end-to-end.

01

Zero-plaintext injection

Agents call http_request, run_command, or list_secrets — and only ever see names and redaction markers, never values.

02

Encrypted vault

AES-256-GCM with Argon2id KDF. Master key held in OS keychain (macOS, libsecret, Windows) with headless fallback.

03

Policy engine

Host allowlist, command+args regex allowlist, forbidden-env-var list, per-secret token-bucket rate limiter.

04

Encrypted audit trail

Every request / response body encrypted at rest. Defense-in-depth scrub at persist and at render. Crash-safe pruning.

05

Forensic detail view

CLI and local UI show full req/res, injected secrets, policy decision, timing, rate-limit state — per entry.

06

Scoped vaults

Global + per-project override, gitignore-aware discovery. One binary, zero cloud, no telemetry.

Three steps. No model gets near a raw value.

01 · AGENT

Requests an action

Claude, Cursor, Cline — any MCP client calls http_request with a secret name.

02 · VAULT

Enforces + injects

Policy check, rate-limit, unlock via keychain, token written into the outbound call.

03 · AUDIT

Captures + scrubs

Encrypted body store, scrub-at-persist and scrub-at-render, forensic detail view.
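
The three steps above as a small Node example, added here for illustration and not AgenticVault's own code: the agent passes only a secret name, the gateway checks a host allowlist and a token bucket, injects the value, and scrubs the response before it is logged or returned. Every identifier, the sample token, and the in-memory stores are assumptions; encryption of the audit store and the keychain unlock are left out.

```javascript
// Added example; every name here is hypothetical, not AgenticVault's API.
const vault = new Map([["CLOUDFLARE_API_TOKEN", "cf_test_CONSTRUCTED_VALUE"]]); // constructed value
const policy = { // per-secret rule: host allowlist plus token-bucket parameters
  CLOUDFLARE_API_TOKEN: { hosts: ["api.cloudflare.com"], capacity: 2, refillPerSec: 1 },
};
const buckets = new Map();
const auditLog = []; // kept in memory here; encryption at rest is left out

// Token bucket: refill by elapsed time, then spend one token per allowed call.
function takeToken(name, rule, nowMs) {
  const b = buckets.get(name) ?? { tokens: rule.capacity, last: nowMs };
  b.tokens = Math.min(rule.capacity, b.tokens + ((nowMs - b.last) / 1000) * rule.refillPerSec);
  b.last = nowMs;
  buckets.set(name, b);
  if (b.tokens < 1) return false;
  b.tokens -= 1;
  return true;
}

// Replace every occurrence of the secret value with its redaction marker.
function scrub(text, name) {
  return String(text).split(vault.get(name)).join(`[REDACTED:${name}]`);
}

// transport(url, headers) stands in for the HTTP client so the example runs offline.
function mediatedRequest(url, secretName, transport, nowMs = Date.now()) {
  const record = (decision, body = "") => {
    const entry = { id: `req_${auditLog.length + 1}`, url, secret: secretName, decision, body };
    auditLog.push(entry);
    return { id: entry.id, decision, body }; // all the agent ever receives
  };
  const rule = policy[secretName];
  if (!rule || !vault.has(secretName)) return record("denied:unknown-secret");
  let target;
  try { target = new URL(url); } catch { return record("denied:bad-url"); }
  // Compare the parsed hostname exactly; requiring https is an assumption of this example.
  if (target.protocol !== "https:" || !rule.hosts.includes(target.hostname)) return record("denied:host");
  if (!takeToken(secretName, rule, nowMs)) return record("denied:rate-limit");
  const raw = transport(url, { Authorization: `Bearer ${vault.get(secretName)}` });
  return record("allowed", scrub(raw, secretName)); // scrub before persisting or returning
}
```

Matching on the parsed hostname rather than a substring of the URL means a target such as `https://api.cloudflare.com@evil.example/` is denied, and scrubbing the response covers upstreams that echo the Authorization header back.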

Same agent. Same task.
One leaks. One doesn't.

Both terminals run the exact same prompt: "fetch my Cloudflare zones." Watch what ends up in the agent's context.

Without AgenticVault
agent.log · leaked
>user: fetch my cloudflare zones
>agent: reading ./.env
>agent: CLOUDFLARE_API_TOKEN=cf_live_7fJkQp9Ar3xNv2
>agent: curl -H "Authorization: Bearer cf_live_7fJkQp9Ar3xNv2"
>— token now in model context, logs, training pipeline —
! SECRET LEAKED · visible in agent memory forever
! NO AUDIT · no record, no forensics
With AgenticVault
agent.log · mediated
>user: fetch my cloudflare zones
>agent: mcp_http_request(url, CLOUDFLARE_API_TOKEN)
>[vault] policy ✓ · rate-limit ✓ · inject Bearer [REDACTED:CLOUDFLARE_API_TOKEN]
>[audit] req_8a3f allowed · 142ms · body encrypted
>agent: got 12 zones. value never entered context.
ZERO PLAINTEXT · in logs · in memory · at rest
FULL AUDIT · replay via `audit show req_8a3f`

See AgenticVault running live — with Codex as the agent.

Codex asks for a Cloudflare API token, AgenticVault mediates the request, the secret never enters Codex's context, and every call lands in the encrypted audit log you can replay on the CLI or the local UI.

Plug it into your agent in under a minute.

One binary. One command. Your agents get secrets through a policy-enforced gateway from day one — no cloud, no accounts, no telemetry.

One-command install — no Docker, no cloud setup
Works with Claude Code, Cursor, Cline, Codex, Zed — any MCP client
OS keychain bound (macOS, libsecret, Windows)
Encrypted vault + audit out of the box, AES-256-GCM
Scoped vaults — global defaults + per-project overrides
Local forensic UI on 127.0.0.1, no exposure
Per-secret policy engine + token-bucket rate limits
Forbidden env-var guardrails (PATH, LD_PRELOAD, …)
Zero telemetry, zero outbound calls — local-only by design
npm · macOS · Linux · Windows · Node 20+