A secrets vault for AI agents.

AgentStash stores your API keys and credentials with app-layer envelope encryption, and gives your agents scoped, audited access to them over MCP or the CLI. You decide which agent can read which secrets, in which trust boundaries — and revoke it in one click.

Envelope encryption

Per-trust-boundary keys wrap per-secret keys, all bound to your workspace with authenticated context. Delete a boundary and its secrets are crypto-shredded.

Scoped OAuth grants

Every agent connects via OAuth 2.1 + PKCE and gets a grant scoped to specific boundaries and permissions (read / write / list). Revoke instantly.

MCP & CLI access

Agents fetch secrets natively over MCP; the agentstash CLI logs in, lists, gets, and sets secrets, or injects them into a local process's environment.

Tamper-evident audit

Every read, write, and grant is written to a hash-chained per-workspace audit log you can verify.
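
How verification of a hash-chained audit log like the one described above can work, as an added example that is not AgentStash's own code. The entry layout, field names, use of SHA-256, and the all-zero genesis value are assumptions made for illustration.

```python
import copy
import hashlib
import json

GENESIS = "0" * 64  # assumed anchor value for the first entry's "prev"

# Constructed sample events, not real AgentStash log records.
SAMPLE_EVENTS = [
    {"action": "grant", "actor": "agent-a", "boundary": "prod", "perms": ["read"]},
    {"action": "read", "actor": "agent-a", "secret": "STRIPE_KEY"},
    {"action": "revoke", "actor": "admin", "grant_for": "agent-a"},
]

def entry_hash(prev, workspace, seq, event):
    # Canonical JSON so the same entry always hashes to the same digest.
    body = json.dumps({"prev": prev, "workspace": workspace, "seq": seq, "event": event},
                      sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(body.encode("utf-8")).hexdigest()

def append(log, workspace, event):
    """Append an event linked to the previous entry; return the new head hash."""
    prev = log[-1]["hash"] if log else GENESIS
    seq = len(log)
    log.append({"seq": seq, "workspace": workspace, "event": copy.deepcopy(event),
                "prev": prev, "hash": entry_hash(prev, workspace, seq, event)})
    return log[-1]["hash"]

def verify(log, workspace, expected_head=None):
    """Return (ok, index of first bad entry or None)."""
    prev = GENESIS
    for i, e in enumerate(log):
        linked = e["seq"] == i and e["workspace"] == workspace and e["prev"] == prev
        if not linked or e["hash"] != entry_hash(prev, workspace, i, e["event"]):
            return False, i
        prev = e["hash"]
    # Dropping entries from the tail leaves a valid chain; only a head hash
    # kept outside the log store reveals that kind of truncation.
    if expected_head is not None and prev != expected_head:
        return False, len(log)
    return True, None

def build_sample(workspace="ws-demo"):
    log, head = [], GENESIS
    for event in SAMPLE_EVENTS:
        head = append(log, workspace, event)
    return log, head

if __name__ == "__main__":
    log, head = build_sample()
    print(verify(log, "ws-demo", head))
    log[1]["event"]["secret"] = "OTHER_KEY"  # in-place edit of a past entry
    print(verify(log, "ws-demo", head))
```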
