LiveZero-knowledge

The credential store AI agents actually use.

Zero-knowledge. Edge-deployed. 30-second setup. Your secrets are encrypted before they leave your agent.

Get API Key — Free →Read the Docs

The state of agent credentials today

The AI agent ecosystem has a secrets problem. And nobody is solving it.

92%of MCP servers store secrets in plaintext config files

~0AI agent frameworks include a credential primitive — they recommend "use .env files"

6 moaverage enterprise secrets manager rollout — requires sales call, IAM policy, ops team

Your agent deserves better. The bar is low — and we clear it in 30 seconds.

How it works

Four steps. One of them is our server. The rest happen inside your agent.

Your agent encrypts locally

Call VaultCrypto.encrypt("sk-proj-abc123", "openai-key"). The plaintext never leaves your process.

Encrypted blob hits our API

PUT /v1/vault/openai-key — we receive ciphertext. Opaque, meaningless without your seed.

We store opaque ciphertext

Server stores: aeGx8kF... — meaningless without your seed. We literally cannot read it.

Your agent retrieves and decrypts

GET /v1/vault/openai-key returns the blob. You call vault.decrypt(). You get your secret back.

Why send your credentials to us?

A fair question. Here's the honest answer — backed by cryptography, not promises.

🔒

Zero-knowledge: we store gibberish

Your secret enters as plaintext inside your process. It leaves as an encrypted blob. Our server receives and stores opaque ciphertext — bytes that are meaningless without your seed. There is no master decryption key on our end. We cannot read your secrets even if we wanted to.

📖

Open-source crypto — verify it yourself

The encryption library is public. Read the code, run the tests, fork it. AES-256-GCM + HKDF-SHA-256. Built on the Web Crypto API with zero external dependencies. Don't trust our description — audit the implementation.

github.com/piiiico/agentlair-vault-crypto →

📋

Every access logged

Every GET, PUT, and DELETE is recorded with a timestamp and your agent's identity. Full audit trail — you see exactly who accessed what and when. Nothing happens silently.

Get started in 30 seconds

Pick your language:

agent.ts

// Install: bun add @agentlair/vault-crypto  (or npm, pnpm, yarn)
import { VaultCrypto } from '@agentlair/vault-crypto';

// One-time setup (30 seconds)
const apiKey = await fetch('https://api.agentlair.dev/v1/auth/keys', {
  method: 'POST'
}).then(r => r.json()).then(r => r.api_key);

const seed = VaultCrypto.generateSeed();  // save this!
const vault = VaultCrypto.fromSeed(seed);

// Store a secret
const ciphertext = await vault.encrypt('sk-proj-abc123', 'openai');
await fetch('https://api.agentlair.dev/v1/vault/openai', {
  method: 'PUT',
  headers: {
    'Authorization': `Bearer ${apiKey}`,
    'Content-Type': 'application/json',
  },
  body: JSON.stringify({ ciphertext }),
});

// Retrieve it — from any agent, anywhere
const { ciphertext: stored } = await fetch(
  'https://api.agentlair.dev/v1/vault/openai',
  { headers: { 'Authorization': `Bearer ${apiKey}` } }
).then(r => r.json());

const secret = await vault.decrypt(stored, 'openai');
// secret === 'sk-proj-abc123'

npm: @agentlair/vault-crypto · GitHub · AES-256-GCM + HKDF-SHA-256. Zero dependencies.

Works with your framework

Vault is a REST API. It works with everything that can make an HTTP request.

LangChainLangGraphCrewAIAutoGenMCP ServersMastraClaude SDKOpenAI AgentsAny HTTP client

Building a framework integration? Open a PR →

Key features

Version history

Every PUT auto-increments version. Roll back with ?version=N. Old versions retained at tier limits.

Email recovery

Metadata

Attach labels, algorithm hints, and agent IDs to each secret. Stored in plaintext for operational use.

Agent-native payments

Agents pay per-request via HTTP 402 + USDC on Base when free-tier limits are hit. No human billing needed.

Pricing

Free

✓10 secrets
✓3 versions per secret
✓16 KB per value
✓100 API calls/day
✓Email recovery
✓No credit card required

Starter

Popular

$29 /month

✓50 secrets
✓10 versions per secret
✓32 KB per value
✓1,000 API calls/day
✓5 agent email addresses
✓Email support

Pro

$149 /month

✓500 secrets
✓100 versions per secret
✓64 KB per value
✓10,000 API calls/day
✓50 agent email addresses
✓x402 autonomous payments
✓Priority support

Free tier is permanent — no expiry, no bait-and-switch. See full pricing →
Autonomous agents: x402 payments available — agents pay per-call at $0.001/request. Security details →

Security model

Built on cryptographic primitives, not trust. Open-source, auditable, edge-deployed.

✓Client-side encryption (AES-256-GCM)

✓Per-key derivation (HKDF-SHA-256)

✓API keys hashed server-side (SHA-256)

✓Zero-knowledge: server stores opaque blobs

✓Single-use recovery tokens (15 min TTL)

✓Edge-deployed on Cloudflare (200+ PoPs)

✓Open-source crypto library (npm)

✓Built on Web Crypto API (no dependencies)

Read the full security architecture →

Why not just use…?

vs AWS / GCP Secrets Manager

They see your plaintext. Require IAM setup (~1 hour). We take 30 seconds and never see your secrets.

vs HashiCorp Vault

Requires server setup (~1 day). Needs unseal keys, ops team, enterprise license. We're a single PUT request away from running.

vs Infisical

Server decrypts your secrets. Dashboard required. We store opaque blobs we literally cannot read.

vs .env files

Gone when the container dies. No recovery. No versioning. No audit trail. No encryption.

vs openclaw.json

Claude SDK stores config and credentials in openclaw.json — plaintext on disk. One leaked file exposes everything. Vault gives your Claude agents encrypted secrets from day one.

API reference

Method	Endpoint	Description
`POST`	`/v1/auth/keys`	Create account (no auth needed)
`GET`	`/v1/vault/`	List all keys (metadata, no ciphertext)
`PUT`	`/v1/vault/{key}`	Store encrypted blob (body: {"ciphertext", "metadata?"})
`GET`	`/v1/vault/{key}`	Retrieve secret (?version=N for specific version)
`DELETE`	`/v1/vault/{key}`	Delete all versions (?version=N for one)
`POST`	`/v1/vault/recovery-email`	Register recovery email + encrypted seed

Tier limits

	Free	Starter ($29/mo)	Pro ($149/mo)
Secrets	10 keys	50 keys	500 keys
Version history	3 per key	10 per key	100 per key
Max blob size	16 KB	32 KB	64 KB
API requests/day	100	1,000	10,000
Recovery emails	1	2	3

The credential store AI agents actually use.

Free tier. No credit card. No IAM. No human setup.

Get API Key — Free →Security details

API reference · Dashboard · npm · GitHub

Explore more

Get API Key — Free

Create an account in 30 seconds. No credit card, no IAM, no human setup.

Security Details

Read the full security architecture — cryptographic primitives, not trust.

Framework Integrations

LangChain, CrewAI, Vercel AI SDK, Claude MCP — works with everything.

Agent Email

Give your agents a real email address. Claim @agentlair.dev in 30 seconds.