FRESH

Hacker News

Home

Show HN: Agent Vault – Open-source credential proxy and vault for agents

147 points by dangtony98

by goodra7174

0 subcomment

The HTTPS_PROXY approach is clever — interface-agnostic credential brokering without modifying the agent itself.
We ran into the same problem from the infrastructure side. When you're running agent workloads on Kubernetes, the blast radius of a leaked credential scales with whatever the pod's ServiceAccount can reach. We ended up combining Cilium FQDN egress policies (agents can only call approved endpoints) with per-workload tool allowlists enforced at the CRD level. The network-level lockdown means even if the agent is prompt-injected, it physically cannot exfiltrate to an unauthorized domain.
Curious: have you tested AV with agents that make tool calls through MCP servers? The proxy would need to handle the MCP server's outbound requests too, not just the agent's direct calls.

by dangtony98

0 subcomment

T from Infisical here - Also forgot to mention that this is a research preview launch for Agent Vault and should be treated as such - experimental <<
Since the project is in active development, the form factor including API is unstable but I think it gives a good first glance into how we're thinking about secrets management for AI agents; we made some interesting architectural decisions along the way to get here, and I think this is generally on the right track with how the industry is thinking about solving credential exfiltration: thru credential brokering.
We'd appreciate any feedback; feel free also to raise issues, and contribute - this is very much welcome :)

by nghnam

0 subcomment

I like this idea.
I’ve always felt a bit uneasy about agents getting direct access to keys. Once they have them, it’s hard to know where those keys might go.
This feels cleaner to me. The agent does not need to see the real secrets. You still have to trust another layer, but that layer feels easier to control and reason about.

by wfinigan

1 subcomments

Love this. Our team has been frustrated that nothing like this exists. You run into this problem as soon as you start thinking seriously about capable cloud agents, but there was no generic solution. Existing options are either tied to a specific cloud vendor or protocol, like git or MCP. We had a design on the whiteboard for something like this when this release dropped in our laps--with lots of thoughtful choices we hadn't gotten to yet. Thank you Tony and team.
Would the proxy as designed double as a domain-based allowlist, separate from the credential brokering?

by sandeepkd

1 subcomments

This is a good start, it does covers gaps in certain areas. There are few more areas I can think of
1. The end point matters, example if the credential is OAuth2 token and service has a token refresh endpoint then the response would have a new token in the payload reaching directly to the agent
2. Not all the end points are made the same even on the service side, some may not even require credential, the proxy may end up leaking the credential to such endpoints
3. The proxy is essentially doing a MITM at this point, it just increased its scope to do the certificate validation as well, to do it correctly is a hard problem
4. All credentials are stored on a machine, it requires a lot more access & authorization framework in terms of who can access the machine now. One might think that they closed a security gap and soon they realize that they opened up couple more in that attempt

by gregw2

1 subcomments

I have a related question, is anyone developing standards on how agents can proxy the requestor identity to backend database or application layers? (short lived oauth tokens perhaps, not long lived credentials like the ShowHN seems to focus on?)

by dbuxton

1 subcomments

From the comments looks like lots of people looking at this problem from different angles.
We (harriethq.com) also have a somewhat similar insight, which is that setting up connectors is a drag for non-technical users, and a lot of systems don't support per-user connectivity so need an API shim.
The thing I like about this (Agent Vault) approach is that it's more extensible than what we're offering, which is a full managed service. But we've found that some features (e.g. ephemeral sandboxes to execute arbitrary e.g. uvx/npx based mcps) are just a big pain to self-deploy so it's easier for us to provide a service that just works out of the box.
Kudos to the team, this looks great and I'm looking forward to playing with it

by 10keane

2 subcomments

been thinking about this exact problem for a while. my own setup uses OS keyring with a <secret:name> token substitution pattern — the agent requests a credential by name, the substitution happens at execution time, the LLM never sees the raw value in context or logs. works reasonably well.
but the problem with that model is it's static protection. if the agent process itself becomes hostile or gets prompt-injected, keyring doesn't really help — it can still request the secret and get it, it just doesn't see it in the context window.
the shift i've been landing on and building into Orbital(my own project) is that it's less about blocking credential access and more about supervising it. you want to know exactly when and why the agent is requesting something, and have the ability to approve or deny in the moment. pre-set policies are hard because you genuinely can't anticipate what tools an agent will call before it runs — claude code might use curl, bash, or a completely random command depending on the problem. the approval needs to happen at runtime, not preset.
the proxy model here is interesting because it creates a natural supervision boundary. curious whether you're planning runtime approval flows or if the design stays policy-based.

by rmorlok

0 subcomment

I really like the approach you've taken of providing an egress proxy. That let's you do a lot of things that layer around providing gaurdrails and auditing. I've been taking a similar approach on an open source embedded iPaaS project I've been working on where it primarily offers an authenticating egress proxy to whatever business logic needs it (agent, sync engine, etc).
https://github.com/rmorlok/authproxy

by hebetude

1 subcomments

It’s an idea that obfuscates keys a bit, but how are you going to prevent the agent from gaining access to the vault and keys itself? I’ve seen it reverse engineer many things to expose the underlying credentials. I can only think running this on a firewall that the agent can’t access to prevent escalation.

by mike-cardwell

1 subcomments

Does it work for websockets too, where the authentication is done in a websocket frame? Like for Home Assistant? Also, if the LLM manages to do something to reflect the authentication token back in a response, do you detect it and strip it out as an extra layer of protection?

by Unsponsoredio

1 subcomments

I like this direction.
Agents having direct access to credentials always felt a bit scary.
This seems cleaner, even if it just moves the trust somewhere else.

0 subcomment

by manojbajaj95

0 subcomment

Been tinkering with something of my own at https://github.com/manojbajaj95/authsome. Core goal was to do credential management, from an ease point of view and not security.

by hanyiwang

3 subcomments

This doesn't change the fact that you'd still be able to exfiltrate data like sure they don't get credentials but if they get the proxy auth key then they would also be able to make requests through it no?

by dandaka

1 subcomments

Can I use Infisical cloud vaults with Agent Vault? I like the UI of secret management there. I like that I can manage secrets from many environments in a single place.

by Jayakumark

4 subcomments

How is it different from Onecli ? And does it do credential stripping ? Will it support access SDK from Bitwarden and integrate with infiscal ?

0 subcomment

by andreypk

1 subcomments

It looks promising if I have a request to llm with secrets is it handle it as well?

by Bnjoroge

1 subcomments

infisical is great so excited to see this

by zackify

1 subcomments

Completely unaffiliated but I just installed executor.sh today and it looks almost exactly the same

by tatoalo

1 subcomments

Could this work (or planned) on gVisor-based sandboxes?

by tuananh

1 subcomments

how do you deal with "access to the proxy"? because one can access maliciously without accessing to the token/secret.

by whattheheckheck

1 subcomments

How do you solve for the agent signing up for a service and needing to save it and guaranteeing the credit wont go to the chat?

by cristianolivera

0 subcomment

by yujunjie

0 subcomment

[dead]

by danelliot

0 subcomment

[dead]

by foreman_

0 subcomment

[dead]

by Remi_Etien

0 subcomment

[dead]

by sergiopreira

0 subcomment

[dead]

by amd92

1 subcomments

[flagged]

by bayff

2 subcomments

Curious how you think about this meeting the agent-identity side. The proxy knows who's calling, but the callee (what agent lives at api.example.com, what auth it expects, what its card looks like) doesn't really have a home. Been poking at that half at agents.ml and it feels like the two pieces want to fit together