Agent Vault stops agents from ever seeing credentials
Infisical open-sourced Agent Vault yesterday and it is the cleanest answer yet to the question every enterprise asks before deploying agents: what if it gets prompt-injected and leaks our API keys? Answer: give the agent an HTTPS proxy and never let credentials into the agent process at all.
The architecture is elegant. The agent gets a scoped session token and a local HTTPS_PROXY endpoint. It calls target APIs like normal, and Agent Vault injects the actual credential at the network layer before forwarding the request upstream. Credentials stay inside the vault; the agent sees nothing. It uses AES-256-GCM encryption, an optional Argon2id master password, and per-vault request logging that captures method, host, path, status, and latency but never request bodies.
Works with Claude Code, Cursor, Codex, any custom agent, any sandboxed process. There is a TypeScript SDK for orchestrators running on Docker, E2B, or Daytona. And there is a container sandbox mode that makes non-cooperative isolation possible, meaning a child process literally cannot bypass the proxy no matter what it tries to do. 290 stars on day one, v0.10.0 on April 23. 71 percent Go, 27 percent TypeScript.
This is the fifth agent-security primitive to ship in three weeks after Capsule, Anthropic's CLI sanctioning, GoModel, CrabTrap, and Loomal. The pattern is now obvious: agent infrastructure is consolidating around audit and isolation as buying factors, not capability. When your agent can do anything, the question shifts from what it can do to what it cannot steal. Infisical just set the open-source reference architecture for credential-layer isolation.
https://github.com/Infisical/agent-vault