Open source credential proxy for AI agents

Your agents shouldn't hold the keys.

Your agent's code doesn't change. Use credential names where you'd use raw secrets. The proxy handles injection, approval, and sanitization.

The problem

Agents need API access.
Raw credentials are a liability.

Credential theft

A prompt injection can trick an agent into leaking API keys through the target API itself.

Unauthorized actions

An agent with raw keys can delete data, send messages, or make purchases with no human in the loop.

Secret leakage

API responses can echo credentials back. Without sanitization, your agent now has the raw secret.

How it works

Agents reference credentials by name.
The proxy handles the rest.

1. Agent sends a request by name

The agent sends X-TAP-Credential: slack and the target URL. It never sees the actual API key.

2. Policy check + human approval

GET requests auto-approve. Writes go to your device for one-tap approval. You see the full request before it goes out.

3. Inject, forward, sanitize

The proxy injects real credentials, forwards the request, scrubs secrets from the response, and returns clean data to the agent.

Same skills, safer

Your agent's code barely changes.

before
Authorization: Bearer sk-live-a1b2c3d4e5f6...
X-Api-Target:  slack.com/api/chat.postMessage
after
X-TAP-Credential: slack
X-TAP-Target:    slack.com/api/chat.postMessage

Same skill, same API call. Swap the raw secret for a name. The proxy handles the rest.

Capabilities

Security defaults.
Not security theater.

Credential isolation

Agents reference credentials by name. The proxy holds the secrets. Compromise the agent, the keys stay safe.

Policy engine

Auto-approve reads, require approval for writes. URL-pattern overrides for fine-grained control. Fail closed by default.

Response sanitization

Scrubs credential values from API responses -- exact match, base64, and URL-encoded variants. Up to 10 MB.
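
The three variants listed above, as an added Node.js example that is not the proxy's own code: a scrubber for the exact, URL-encoded and base64 forms of a secret. It goes slightly beyond the page by also matching a secret embedded at any byte offset inside a larger base64 payload; the function names, the minimum fragment length and the sample secret are assumptions made for illustration.

```javascript
// Added example: hypothetical names, constructed secret; not the proxy's own code.
const REDACTED = "[REDACTED]";
const MIN_LEN = 8; // assumption: shorter fragments would match unrelated text

// A secret embedded at byte offset 0, 1 or 2 (mod 3) of a larger base64 payload
// encodes three different ways. For each alignment, keep only the characters
// determined entirely by the secret's own bytes.
function base64Alignments(secret) {
  const raw = Buffer.from(secret, "utf8");
  const fragments = [];
  for (let pad = 0; pad < 3; pad++) {
    const enc = Buffer.concat([Buffer.alloc(pad), raw]).toString("base64");
    const start = Math.ceil((pad * 8) / 6); // skip chars that mix in prefix bits
    const end = Math.floor(((pad + raw.length) * 8) / 6); // stop before suffix bits
    fragments.push(enc.slice(start, end));
  }
  return fragments;
}

function variantsOf(secret) {
  const set = new Set([secret, encodeURIComponent(secret)]);
  for (const frag of base64Alignments(secret)) {
    set.add(frag);
    set.add(frag.replace(/\+/g, "-").replace(/\//g, "_")); // base64url alphabet
  }
  // Longest first, so a short variant never splits a longer one.
  return [...set].filter((v) => v.length >= MIN_LEN).sort((a, b) => b.length - a.length);
}

function sanitize(body, secrets) {
  let out = body;
  for (const secret of secrets) {
    for (const v of variantsOf(secret)) out = out.split(v).join(REDACTED);
  }
  return out;
}

const SECRET = "sk-test/Constructed+Key=123"; // constructed sample value
const wrapped = Buffer.from("x" + SECRET + "yz").toString("base64");
console.log(sanitize(`{"echo":"${wrapped}"}`, [SECRET]));
```

A scrubber that only compares against the base64 of the bare secret misses the wrapped case printed at the end, because the surrounding bytes shift the encoding.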

Exfiltration prevention

Credentials in a tweet body or email subject? Rejected. Placeholders are only allowed in auth-position headers and fields.

Multi-tenant teams

Each team gets isolated credentials, agents, and policies. Agents can link across teams for multi-account access with scoped roles.

Connector routing

Direct injection for API keys. Sidecar routing for OAuth 1.0a, OAuth 2.0, and custom protocols. One interface for the agent.

Audit trail

Every request logged with agent ID, credential, approval status, upstream response, and latency. JSON lines for easy ingestion.

Enclave deployment

Run on Evervault hardware enclaves for encrypted memory and attestation. Managed hosting runs in enclaves by default.

Early access

We're onboarding early users.

Managed hosting runs in hardware enclaves with full Pro features—unlimited agents, unlimited credentials, multi-account, and passkey approval. Free during early access.

  • Unlimited agents & credentials
  • Hardware enclave (keys never exported)
  • Multi-account (cross-team)
  • Telegram + passkey approval
  • 90-day audit log

Or self-host right now — clone the repo

Running in five minutes.

Open source (MIT). Managed hosting keeps your keys in hardware enclaves—no secrets on your machine. Or self-host for full control.

1. Sign up and add your API keys

Open the dashboard, create an account, and paste your API keys (OpenAI, GitHub, Slack — any service with a key or token).

2. Create an agent and copy the API key

Select which credentials the agent can access. The key is shown once.

3. Connect your agent

$ npx @nnsk/tap
# then tell your agent:  /setup-tap