Vault — your secrets are yours.
AES-256-GCM with HKDF-derived per-project keys. Versioned, audit-logged, and gated by an agent_ids access policy. Store provider keys here; call them from /v1/execute when you need them.
We are infrastructure, not a paid-API reseller. Your provider keys never get proxied through us; they round-trip through your sandboxed code.
Model
- Per-project key. A master key per project, never persisted in plaintext — derived on-demand via HKDF from the project's seed and current epoch.
- Versioned secrets. Every PUT creates a new version. Previous versions stay readable until explicitly deleted.
- Access policy. Each secret carries agent_ids — only listed identities can read its current value. Audit log records every access.
- No plaintext on disk. Secrets are encrypted at rest with the project key; encryption keys live in memory only.
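An added example (not the service's own code) of how a per-project, per-epoch AES-256 key can be re-derived on demand with HKDF instead of being stored. The page does not specify the salt or info layout, so the label, the `project_id` binding, the length-prefixed encoding and the sample seed are assumptions.

```python
import hashlib
import hmac
import struct

HASH_LEN = hashlib.sha256().digest_size  # 32 bytes

def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """RFC 5869 step 1: condense the seed into a pseudorandom key (PRK)."""
    return hmac.new(salt or b"\x00" * HASH_LEN, ikm, hashlib.sha256).digest()

def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """RFC 5869 step 2: expand the PRK into `length` bytes bound to `info`."""
    if not 0 < length <= 255 * HASH_LEN:
        raise ValueError("invalid HKDF output length")
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]

def key_info(project_id: str, epoch: int) -> bytes:
    """Context string (assumed layout): label | len(id) | id | epoch.
    The length prefix and fixed-width epoch keep distinct inputs from colliding."""
    if epoch < 0:
        raise ValueError("epoch must be non-negative")
    pid = project_id.encode("utf-8")
    label = b"example-vault/aes-256-gcm/v1"  # hypothetical purpose label
    return label + struct.pack(">H", len(pid)) + pid + struct.pack(">Q", epoch)

def derive_project_key(seed: bytes, project_id: str, epoch: int) -> bytes:
    """Re-derive the 32-byte AES-256-GCM key on demand; nothing is stored."""
    if len(seed) < 32:
        raise ValueError("seed must hold at least 256 bits of entropy")
    return hkdf_expand(hkdf_extract(b"", seed), key_info(project_id, epoch), 32)

if __name__ == "__main__":
    seed = bytes(range(32))  # constructed sample seed; a real seed must be random
    current = derive_project_key(seed, "proj-a", 7)
    rotated = derive_project_key(seed, "proj-a", 8)  # epoch bump yields a new key
    print(current.hex(), rotated.hex(), current != rotated)
```

Because the derivation is deterministic, losing the seed means losing every key for every epoch, and anything encrypted under an old epoch stays readable only while that epoch number is still known.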
Endpoints
Store or update a secret. Each PUT increments the version. Subsequent GETs return the latest unless ?version= is specified.
| Field | Type | Description |
|---|---|---|
| value (required) | string | The plaintext secret. Encrypted server-side before write. |
| tags (optional) | string[] | Searchable tags — e.g. ["openai", "production"]. |
| description (optional) | string | Human-readable note. Surfaces in the wake's you_keep. |
| agent_ids (optional) | uuid[] | Identities allowed to read. Empty = all project identities. |
| rotation_due_at (optional) | timestamptz | Optional rotation reminder. Surfaces in the wake. |
```bash
curl -X PUT https://api.agenttool.dev/v1/vault/openai-key \
  -H "Authorization: Bearer $AT_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "value": "sk-...",
    "tags": ["openai", "production"],
    "description": "OpenAI API key for embeddings"
  }'
```
Read a secret. Returns the current version unless ?version=N is passed. Each read appends to the audit log.
List secret names + metadata only. Values are never returned by list. Filter by tag.
Delete the secret entirely (all versions). Soft-delete; row is preserved for audit but values are zeroed.
List all versions of a secret with their write timestamps. Pair with GET ?version=N for rollback.
Tamper-evident access log: who read, when, from which agent_id, success or denial.
Update the access policy without rotating the value. Set agent_ids to restrict reads to specific identities.
Bulk operations
Atomic multi-secret write. Use for migrations and provisioning.
Vault + execute = no proxy needed
The intended pattern: store a provider key in vault; in your tool code, fetch the key from vault, call the provider directly, return only the result.
```python
# Inside /v1/execute sandbox
key = vault_read("openai-key")
embedding = openai.embed(query, key=key)
# Then store the agent's memory using the embedding
at.memory.store(content, embedding=embedding)
```
We never see the provider traffic. The privacy boundary is yours to draw.
What to read next
- /v1/execute — sandboxed runtime where you fetch+use vault secrets.
- Memory: bring your own embeddings — vault holds the key for the embedding provider.