Live — Zero-knowledge

The credential store
AI agents actually use.

Zero-knowledge. Edge-deployed. 30-second setup.

Your secrets are encrypted before they leave your agent. We never see them. Nobody does.

Get API Key — Free → Read the Docs

The state of agent credentials today

The AI agent ecosystem has a secrets problem. And nobody is solving it.

92% of MCP servers store secrets in plaintext config files

~0 AI agent frameworks include a credential primitive — they recommend “use .env files”

6 mo average enterprise secrets manager rollout — requires sales call, IAM policy, ops team

Your agent deserves better. The bar is low — and we clear it in 30 seconds.

How it works

Four steps. One of them is our server. The rest happen inside your agent.

Your agent encrypts locally

Call VaultCrypto.encrypt("sk-proj-abc123", "openai-key"). The plaintext never leaves your process.

Encrypted blob hits our API

PUT /v1/vault/openai-key — we receive ciphertext. Opaque, meaningless without your seed.

We store opaque ciphertext

Server stores: aeGx8kF... — meaningless without your seed. We literally cannot read it.

Your agent retrieves and decrypts

GET /v1/vault/openai-key returns the blob. You call vault.decrypt(). You get your secret back.

Get started in 30 seconds

Pick your language:

// Install: bun add @agentlair/vault-crypto  (or npm, pnpm, yarn)
import { VaultCrypto } from '@agentlair/vault-crypto';

// One-time setup (30 seconds)
const apiKey = await fetch('https://api.agentlair.dev/v1/auth/keys', {
  method: 'POST'
}).then(r => r.json()).then(r => r.api_key);

const seed = VaultCrypto.generateSeed();  // save this!
const vault = VaultCrypto.fromSeed(seed);

// Store a secret
const ciphertext = await vault.encrypt('sk-proj-abc123', 'openai');
await fetch('https://api.agentlair.dev/v1/vault/openai', {
  method: 'PUT',
  headers: {
    'Authorization': `Bearer ${apiKey}`,
    'Content-Type': 'application/json',
  },
  body: JSON.stringify({ ciphertext }),
});

// Retrieve it — from any agent, anywhere
const { ciphertext: stored } = await fetch(
  'https://api.agentlair.dev/v1/vault/openai',
  { headers: { 'Authorization': `Bearer ${apiKey}` } }
).then(r => r.json());

const secret = await vault.decrypt(stored, 'openai');
// secret === 'sk-proj-abc123'

npm · GitHub · AES-256-GCM + HKDF-SHA-256. Zero dependencies.

# Create account
API_KEY=$(curl -s -X POST https://api.agentlair.dev/v1/auth/keys | jq -r .api_key)

# Store (you encrypt client-side first — see TypeScript tab)
curl -X PUT https://api.agentlair.dev/v1/vault/my-secret \
  -H "Authorization: Bearer $API_KEY" \
  -H "Content-Type: application/json" \
  -d '{"ciphertext": "YOUR_ENCRYPTED_BLOB"}'
# -> { "key": "my-secret", "stored": true, "version": 1 }

# Retrieve
curl https://api.agentlair.dev/v1/vault/my-secret \
  -H "Authorization: Bearer $API_KEY"
# -> { "ciphertext": "YOUR_ENCRYPTED_BLOB", "version": 1 }

# List all keys
curl https://api.agentlair.dev/v1/vault/ \
  -H "Authorization: Bearer $API_KEY"
# -> { "keys": [...], "count": 1, "limit": 10 }

# Coming soon: pip install agentlair
# Python SDK is in development. For now, use curl or the TypeScript library.
#
# What it will look like:
#
# from agentlair import Client, VaultCrypto
#
# client = Client(api_key="al_live_...")
# vault = VaultCrypto.from_seed(VaultCrypto.generate_seed())
#
# encrypted = vault.encrypt("sk-proj-abc123", "openai")
# client.vault.put("openai", ciphertext=encrypted)
#
# Want Python support? Star the repo and open an issue:
# github.com/piiiico/agentlair

Request Python SDK on GitHub →

Works with your framework

Vault is a REST API. It works with everything that can make an HTTP request.

LangChain LangGraph CrewAI AutoGen MCP Servers Mastra Claude SDK OpenAI Agents Any HTTP client

Building a framework integration? Open a PR →

Key features

Version history

Every PUT auto-increments version. Roll back with ?version=N. Old versions retained at tier limits.

Email recovery

Metadata

Attach labels, algorithm hints, and agent IDs to each secret. Stored in plaintext for operational use.

Agent-native payments

Agents pay per-request via HTTP 402 + USDC on Base when free-tier limits are hit. No human billing needed.

Pricing

Free

10 secrets
3 versions per secret
16 KB per value
100 API calls/day
Email recovery
No credit card required

Pro

$9/month

Unlimited secrets
100 versions per secret
64 KB per value
10,000 API calls/day
Priority support
x402 autonomous payments

Pro tier coming soon. Free tier is permanent — no expiry, no bait-and-switch.
Autonomous agents: x402 payments available — agents pay per-call at $0.001/request. Security details →

Security model

Built on cryptographic primitives, not trust. Open-source, auditable, edge-deployed.

✓ Client-side encryption (AES-256-GCM)

✓ Per-key derivation (HKDF-SHA-256)

✓ API keys hashed server-side (SHA-256)

✓ Zero-knowledge: server stores opaque blobs

✓ Single-use recovery tokens (15 min TTL)

✓ Edge-deployed on Cloudflare (200+ PoPs)

✓ Open-source crypto library (npm)

✓ Built on Web Crypto API (no dependencies)

Read the full security architecture →

Why not just use…?

vs AWS / GCP Secrets Manager

They see your plaintext. Require IAM setup (~1 hour). We take 30 seconds and never see your secrets.

vs HashiCorp Vault

Requires server setup (~1 day). Needs unseal keys. We're a single PUT request away from running.

vs Infisical

Server decrypts your secrets. Dashboard required. We store opaque blobs we literally cannot read.

vs .env files

Gone when the container dies. No recovery. No versioning. No audit trail. No encryption.

API reference

Method	Endpoint	Description
`POST`	`/v1/auth/keys`	Create account (no auth needed)
`GET`	`/v1/vault/`	List all keys (metadata, no ciphertext)
`PUT`	`/v1/vault/{key}`	Store encrypted blob (body: `{"ciphertext", "metadata?"}`)
`GET`	`/v1/vault/{key}`	Retrieve secret (`?version=N` for specific version)
`DELETE`	`/v1/vault/{key}`	Delete all versions (`?version=N` for one)
`POST`	`/v1/vault/recovery-email`	Register recovery email + encrypted seed

 Tier limits
     Free  Pro ($9/mo)  
 
   Secrets  10 keys  Unlimited  
  Version history  3 per key  100 per key  
  Max blob size  16 KB  64 KB  
  API requests/day  100 (shared)  10,000  
  Recovery emails  1  3

	Free	Pro ($9/mo)
Secrets	10 keys	Unlimited
Version history	3 per key	100 per key
Max blob size	16 KB	64 KB
API requests/day	100 (shared)	10,000
Recovery emails	1	3

  The credential store AI agents actually use.
 Free tier. No credit card. No IAM. No human setup.
  Get API Key — Free → Security details 
  API reference ·
Dashboard ·
npm ·
GitHub

The credential storeAI agents actually use.