
HTTP credential proxy and vault
An open-source credential broker by Infisical that sits between your agents and the APIs they call.
Agents should not possess credentials. Agent Vault eliminates credential exfiltration risk with brokered access.
New here? The launch blog post has the full story behind Agent Vault.
Documentation | Installation | Tutorial | Video Demo | Slack

Traditional secrets management involves returning credentials back to you applications and services. This breaks down with AI agents which can be tricked via prompt injection into leaking secrets. This is the problem of credential exfiltration.
Agent Vault was created to solve credential exfiltration for all AI agents. Instead of giving AI agents credentals directly, you store them in Agent Vault (e.g. ANTHROPIC_API_KEY, GITHUB_PAT, etc.) and force your agents to route HTTP requests through it. Agent Vault intercepts every request and attaches credentials onto it before forwarding the request to the target outbound API.
Features:
__anthropic_api_key__ with real credentials or replacing auth headers entirely on outbound requests through it.HTTPS_PROXY and be compatible with Agent Vault's MITM architecture.mitmproxy or squid require modification to perform credential brokering and integrate well with agents. Agent Vault is purpose-built to work with the ergonomics of all types of agent use-cases with a dedicated CLI, multi-tenancy, and agent-specific roadmap backed by Infisical.By default, requests not matching any service forward as plain proxy traffic; flip a vault into strict deny mode (unmatched_host_policy=deny) to reject them with 403 instead.
Read the full backstory behind Agent Vault here.
Agent Vault works with all kinds of AI Agent use-cases including secure remote coding agents, all-purpose agents, custom agents + harnesses, secure ephemeral sandboxes and more.
ANTHROPIC_API_KEY and GITHUB_PAT in Agent Vault, allowing Claude Code to interact with the Anthropic and GitHub API to code, raise PRs, and more. The same principle applies to other coding agents.Agent Vault is both a vault and proxy service and ships as a single binary that acts as both a server and CLI client. It stores credentials and brokers them to your AI agents using a MITM proxy architecture. By design, Agent Vault is meant to be deployed on a separate machine from your AI agents to provide the security guarantee needed so your AI agents cannot directly access the credentials within Agent Vault.
┌─────────────────────────────────────────────────────────────────┐
│ Public internet │
│ │
│ api.anthropic.com api.github.com api.stripe.com ... │
│ ▲ ▲ ▲ │
└──────────┼───────────────────┼──────────────────┼───────────────┘
│ │ │
└───────────────────┼──────────────────┘
│ outbound HTTPS, Agent Vault
│ injects credentials on the way out
┌──────────────────────────────┼──────────────────────────────────┐
│ Private network │ │
│ │ │
│ ┌───────────────────────────┴────┐ ┌────────────────────┐ │
│ │ Agent Vault │ │ AI agent │ │
│ │ :14321 management UI / API │◀────│ HTTPS_PROXY= │ │
│ │ :14322 MITM proxy │ │ agent-vault:14322 │ │
│ └────────────────▲───────────────┘ └────────────────────┘ │
│ │ │
└───────────────────┼─────────────────────────────────────────────┘
│ operator access: keep private, or front
│ with TLS + auth (SSO reverse proxy, IP
│ allowlist, or VPN) if you need remote admin
│
Operator
You can configure Agent Vault to broker credentials for an AI agents in just a few steps:
curl --proto '=https' --proto-redir '=https' --tlsv1.2 -fsSL https://get.agent-vault.dev | sh
Start the Agent Vault server and set a master password for it (store it somewhere safe); the password is used as part of its data encryption mechanism and is unset from the process after the initial read.
export AGENT_VAULT_MASTER_PASSWORD=your-password
agent-vault server -d
You can also deploy Agent Vault with Docker:
docker run -it -p 14321:14321 -p 14322:14322 \
-e AGENT_VAULT_MASTER_PASSWORD=your-password \
-v agent-vault-data:/data infisical/agent-vault
The server starts the HTTP API on port 14321 and a transparent HTTP/HTTPS proxy on port 14322; the same listener handles CONNECT for https:// upstreams and absolute-form forward-proxy requests for http:// upstreams.
The web UI becomes available at http://<host>:14321 and you'll be prompted to create the first user known as the instance owner.
Create a vault, input your credentials, and configure service rules in Agent Vault either through the management UI or via CLI on the Agent Vault machine. For example, you can create a credential for ANTHROPIC_API_KEY and create a service rule for Agent Vault to substitute a dummy value __anthropic_api_key__ for the real key.
Create an agent to represent a long-running agent and obtain a token for it. Alternatively, if you're spinning up ephemeral sandboxed agents, you can use agent to represent an orchestrator backend and use it to mint a short-lived token to be passed into the sandbox for the agent to use and proxy requests through Agent Vault.
Set the following environment variables in your AI agent's environment:
AGENT_VAULT_ADDR=http://<your-addr>:14321
AGENT_VAULT_TOKEN=<agent-token-from-agent-vault>
AGENT_VAULT_VAULT=<vault-in-agent-vault>
...
ANTHROPIC_API_KEY=__anthropic_api_key__ // dummy key that will be substituted by Agent Vault
curl --proto '=https' --proto-redir '=https' --tlsv1.2 -fsSL https://get.agent-vault.dev | sh
Release archives published from this workflow ship with a build provenance attestation tied to the GitHub Actions run that produced them. Verify with the gh CLI (no extra tools, no key management):
gh attestation verify agent-vault_*.tar.gz --repo Infisical/agent-vault
checksums.txt is also covered by the same attestation, and its cosign signature continues to verify with cosign verify-blob for users who prefer that path.
agent-vault run -- claude
agent-vault vault run -- agent
agent-vault vault run -- codex
agent-vault vault run -- opencode
Alternatively, if your agent is running with Docker, you can install the Agent Vault CLI via a Dockerfile by copying the binary into your own image and using it to start up your agent process:
# Add this line to your existing Dockerfile alongside your agent or app setup.
COPY --from=infisical/agent-vault:latest /usr/local/bin/agent-vault /usr/local/bin/agent-vault
...
ENTRYPOINT ["agent-vault", "run", "--", "claude"]
There are many ways to deploy Agent Vault and integrate your AI agents with it. We recommend consulting the fuller documentation.
A full end-to-end walkthrough: running Hermes Agent on a remote VPS while Agent Vault brokers every outbound API call from a second box. Real credentials never touch the agent host.
Step-by-step companion guide: Run Hermes on a VPS.
Security:
You should deploy Agent Vault as a separate service on a different host machine from your AI agents to prevent agents from exploiting a shared host to gain access to Agent Vault.
You should keep the proxy port (14322 by default), where credentials get injected into outbound requests, private to your agents' network. The management interface on 14321 is safer to expose if you need remote admin, but still harden it like any production web service (TLS, IP allowlist). Refer to examples/nginx-public-ui-proxy/ for a working example.
Latency: You should co-locate Agent Vault alongside your AI agents within the same network to reduce request latency.
Tokens: You should create an agent in Agent Vault to represent a long-lived agent. For ephemeral sandboxes, you may prefer to mint short-lived, vault-scoped tokens for sandboxed agents to use to proxy requests through Agent Vault.
By default Agent Vault stores all state in a local SQLite database, which requires no setup. For production deployments, or when running multiple instances, set the DATABASE_URL environment variable (or --database-url flag) to a PostgreSQL connection string and Agent Vault switches to Postgres as its backend. All instances share the same database, so state is consistent across replicas.
Migrate existing data with agent-vault migrate-db --to postgres://... before switching. See the PostgreSQL guide for deployment examples (Kubernetes, Docker Compose), architecture notes, and operational details.
Agent Vault offers a TypeScript SDK in the event you'd like an orchestrator to mint a short-lived token and pass proxy config into a sandboxed agent to have it proxy requests through Agent Vault that way.
npm install @infisical/agent-vault-sdk
```typescript import { AgentVault, buildProxyEnv } from "@infisical/agent-vault-sdk";
const av = new AgentVault({ token: "YOUR_TOKEN", // agent token address: "http://localhost:14321", }); const session = await av .vault("my-vault") .sessions.create({ vaultRole: "proxy" });
// certPath is where you'll mount the CA certificate inside the sandbox. const certPath = "/etc/ssl/agent-vault-ca.pem";
// env: { HTTPS_PROXY, HTTP_PROXY, NO_PROXY, NODE_USE_ENV_PROXY, // SSL_CER
$ claude mcp add agent-vault \
-- python -m otcore.mcp_server <graph>