AgentStash stores your API keys and credentials with app-layer envelope encryption, and gives your agents scoped, audited access to them over MCP or the CLI. You decide which agent can read which secrets, in which trust boundaries — and revoke it in one click.
Per-trust-boundary keys wrap per-secret keys, all bound to your workspace with authenticated context. Delete a boundary and its secrets are crypto-shredded.
Every agent connects via OAuth 2.1 + PKCE and gets a grant scoped to specific boundaries and permissions (read / write / list). Revoke instantly.
Agents fetch secrets natively over MCP; the agentstash CLI logs in, lists, gets, and sets secrets, or injects them into a local process's environment.
Every read, write, and grant is written to a hash-chained per-workspace audit log you can verify.