Open source credential proxy

Your agents shouldn't
hold the keys.

Your agent's code barely changes: put a credential name where you would otherwise put the raw secret. The proxy handles injection, approval, and sanitization.

The problem

Agents need API access.
Raw credentials are a liability.


Credential theft

A prompt injection can trick an agent that holds a raw API key into leaking it through the very API the key was issued for, for example by posting the key into a message body or a URL the agent was told to fetch.


Unauthorized actions

An agent with raw keys can delete data, send messages, or make purchases with no human in the loop.


Secret leakage

Some API responses echo the request back, including its auth header or token. Without sanitization, the agent now holds the raw secret in its context.

How it works

Agents reference credentials by name.
The proxy handles the rest.

1. Agent sends a request by name

The agent sends X-AgentSec-Credential: slack and the target URL in X-AgentSec-Target. It never sees the actual API key.

2. Policy check + human approval

GET requests auto-approve. Writes go to your device for one-tap approval, and you see the full request (method, URL, headers, body) before it goes out. Treating GET as read-only is the default, not a guarantee; use a URL-pattern override for any read endpoint that should still require approval.

3. Inject, forward, sanitize

The proxy injects real credentials, forwards the request, scrubs secrets from the response, and returns clean data to the agent.

Same skills, safer

Your agent's code barely changes.

before
Authorization: Bearer sk-live-a1b2c3d4e5f6...
X-Api-Target:  slack.com/api/chat.postMessage
after
X-AgentSec-Credential: slack
X-AgentSec-Target:    slack.com/api/chat.postMessage

Same skill, same API call. Swap the raw secret for a name. The proxy handles the rest.
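The three steps above as one request handler, written here as an added example (not agentsec's own code). The header names X-AgentSec-Credential and X-AgentSec-Target come from this page; the in-memory vault, the approval hook, the upstream transport and the constructed echoing API are assumptions for illustration.

```python
"""Added example, not agentsec's own code: the three proxy steps as one handler.
Assumed for illustration: the VAULT dict, the `approve` hook standing in for
one-tap approval, and the `upstream` transport (a constructed echoing API here)."""
import json
import time
from typing import Callable, Dict, Optional, Tuple

# Constructed vault: credential name -> real secret. Only the proxy reads it.
VAULT: Dict[str, str] = {"slack": "xoxb-constructed-secret-0123456789"}

# Methods treated as reads and auto-approved; everything else is a write.
READ_METHODS = {"GET", "HEAD"}

Approver = Callable[[Dict], bool]                                                 # human-approval hook
Upstream = Callable[[str, str, Dict[str, str], Optional[str]], Tuple[int, str]]  # transport hook


def handle(agent_id: str, method: str, headers: Dict[str, str], body: Optional[str],
           upstream: Upstream, approve: Optional[Approver] = None) -> Dict:
    """Run one agent request through the proxy. Returns the sanitized upstream
    status and body plus the audit record (as a dict and as one JSON line)."""
    t0 = time.monotonic()
    method = method.upper()
    h = {k.lower(): v for k, v in headers.items()}          # header names are case-insensitive
    name = h.get("x-agentsec-credential")
    target = h.get("x-agentsec-target")
    record = {"agent_id": agent_id, "credential": name, "method": method, "target": target}

    # Step 1: the agent only named a credential; resolve it here, never in the agent.
    secret = VAULT.get(name or "")
    if secret is None or not target:
        return _finish(record, "rejected", None, None, t0)   # fail closed

    # Step 2: reads auto-approve; writes need an explicit yes from a human.
    url = "https://" + target
    if method in READ_METHODS:
        approval = "auto"
    elif approve is not None and approve({"method": method, "url": url, "body": body}):
        approval = "human"
    else:
        return _finish(record, "denied", None, None, t0)     # no approver wired up, or approver said no

    # Step 3: drop the proxy's own headers, inject the real secret in the auth
    # position, forward, then scrub the secret from whatever comes back.
    out_headers = {k: v for k, v in headers.items() if not k.lower().startswith("x-agentsec-")}
    out_headers["Authorization"] = "Bearer " + secret
    status, resp_body = upstream(method, url, out_headers, body)
    clean = resp_body.replace(secret, "[REDACTED:" + name + "]")   # exact-match scrub only, here
    return _finish(record, approval, status, clean, t0)


def _finish(record: Dict, approval: str, status: Optional[int], body: Optional[str], t0: float) -> Dict:
    """Close the audit record: approval outcome, upstream status, latency. The
    secret itself never enters the record."""
    record.update({"approval": approval, "upstream_status": status,
                   "latency_ms": round((time.monotonic() - t0) * 1000, 3)})
    return {"status": status, "body": body, "audit": record, "audit_line": json.dumps(record)}


def echoing_upstream(method: str, url: str, headers: Dict[str, str], body: Optional[str]) -> Tuple[int, str]:
    """Constructed stand-in for a real API that echoes its auth header back:
    the 'secret leakage' case from the problem section."""
    return 200, json.dumps({"ok": True, "saw_auth": headers.get("Authorization"), "url": url})


if __name__ == "__main__":
    req = {"X-AgentSec-Credential": "slack", "X-AgentSec-Target": "slack.com/api/chat.postMessage"}
    result = handle("agent-1", "POST", req, '{"channel":"C1","text":"hi"}', echoing_upstream,
                    approve=lambda r: True)          # stand-in for tapping "approve" on your device
    print(result["audit_line"])
    print(result["body"])
```

The write path only proceeds when an approver is present and answers yes; a missing approver is treated the same as a denial, which is what "fail closed" means in practice. The audit line is emitted for every outcome, including rejected and denied requests.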

Capabilities

Security defaults.
Not security theater.

Credential isolation

Agents reference credentials by name. The proxy holds the secrets. Compromise the agent and the keys stay where they were, in the proxy. A compromised agent can still make whatever requests the policy allows, which is why the policy engine and the approval step matter as much as isolation.

Policy engine

Auto-approve reads, require approval for writes. URL-pattern overrides for fine-grained control. Fail closed by default: a request that cannot be parsed, names an unknown credential, or needs an approval that never arrives is denied rather than forwarded.
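A policy engine with the three behaviours named above, added here as an example (not agentsec's policy code or rule format). The glob rule syntax, the sample rules, and binding each credential to the hosts it may be sent to are assumptions; that last one goes beyond the page's text, but without it a GET to an attacker-chosen host would auto-approve and carry the credential with it.

```python
"""Added example, not agentsec's own policy engine. Assumptions: rules are globs
over "METHOD host/path", first match wins, and each credential is pinned to the
hosts it may be sent to (ALLOWED_HOSTS). Sample rules are constructed."""
import fnmatch
import posixpath
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple
from urllib.parse import urlsplit


@dataclass(frozen=True)
class Rule:
    credential: str   # credential name the rule applies to, or "*" for any
    pattern: str      # glob matched against "METHOD host/path"
    decision: str     # "allow", "approve" (needs a human), or "deny"


# Which hosts a credential may ever be injected into. No entry means no host.
ALLOWED_HOSTS: Dict[str, Set[str]] = {"slack": {"slack.com"}, "github": {"api.github.com"}}

# Constructed overrides. First match wins; anything unmatched falls to the defaults.
RULES: List[Rule] = [
    Rule("slack", "GET slack.com/api/auth.test", "deny"),                         # a read that reveals too much
    Rule("slack", "* slack.com/api/admin.*", "deny"),                             # whole admin surface blocked
    Rule("github", "GET api.github.com/repos/*/*/actions/secrets*", "approve"),   # read, but sensitive
    Rule("github", "DELETE api.github.com/*", "deny"),
]

READ_METHODS = {"GET", "HEAD", "OPTIONS"}


def normalize_target(target: str) -> Optional[Tuple[str, str]]:
    """Canonical (host, path) for matching: lowercase host, no scheme, query,
    fragment or dot-segments, so 'auth.test?x=1' or 'admin.x/../auth.test'
    cannot slip past a rule written for 'auth.test'. Userinfo tricks such as
    'slack.com@evil.example' resolve to the real host, evil.example."""
    parts = urlsplit(target if "://" in target else "https://" + target)
    if not parts.hostname:
        return None
    return parts.hostname, posixpath.normpath(parts.path or "/")


def decide(credential: Optional[str], method: Optional[str], target: Optional[str],
           rules: List[Rule] = RULES) -> str:
    """Return 'allow', 'approve' or 'deny'. Missing or unparseable input denies."""
    if not credential or not method or not target:
        return "deny"
    canon = normalize_target(target)
    if canon is None:
        return "deny"
    host, path = canon
    if host not in ALLOWED_HOSTS.get(credential, set()):
        return "deny"                                      # credential never leaves its own API
    key = f"{method.upper()} {host}{path}"
    for rule in rules:
        if rule.credential in ("*", credential) and fnmatch.fnmatchcase(key, rule.pattern):
            return rule.decision
    return "allow" if method.upper() in READ_METHODS else "approve"


if __name__ == "__main__":
    for args in [("slack", "GET", "slack.com/api/conversations.list"),
                 ("slack", "POST", "slack.com/api/chat.postMessage"),
                 ("slack", "GET", "slack.com/api/auth.test?x=1"),
                 ("slack", "GET", "https://slack.com@evil.example/api/x")]:
        print(args, "->", decide(*args))
```

"approve" is a decision, not a permission: the caller still has to obtain the human's yes before forwarding, and a missing or timed-out answer is a denial. Note that fnmatch's `*` also matches `/`, so `api.github.com/*` covers every path on that host; write narrower patterns when that is not what you mean.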

Response sanitization

Scrubs credential values from API responses -- the exact value plus its base64 and URL-encoded variants. Responses up to 10 MB are scanned.
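A sanitizer covering the three variants named above, added here as an example (not agentsec's code). It goes one step beyond the page's wording: base64 output depends on where the secret sits inside whatever was encoded ("Bearer <secret>" versus "<secret>" alone), so it scrubs the secret's base64 run at all three byte alignments. The constructed secret, the redaction marker, and refusing to forward a response over the 10 MB limit (the page does not say what happens past it) are assumptions.

```python
"""Added example, not agentsec's own sanitizer. Assumptions: the constructed
SECRET, the "[REDACTED:<name>]" marker, and treating a body over the page's
10 MB limit as not-forwardable (fail closed)."""
import base64
import json
import math
import re
from typing import Dict, Set
from urllib.parse import quote

MAX_BYTES = 10 * 1024 * 1024
SECRET = "sk-live/a1b2+c3d4=e5f6constructed"   # constructed; '/', '+', '=' make every encoding differ


def base64_fragments(raw: bytes) -> Set[str]:
    """For each byte alignment (0, 1, 2 bytes of unknown prefix) emit the run of
    base64 characters that depends only on the secret, in both the standard
    and the URL-safe alphabet. Prefix bytes are zeros; the characters that
    share bits with them are cut off, so only secret-determined text remains."""
    out: Set[str] = set()
    for k in range(3):
        enc = base64.b64encode(b"\x00" * k + raw).decode()
        start = math.ceil(8 * k / 6)               # first char carrying no prefix bits
        end = (8 * k + 8 * len(raw)) // 6          # last char carrying no trailing bits
        frag = enc[start:end]
        out.add(frag)
        out.add(frag.replace("+", "-").replace("/", "_"))
    return out


def variants(secret: str) -> Set[str]:
    """Exact, URL-encoded (upper- and lowercase hex), and base64 forms."""
    upper = quote(secret, safe="")
    lower = re.sub(r"%[0-9A-F]{2}", lambda m: m.group().lower(), upper)
    out = {secret, upper, lower} | base64_fragments(secret.encode())
    return {v for v in out if len(v) >= 4}        # never replace "" or a tiny fragment


def exceeds_limit(body: str, limit: int = MAX_BYTES) -> bool:
    return len(body.encode()) > limit


def scrub(body: str, secrets: Dict[str, str], limit: int = MAX_BYTES) -> str:
    """Replace every variant of every secret with a marker naming the credential."""
    if exceeds_limit(body, limit):
        raise ValueError("response over the scan limit; refusing to forward it unsanitized")
    for name, secret in secrets.items():
        for v in sorted(variants(secret), key=len, reverse=True):   # longest forms first
            body = body.replace(v, "[REDACTED:" + name + "]")
    return body


def leaks(body: str, secret: str) -> bool:
    """True if any known encoding of the secret is still present."""
    return any(v in body for v in variants(secret))


def demo_body() -> str:
    """Constructed upstream response echoing the secret in four encodings."""
    return json.dumps({
        "auth_echo": "Bearer " + SECRET,
        "b64_basic": base64.b64encode(("Bearer " + SECRET).encode()).decode(),  # secret at byte offset 7
        "callback": "https://app.example/cb?key=" + quote(SECRET, safe=""),
        "urlsafe": base64.urlsafe_b64encode(SECRET.encode()).decode(),
    })


if __name__ == "__main__":
    print(scrub(demo_body(), {"slack": SECRET}))
```

Longest variants are replaced first so a padded base64 form is consumed before its unpadded prefix. The alignment trick is what lets the scrubber catch a token that was base64-encoded as part of a larger string, which a plain `b64encode(secret)` lookup misses two times out of three.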

Exfiltration prevention

A credential placeholder in a tweet body or an email subject? Rejected. Placeholders (the credential name standing in for the secret) are only substituted in auth-position headers and fields; anywhere else in the request they are treated as an exfiltration attempt and the request is dropped.
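The placement check described above, added here as an example (not agentsec's own code). The page does not specify a placeholder syntax, so `{{cred:<name>}}` is assumed, as are the allowlists of auth-position headers and field names and the sample requests; the URL path and query are percent-decoded before scanning so an encoded placeholder cannot hide from the check.

```python
"""Added example, not agentsec's own check. Assumptions: placeholder syntax
{{cred:<name>}}, the AUTH_HEADERS / AUTH_FIELDS allowlists, and that only
top-level JSON fields (not nested ones) count as auth positions."""
import json
import re
from typing import Any, Callable, Dict, List, Optional, Tuple
from urllib.parse import parse_qsl, unquote, urlsplit

PLACEHOLDER = re.compile(r"\{\{cred:[A-Za-z0-9_-]+\}\}")
# In an auth position the placeholder must be the whole value, optionally after a scheme word.
AUTH_VALUE = re.compile(r"^(?:(?:Bearer|Basic|Token) )?\{\{cred:[A-Za-z0-9_-]+\}\}$")
AUTH_HEADERS = {"authorization", "x-api-key", "x-auth-token"}
AUTH_FIELDS = {"api_key", "access_token", "token", "client_secret"}   # query or top-level body fields

Finding = Tuple[str, str]   # (location, "ok" | "rejected")


def check_request(url: str, headers: Dict[str, str], body: Optional[str]) -> Tuple[bool, List[Finding]]:
    """Locate every placeholder; allow the request only if all of them are whole
    values in an auth-position header or field. A request with no placeholder
    passes (there is nothing to inject)."""
    findings: List[Finding] = []

    def visit(location: str, value: Any, auth_position: bool) -> None:
        if isinstance(value, str) and PLACEHOLDER.search(value):
            ok = auth_position and AUTH_VALUE.match(value) is not None
            findings.append((location, "ok" if ok else "rejected"))

    parts = urlsplit(url)
    visit("url.path", unquote(parts.path), False)           # decode so %7B%7B cannot hide a placeholder
    for k, v in parse_qsl(parts.query, keep_blank_values=True):  # parse_qsl decodes values
        visit("query." + k, v, k.lower() in AUTH_FIELDS)
    for k, v in headers.items():
        visit("header." + k, v, k.lower() in AUTH_HEADERS)
    if body:
        try:
            doc = json.loads(body)
        except ValueError:
            visit("body", unquote(body), False)             # opaque body: no auth positions in it
        else:
            _walk(doc, "body", visit)
    return all(status == "ok" for _, status in findings), findings


def _walk(node: Any, path: str, visit: Callable[[str, Any, bool], None]) -> None:
    """Recurse through a JSON body; only top-level fields can be auth positions."""
    if isinstance(node, dict):
        for k, v in node.items():
            loc = f"{path}.{k}"
            if isinstance(v, (dict, list)):
                _walk(v, loc, visit)
            else:
                visit(loc, v, path == "body" and str(k).lower() in AUTH_FIELDS)
    elif isinstance(node, list):
        for i, v in enumerate(node):
            loc = f"{path}[{i}]"
            if isinstance(v, (dict, list)):
                _walk(v, loc, visit)
            else:
                visit(loc, v, False)


if __name__ == "__main__":
    allowed, findings = check_request(
        "https://api.twitter.com/2/tweets",
        {"Authorization": "Bearer {{cred:twitter}}"},
        '{"text": "my key is {{cred:twitter}}"}')
    print(allowed, findings)
```

The whole-value rule matters as much as the position rule: "Authorization: Bearer {{cred:slack}} extra" is rejected too, because anything appended to an auth value is a way to smuggle data alongside the secret.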

Connector routing

Direct injection for API keys. Sidecar routing for OAuth 1.0a, OAuth 2.0, and custom protocols. One interface for the agent.

Audit trail

Every request logged with agent ID, credential, approval status, upstream response, and latency. JSON lines for easy ingestion.

Running in five minutes.

Open source. Self-host for free, or let us run it on hardware enclaves.

$ git clone https://github.com/nanaknihal/agentsec
$ cd agentsec
$ cp local.env.example .env
$ # fill in .env with your keys (this file holds the real secrets; keep it out of version control)
$ docker-compose -f docker-compose.yaml -f docker-compose.local.yaml up --build