Documentation

Everything you need to secure your AI agent credentials with AgentKeys.

Quick Start

Get your first agent proxying secrets in under 2 minutes.

1. Create an account

Sign up at https://app.agentkeys.io and create a workspace. You'll get a workspace API key automatically.

2. Add a credential

Go to Credentials and click Add Credential. Choose the auth type (API Key, Cookie, Basic Auth, etc.) and paste your secret. It's encrypted immediately with AES-256-GCM.

3. Create an agent & assign credential

Go to Agents, create an agent, then click Assign Credential. This generates a proxy token (starts with pxr_). Save it — it's shown only once.

4. Make a proxy call

Send a request through the AgentKeys proxy:

Terminal
curl -X POST http://localhost:3004/v1/proxy \
  -H "Authorization: Bearer pxr_YOUR_PROXY_TOKEN" \
  -H "X-Target-Url: https://api.openai.com/v1/chat/completions" \
  -H "Content-Type: application/json" \
  -d '{"model": "gpt-4o", "messages": [{"role": "user", "content": "Hello!"}]}'

AgentKeys decrypts the real credential, injects it into the request headers, forwards to the target API, and returns the response. Your agent never touches the real secret.

Core Concepts

Workspace

A workspace is your organization. It contains credentials, agents, and audit logs. Each workspace has its own encryption master key and API key.

Credential

A secret stored in AgentKeys — API key, OAuth token, password, cookies, or headers. Encrypted with AES-256-GCM at rest. The plaintext is never stored.

Agent

Represents your AI tool, bot, or script. Each agent can be assigned specific credentials and receives a unique proxy token for each one.

Proxy Token

A unique token (prefixed pxr_) that maps to one credential + one agent. The agent uses this token to make API calls through the proxy. The real credential is resolved and injected at request time.

Credential Types

API Key

API_KEY

A single secret sent as Authorization: Bearer header. Works with OpenAI, Stripe, Resend, and most APIs.

Authorization: Bearer <key>

Cookie

COOKIE

Browser cookies for services without API keys — Twitter/X, LinkedIn, etc. Supports paste-all mode for easy import from DevTools.

Cookie: name=value; name2=value2

Basic Auth

BASIC_AUTH

Username + password pair for Jira, Twilio, Jenkins, Elasticsearch, and enterprise tools.

Authorization: Basic base64(user:pass)

Custom Headers

CUSTOM_HEADER

One or more custom HTTP headers. For Anthropic (x-api-key), Cloudflare, Supabase, and APIs with non-standard auth.

Custom header key-value pairs injected as-is

Query Parameter

QUERY_PARAM

Auth value appended to URL. Used by Google Maps, Telegram Bot API, and legacy APIs.

?key=value appended to target URL

Proxy API

All requests go through a single endpoint:

POST http://localhost:3004/v1/proxy

Headers

HeaderRequiredDescription
AuthorizationBearer pxr_... — proxy token
X-Target-UrlTarget API URL to forward to
X-Target-MethodOverride HTTP method (defaults to request method)
Content-TypePassed through to the target API

All other headers (except Host) are passed through to the target.

How it works

  1. Agent sends request with pxr_ proxy token
  2. AgentKeys validates the token and resolves the credential
  3. Real credential is decrypted (AES-256-GCM)
  4. Credential is injected into the request headers
  5. Request is forwarded to the target API
  6. Response is returned to the agent
  7. Request is logged in the audit trail

Examples

OpenAI:

curl
curl -X POST http://localhost:3004/v1/proxy \
  -H "Authorization: Bearer pxr_openai_abc123" \
  -H "X-Target-Url: https://api.openai.com/v1/chat/completions" \
  -H "Content-Type: application/json" \
  -d '{"model": "gpt-4o", "messages": [{"role": "user", "content": "Hello!"}]}'

Resend (email):

curl
curl -X POST http://localhost:3004/v1/proxy \
  -H "Authorization: Bearer pxr_resend_def456" \
  -H "X-Target-Url: https://api.resend.com/emails" \
  -H "Content-Type: application/json" \
  -d '{"from": "hi@yourdomain.com", "to": "user@example.com", "subject": "Hello", "text": "Hello!"}'

GitHub (GET request):

curl
curl http://localhost:3004/v1/proxy \
  -H "Authorization: Bearer pxr_github_ghi789" \
  -H "X-Target-Url: https://api.github.com/user/repos" \
  -H "X-Target-Method: GET"

OAuth Connect

Connect services with one click. AgentKeys handles the OAuth flow, stores tokens encrypted, and auto-refreshes them before expiry.

GitHub
Google
Twitter / X
Slack
Notion
Linear
Discord
HubSpot

To connect, go to Credentials → Connect OAuth and select a provider. You'll be redirected to authorize, then the token is automatically saved and encrypted.

SDKs

TypeScript

install
npm install @agentkeys/sdk
usage.ts
import { AgentKeys } from "@agentkeys/sdk";

const ak = new AgentKeys({ proxyUrl: "http://localhost:3004" });

const res = await ak.proxy("pxr_YOUR_TOKEN", {
  url: "https://api.openai.com/v1/chat/completions",
  method: "POST",
  body: { model: "gpt-4o", messages: [{ role: "user", content: "Hello!" }] },
});

console.log(res.data);

Python

install
pip install agentkeys
usage.py
from agentkeys import AgentKeys

ak = AgentKeys(proxy_url="http://localhost:3004")

res = ak.proxy(
    token="pxr_YOUR_TOKEN",
    url="https://api.openai.com/v1/chat/completions",
    method="POST",
    body={"model": "gpt-4o", "messages": [{"role": "user", "content": "Hello!"}]},
)

print(res.json())

MCP Server

Use AgentKeys with Claude Desktop, OpenClaw, Cursor, Windsurf, or any MCP-compatible agent.

claude_desktop_config.json
{
  "mcpServers": {
    "agentkeys": {
      "command": "npx",
      "args": ["@agentkeys/mcp"],
      "env": {
        "AGENTKEYS_PROXY_URL": "http://localhost:3004",
        "AGENTKEYS_TOKEN": "pxr_YOUR_TOKEN"
      }
    }
  }
}

Once configured, your AI agent can make API calls through AgentKeys without ever seeing real credentials.

OpenClaw Integration

OpenClaw is an autonomous AI agent platform. With the AgentKeys skill, your OpenClaw agent can securely proxy API calls without ever seeing real credentials.

Install the skill

Terminal
clawhub install agentkeys

Or manually: download the skill folder into your OpenClaw workspace at skills/agentkeys/.

Configure

Add the following to your OpenClaw workspace .env or TOOLS.md:

.env
AGENTKEYS_PROXY_URL=http://localhost:3004
AGENTKEYS_TOKEN=pxr_YOUR_PROXY_TOKEN

The skill reads these values automatically and uses them when making proxied requests.

Usage

Once installed, just ask your agent to make API calls. The AgentKeys skill intercepts outgoing requests and routes them through the proxy:

Chat with your agent
You: Send an email via Resend to user@example.com
Agent: (uses AgentKeys proxy → Resend API) ✅ Email sent!

You: Get my GitHub repos
Agent: (uses AgentKeys proxy → GitHub API) Here are your repos...

Your agent never sees the real API keys. Everything is proxied through AgentKeys, encrypted, and logged in the audit trail.

Skill Marketplace

The AgentKeys skill is available on ClawHub — the OpenClaw skill marketplace. Install it with one command and start proxying credentials securely in minutes.

Security

Encryption at rest

All credentials encrypted with AES-256-GCM. Per-workspace master keys. Plaintext never stored in the database.

Proxy tokens are hashed

Proxy tokens are SHA-256 hashed in the database. Even if the DB is compromised, tokens can't be reversed.

Zero-knowledge proxy

Credentials are decrypted only in memory at request time. They're never logged, cached, or written to disk.

Full audit trail

Every proxied request is logged: agent identity, target URL, HTTP method, status code, latency, and timestamp.

Instant revocation

Revoke any credential or agent assignment instantly from the dashboard. Takes effect immediately.

Limits & Pricing

PlanCredentialsAgentsRequests/moPrice
Free31100$0
Starter25510,000$19/mo
Pro10025100,000$79/mo
Scale500100500,000$199/mo
EnterpriseUnlimitedUnlimitedUnlimitedCustom