agentkeychain
Provides a zero-knowledge credential vault for AI agents, allowing secure storage, retrieval, and management of secrets with cross-agent delegation and tamper-evident audit.
README
agentkeychain
Agent-native zero-knowledge credential vault. CLI + MCP Server, single binary.
AI Agents need credentials. Users shouldn't be asked for API keys 50 times. agentkeychain treats agents as first-class identities with their own scopes, delegation, and tamper-evident audit — built on Argon2id, XChaCha20-Poly1305, and Ed25519.
For Humans (the only section you need)
You only need 4 commands. Everything else is for agents and power users.
agentkeychain init # One-time: set a master password (8+ chars, remember it!)
agentkeychain store # Add a new secret (it asks you: name? value? scope?)
agentkeychain get NAME # Retrieve a secret (prompts for master password)
agentkeychain list # See all stored secrets (metadata only, NEVER values)
That's it. Everything below is optional.
Real-world usage
# Step 1: Initialize (do this ONCE per machine)
$ agentkeychain init
Master password (min 8 chars): ********
✓ vault initialized
# Step 2: Store your first secret (just follow the prompts)
$ agentkeychain store
Name: openai
Value: ***(paste your key, input is hidden in real terminals)
Scope: openai:chat
✓ encrypted and stored: openai
# Step 3: Retrieve it when you need it
$ agentkeychain get openai
Master password: ********
***your key appears here***
# Step 4: See what you have
$ agentkeychain list
NAME VERSION SCOPES UPDATED
openai 1 openai:chat 2026-07-06 04:56:24
Talk to your agent instead
You don't even need to remember the commands. Just tell your agent:
- "I want to save this OpenAI key" → agent runs
agentkeychain storefor you - "Get my Cloudflare token" → agent runs
agentkeychain get cloudflare - "Show me all my stored keys" → agent runs
agentkeychain list - "Delete the old GitHub token" → agent runs
agentkeychain delete github
When the agent needs a credential to do work, it asks the vault, not you. You stay out of the loop.
What you NEVER do
- ❌ Paste API keys into chat messages, emails, READMEs, or
.envfiles you commit - ❌ Write keys in code comments
- ❌ Screenshot a key and send it
- ❌ Re-type the same key 50 times across different tools
If you find yourself pasting a key anywhere, stop and run agentkeychain store.
What it does
| CLI | agentkeychain init / store / get / list / delete / audit / issue-token / serve |
| MCP Server | 5 tools (akc_store, akc_get, akc_list, akc_delete, akc_audit) over stdio |
| Cross-agent delegate | Ed25519-signed time-limited scope-bounded tokens |
| Audit chain | Tamper-evident Ed25519 signature chain over every operation |
| Zero-knowledge | Master password never persisted; KEK derived via Argon2id on demand |
| Single binary | bun build --compile → 62 MB self-contained executable |
5-Minute Quickstart
Install
# Option 1: download single binary (Linux x64)
curl -L https://github.com/linsipeng/agentkeychain/releases/latest/download/agentkeychain-linux-x64 -o akc
chmod +x akc
mv akc /usr/local/bin/agentkeychain
# Option 2: from source
git clone https://github.com/linsipeng/agentkeychain.git
cd agentkeychain
bun install
bun run build # produces bin/agentkeychain-bin
First-time setup
agentkeychain init
# Master password: ******** (≥8 chars, never stored)
# → vault initialized at ~/.agentkeychain/
# → default identity: ak_xxx ("default")
# → ✓ master password saved to OS keychain (you'll never be asked again)
That's the only time you type the password. From now on, every
agentkeychain store / get / list / delete / audit command reads the password
transparently from your OS keychain. Zero prompts, forever.
Use the CLI
# Store an API key
agentkeychain store openai-key --value "sk-..." --scopes "openai:chat"
# Retrieve (decrypts on demand, prompted for master password)
agentkeychain get openai-key
# List (metadata only, never values)
agentkeychain list
# View audit log (Ed25519-signed entries, tamper-evident)
agentkeychain audit
Issue a delegate token (cross-agent)
# Main agent issues a time-limited, scope-bounded token for a sub-agent
agentkeychain issue-token \
--sub ak_subagent_xxx \
--scopes "openai:read,cloudflare:read" \
--ttl 1h
# Output: base64url-encoded JSON to stdout — pass via env var or pipe to sub-agent
TOKEN=$(agentkeychain issue-token --sub ak_sub --scopes openai:read --ttl 30m)
The sub-agent presents the token as the delegate_token argument when calling
MCP tools — verified offline against the issuer's Ed25519 public key without
touching the vault.
Use as MCP Server
Add to any MCP-compatible client (Claude Desktop, Hermes, Codex, IDE plugins):
{
"mcpServers": {
"agentkeychain": {
"command": "/usr/local/bin/agentkeychain",
"args": ["serve"]
}
}
}
The server exposes 5 tools:
| Tool | Description |
|---|---|
akc_store |
Encrypt + persist a secret (returns id, never the value) |
akc_get |
Decrypt + return a secret (scope-checked) |
akc_list |
List secret names (no values) |
akc_delete |
Remove a secret |
akc_audit |
Read the audit log (no secret material) |
Example from an agent:
// Store
await callTool("akc_store", {
name: "openai-key",
value: "sk-...",
scope: ["openai:write"],
});
// Retrieve later (scope-checked)
const result = await callTool("akc_get", { name: "openai-key" });
Commands
| Command | Description |
|---|---|
agentkeychain init |
Initialize vault, set master password, create default identity |
agentkeychain store <name> --value <v> --scopes "..." |
Encrypt and store a credential |
agentkeychain get <name> [--json] |
Decrypt and return a credential |
agentkeychain list [--json] |
List all credentials (metadata only) |
agentkeychain delete <name> |
Soft-delete a credential |
agentkeychain audit [--since 24h] |
Show audit log |
agentkeychain serve |
Start MCP server (stdio transport) |
agentkeychain issue-token --sub <id> --scopes "..." [--ttl 1h] |
Issue a cross-agent delegate token |
agentkeychain --version |
Print version |
Security model
- Argon2id (memory=64 MB, iterations=3) derives a KEK from master password
- XChaCha20-Poly1305 AEAD encrypts each secret independently
- Ed25519 signs audit entries + delegate tokens (offline-verifiable)
- Client-side only — server never sees plaintext; vault file is fully encrypted
- Zero-knowledge — master password is never written to disk
See ARCHITECTURE.md for the full threat model and competitor comparison (vs 1Password / Bitwarden / Infisical agent-vault).
Development
bun install # install deps
bun test # run all tests (33 tests)
bun run lint # eslint
bun run build # single-binary compile to bin/agentkeychain-bin
bun run typecheck # tsc --noEmit
CI runs on every push to main — see
.github/workflows/ci.yml.
Roadmap
- [ ] Apply to MCP Registry (Claude Desktop / Hermes / Codex)
- [ ] TPM-backed KEK unlock (hardware-bound master key)
- [ ]
agentkeychain shell— REPL for multi-command workflows - [ ] Cloud sync (end-to-end encrypted, optional)
- [ ] Team / enterprise: SSO + role delegation
License
MIT — see LICENSE.
Status
v0.1.0 — public alpha. Single binary works end-to-end. Breaking changes possible before v1.0.
推荐服务器
Baidu Map
百度地图核心API现已全面兼容MCP协议,是国内首家兼容MCP协议的地图服务商。
Playwright MCP Server
一个模型上下文协议服务器,它使大型语言模型能够通过结构化的可访问性快照与网页进行交互,而无需视觉模型或屏幕截图。
Magic Component Platform (MCP)
一个由人工智能驱动的工具,可以从自然语言描述生成现代化的用户界面组件,并与流行的集成开发环境(IDE)集成,从而简化用户界面开发流程。
Audiense Insights MCP Server
通过模型上下文协议启用与 Audiense Insights 账户的交互,从而促进营销洞察和受众数据的提取和分析,包括人口统计信息、行为和影响者互动。
VeyraX
一个单一的 MCP 工具,连接你所有喜爱的工具:Gmail、日历以及其他 40 多个工具。
graphlit-mcp-server
模型上下文协议 (MCP) 服务器实现了 MCP 客户端与 Graphlit 服务之间的集成。 除了网络爬取之外,还可以将任何内容(从 Slack 到 Gmail 再到播客订阅源)导入到 Graphlit 项目中,然后从 MCP 客户端检索相关内容。
Kagi MCP Server
一个 MCP 服务器,集成了 Kagi 搜索功能和 Claude AI,使 Claude 能够在回答需要最新信息的问题时执行实时网络搜索。
e2b-mcp-server
使用 MCP 通过 e2b 运行代码。
Neon MCP Server
用于与 Neon 管理 API 和数据库交互的 MCP 服务器
Exa MCP Server
模型上下文协议(MCP)服务器允许像 Claude 这样的 AI 助手使用 Exa AI 搜索 API 进行网络搜索。这种设置允许 AI 模型以安全和受控的方式获取实时的网络信息。