Show HN: Agent Vault – Open-source credential proxy and vault for agents

Original link: https://github.com/Infisical/agent-vault

## Agent Vault: secure credential management for AI agents

Agent Vault is an open-source credential proxy designed to secure AI agents' access to APIs. Unlike traditional secrets management, it **never exposes credentials directly to the agent**, which reduces the risk posed by vulnerabilities such as prompt injection.

Agent Vault acts as a local HTTP proxy. The agent routes its requests through this proxy, which **injects the required credentials at the network layer**, so the agent never holds sensitive information while it runs.

Key features include:

* **Universal compatibility:** works with any agent that uses HTTP, including custom code and popular tools such as Claude, Cursor and Codex.
* **Strong security:** credentials are encrypted at rest with AES-256-GCM and can optionally be protected by a master password.
* **Detailed logging:** proxied requests are recorded for auditing (excluding sensitive data).
* **Flexible deployment:** supports macOS, Linux and Docker, with a passwordless setup option.
* **SDK integration:** a TypeScript SDK integrates with sandboxed agents running in containers.

Agent Vault is under active development and available on GitHub, with full documentation and a community Slack channel. It is designed as a robust solution for managing credentials in the evolving field of AI agents.

## Agent Vault: an open-source credential proxy

Infisical (github.com/infisical) has released a new open-source project, **Agent Vault**, aimed at the problem of credential leakage when using AI agents. It acts as a proxy and vault, supplying secrets to agents without exposing them directly.

The developers acknowledge that while Agent Vault prevents *credential* exfiltration, it does not eliminate *data* exfiltration if the agent's authentication key is compromised, which underlines the need for network lockdown. It *does*, however, prevent direct access to the key in the first place. They plan tighter integration with Infisical's cloud vault, letting users rely on Infisical's UI and centralized secrets management while using Agent Vault's secure delivery mechanism.

The project is intended as one component of a layered defense strategy, using a "credential proxy" to secure agents.

Original text

Agent Vault

HTTP credential proxy and vault

An open-source credential broker by Infisical that sits between your agents and the APIs they call.
Agents should not possess credentials. Agent Vault eliminates credential exfiltration risk with brokered access.

New here? The launch blog post has the full story behind Agent Vault.

Documentation | Installation | CLI Reference | Slack

(Image: Agent Vault demo)

Traditional secrets management relies on returning credentials directly to the caller. This breaks down with AI agents, which are non-deterministic systems vulnerable to prompt injection and can be fooled into leaking their secrets.

Agent Vault takes a different approach: it never reveals vault-stored credentials to agents. Instead, agents route HTTP requests through a local proxy that injects the right credentials at the network layer.

  • Brokered access, not retrieval - Your agent gets a scoped session and a local HTTPS_PROXY. It calls target APIs normally, and Agent Vault injects the right credential at the network layer. Credentials are never returned to the agent.
  • Works with any agent - Custom Python/TypeScript agents, sandboxed processes, and coding agents like Claude Code, Cursor, and Codex. Anything that speaks HTTP.
  • Encrypted at rest - Credentials are encrypted with AES-256-GCM using a random data encryption key (DEK). An optional master password wraps the DEK via Argon2id, so rotating the password does not re-encrypt credentials. A passwordless mode is available for PaaS deploys.
  • Request logs - Every proxied request is persisted per vault with method, host, path, status, latency, and the credential key names involved. Bodies, headers, and query strings are not recorded. Retention is configurable per vault.

See the installation guide for full details.

curl -fsSL https://get.agent-vault.dev | sh
agent-vault server -d

Supports macOS (Intel + Apple Silicon) and Linux (x86_64 + ARM64).

docker run -it -p 14321:14321 -p 14322:14322 -v agent-vault-data:/data infisical/agent-vault

For non-interactive environments (Docker Compose, CI, detached mode), pass the master password as an env var:

docker run -d -p 14321:14321 -p 14322:14322 \
  -e AGENT_VAULT_MASTER_PASSWORD=your-password \
  -v agent-vault-data:/data infisical/agent-vault

Requires Go 1.25+ and Node.js 22+.

git clone https://github.com/Infisical/agent-vault.git
cd agent-vault
make build
sudo mv agent-vault /usr/local/bin/
agent-vault server -d

The server starts the HTTP API on port 14321 and a TLS-encrypted transparent HTTPS proxy on port 14322. A web UI is available at http://localhost:14321.

CLI — local agents (Claude Code, Cursor, Codex, OpenClaw, Hermes, OpenCode)

Wrap any local agent process with agent-vault run (long form: agent-vault vault run). Agent Vault creates a scoped session, sets HTTPS_PROXY and CA-trust env vars, and launches the agent — all HTTPS traffic is transparently proxied and authenticated:

agent-vault run -- claude
agent-vault vault run -- agent
agent-vault vault run -- codex
agent-vault vault run -- opencode

The agent calls APIs normally (e.g. fetch("https://api.github.com/...")). Agent Vault intercepts the request, injects the credential, and forwards it upstream. The agent never sees secrets.
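The two per-request steps described here and in the feature list (inject the credential that matches the destination host, then write a log record that carries method, host, path, status, latency and credential key names but never bodies, headers or query strings) are shown below as an added example in plain Node.js. It is not Agent Vault's code and models only the decision logic, not the TLS interception; the vault table, host rules, header format and request are constructed for the demo.

```javascript
// Added example (not Agent Vault's code): credential injection and
// redacted request logging as pure functions over a request object.
// Constructed vault: credential key name -> where and how it is used.
const DEMO_VAULT = {
  GITHUB_TOKEN: { secret: "ghp_constructed", hosts: ["api.github.com"],
                  header: "Authorization", format: (s) => `Bearer ${s}` },
  OPENAI_API_KEY: { secret: "sk-constructed", hosts: ["api.openai.com"],
                    header: "Authorization", format: (s) => `Bearer ${s}` },
};

// Exact hostname match only. A suffix or substring match would hand the
// GitHub credential to a look-alike host, so the rule is deliberately strict.
function credentialsForHost(vault, hostname) {
  const h = hostname.toLowerCase();
  return Object.entries(vault).filter(([, c]) => c.hosts.includes(h));
}

// HTTP header names are case-insensitive: replace any agent-supplied
// variant of the header rather than adding a second copy.
function setHeader(headers, name, value) {
  for (const k of Object.keys(headers)) {
    if (k.toLowerCase() === name.toLowerCase()) delete headers[k];
  }
  headers[name] = value;
}

// Returns the request to forward upstream plus the key names that were used.
function injectCredential(vault, req) {
  const url = new URL(req.url);
  if (url.protocol !== "https:") {
    throw new Error("refusing to inject credentials into a plaintext request");
  }
  const headers = { ...req.headers };
  const keysUsed = [];
  for (const [name, cred] of credentialsForHost(vault, url.hostname)) {
    setHeader(headers, cred.header, cred.format(cred.secret));
    keysUsed.push(name);
  }
  return { method: req.method, url: req.url, headers, body: req.body, keysUsed };
}

// Log record: method, host, path, status, latency and key names only.
// The query string is dropped with the rest of the URL; headers and body
// never enter the record.
function logRecord(forwarded, status, latencyMs) {
  const url = new URL(forwarded.url);
  return {
    method: forwarded.method,
    host: url.hostname,
    path: url.pathname,
    status,
    latency_ms: latencyMs,
    credentials: forwarded.keysUsed,
  };
}

// Demo: one matching request, one look-alike host that must get nothing.
function demoProxy() {
  const agentRequest = {
    method: "GET",
    url: "https://api.github.com/user/repos?visibility=private",
    headers: { "User-Agent": "demo-agent", authorization: "Bearer agent-guess" },
    body: null,
  };
  const fwd = injectCredential(DEMO_VAULT, agentRequest);
  const rec = logRecord(fwd, 200, 87);
  const lookalike = injectCredential(DEMO_VAULT, {
    method: "GET", url: "https://api.github.com.example/", headers: {}, body: null,
  });
  return { fwd, rec, lookalikeKeys: lookalike.keysUsed };
}
```

The record that `logRecord` returns for the demo request is `{ method: "GET", host: "api.github.com", path: "/user/repos", status: 200, latency_ms: 87, credentials: ["GITHUB_TOKEN"] }`: the `?visibility=private` query string and the `User-Agent` header are not in it, and the look-alike host receives no credential at all.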

For non-cooperative sandboxing — where the child physically cannot reach anything except the Agent Vault proxy, regardless of what it tries — launch it in a Docker container with egress locked down by iptables:

agent-vault run --sandbox=container --share-agent-dir -- claude

--share-agent-dir bind-mounts your host's ~/.claude into the container so the sandboxed agent reuses your existing login. Currently Claude-only; support for other agents is coming soon.

See Container sandbox for the threat model and flags.

SDK — sandboxed agents (Docker, Daytona, E2B)

For agents running inside containers, use the SDK from your orchestrator to mint a session and pass proxy config into the sandbox:

npm install @infisical/agent-vault-sdk
import { AgentVault, buildProxyEnv } from "@infisical/agent-vault-sdk";

const av = new AgentVault({
  token: "YOUR_TOKEN",
  address: "http://localhost:14321",
});
const session = await av
  .vault("default")
  .sessions.create({ vaultRole: "proxy" });

// certPath is where you'll mount the CA certificate inside the sandbox.
const certPath = "/etc/ssl/agent-vault-ca.pem";

// env: { HTTPS_PROXY, NO_PROXY, NODE_USE_ENV_PROXY, SSL_CERT_FILE,
//         NODE_EXTRA_CA_CERTS, REQUESTS_CA_BUNDLE, CURL_CA_BUNDLE,
//         GIT_SSL_CAINFO, DENO_CERT }
const env = buildProxyEnv(session.containerConfig!, certPath);
const caCert = session.containerConfig!.caCertificate;

// Pass `env` as environment variables and mount `caCert` at `certPath`
// in your sandbox — Docker, Daytona, E2B, Firecracker, or any other runtime.
// Once configured, the agent inside just calls APIs normally:
//   fetch("https://api.github.com/...") — no SDK, no credentials needed.

See the TypeScript SDK README for full documentation.

make build      # Build frontend + Go binary
make test       # Run tests
make web-dev    # Vite dev server with hot reload (port 5173)
make dev        # Go + Vite dev servers with hot reload
make docker     # Build Docker image

This repo is available under the MIT (Expat) license, with the exception of the ee directory, which will contain premium enterprise features requiring an Infisical license.

If you are interested in Infisical or exploring a more commercial path for Agent Vault, take a look at our website or book a meeting with us.

Whether it's big or small, we love contributions. Agent Vault follows the same contribution guidelines as Infisical.

Check out our guide to see how to get started.

Not sure where to get started? You can:

  • Join our Slack, and ask us any questions there.

If you're reading this, there is a strong chance you like the products we created.

You might also make a great addition to our team. We're growing fast and would love for you to join us.


Preview. Agent Vault is in active development and the API is subject to change. Please review the security documentation before deploying.
