Agent Vault for AI Agents in Production

If you are letting agents call GitHub, cloud APIs, incident tools, or internal services, you have a secret-handling problem. Most agent setups still hand tokens directly to the process through environment variables or config files. That is simple, but it also means a prompt injection, bad tool call, or sandbox escape can leak the exact credentials you were trying to protect. Agent Vault takes a more useful approach for operators: the agent never receives the secret in the first place.
What Is Agent Vault?
Agent Vault is an open source HTTP credential proxy and vault from Infisical. Instead of returning secrets to the caller, it creates a scoped session and routes outbound API traffic through a local proxy. The proxy injects the right credentials at the network layer, then forwards the request upstream.
That design matters for SRE and platform teams because the threat model around agents is different from traditional automation. Agents are non-deterministic, they can be steered by hostile input, and they often touch many systems during a single workflow. A brokered access layer is a better fit than raw secret retrieval.
Key Features
- Brokered access instead of secret retrieval: agents talk to target APIs normally while Agent Vault injects credentials behind the scenes.
- Works with common agent tooling: the project explicitly supports local agents and coding tools such as Claude Code, Cursor, and Codex.
- Encrypted local storage: credentials are encrypted with AES-256-GCM, with optional master-password protection using Argon2id-wrapped keys.
- Per-request audit logs: logs include method, host, path, status, latency, and credential key names, without recording request bodies, headers, or query strings.
- Container sandbox support: agents can be launched in a container with egress locked down so they can reach only the proxy.
Installation
The fastest path is the install script:
curl -fsSL https://get.agent-vault.dev | sh
agent-vault server -d
You can also run it with Docker:
docker run -d \
-p 14321:14321 \
-p 14322:14322 \
-e AGENT_VAULT_MASTER_PASSWORD=change-me \
-v agent-vault-data:/data \
infisical/agent-vault
By default, the HTTP API listens on 14321 and the TLS proxy listens on 14322.
Usage
For a local agent process, the basic model is simple. Start the server, define a vault and role, then launch the agent through Agent Vault so it receives scoped proxy settings instead of raw credentials.
agent-vault server -d
agent-vault run -- codex
Once wrapped, the agent calls APIs as usual. For example, it can send traffic to https://api.github.com/... while the proxy handles authentication. The secret never needs to appear in the agent's environment or prompt context.
For stronger isolation, Agent Vault can start the agent inside a container sandbox:
agent-vault run --sandbox=container --share-agent-dir -- claude
That is especially relevant for platform teams experimenting with higher-autonomy workflows. If the child process can only reach the proxy, secret exfiltration becomes much harder even when the model behaves badly.
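To make the brokered-access model concrete, here is a small added illustration in Python of what "inject credentials at the network layer and log only safe fields" looks like. It is not Agent Vault's code: Role, Session, broker and fake_upstream are assumed names, the token value is a placeholder, and the upstream API is simulated so it runs offline.

```python
import time
from dataclasses import dataclass, field
from urllib.parse import urlsplit


@dataclass
class Role:
    # Constructed model of a scoped role: host -> (credential key name, Authorization value).
    name: str
    credentials: dict


@dataclass
class Session:
    role: Role
    audit_log: list = field(default_factory=list)


def fake_upstream(method, url, headers):
    # Stand-in for the real API: succeeds only if the proxy attached an Authorization header.
    return 200 if headers.get("Authorization") else 401


def broker(session, method, url, upstream=fake_upstream):
    """Forward one agent request. The agent supplies method and URL only and
    never sees the credential; the audit entry records method, host, path,
    status, latency and the credential key name, not bodies, headers or query."""
    parts = urlsplit(url)
    start = time.monotonic()
    cred = session.role.credentials.get(parts.hostname)
    if cred is None:
        key_name, status = None, 403  # host outside the role: refuse, inject nothing
    else:
        key_name, value = cred
        status = upstream(method, url, {"Authorization": value})
    session.audit_log.append({
        "method": method, "host": parts.hostname,
        "path": parts.path,  # query string deliberately dropped
        "status": status,
        "latency_ms": round((time.monotonic() - start) * 1000, 3),
        "credential": key_name,  # key name only, never the value
    })
    return status


if __name__ == "__main__":
    # Constructed sample role: may read GitHub using one named token (placeholder value).
    session = Session(Role("github-reader",
                           {"api.github.com": ("GITHUB_TOKEN", "Bearer ghp_PLACEHOLDER")}))
    print(broker(session, "GET", "https://api.github.com/repos/o/r/issues?state=open"))  # 200
    print(broker(session, "GET", "https://other.example/v1/data"))  # 403, host not in role
    print(session.audit_log)
```

The second call shows the other half of the model: a host the role does not cover gets refused before any credential is touched, and the audit entry still records the attempt without a key name.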
Operational Tips
Treat Agent Vault as one layer, not the whole control plane. You still want narrow roles, short-lived sessions, outbound allowlists, and clear audit review. The project is in active development, so test it in staging before wiring it into production agent pipelines.
A practical rollout pattern is to start with one low-risk integration such as GitHub issue reads or internal documentation APIs. Once the proxy path is stable, add more sensitive tools and combine it with sandboxing and approval gates.
Conclusion
Agent Vault is one of the more interesting new projects in agent security because it changes the default secret model. Instead of trusting the agent with credentials and hoping prompts stay clean, it brokers access so the agent can do useful work without ever seeing the keys. For SRE and platform teams building real automation around AI, that is the kind of boundary worth adding early.
Akmatori helps SRE teams automate incident response, route operational context, and keep AI-driven workflows under control. If you are building agent-based operations, explore Akmatori and Gcore to put those workflows on a stronger production footing.
