VaultAgent - Secure Secret Management for AI Coding Agents

██╗   ██╗ █████╗ ██╗   ██╗██╗  ████████╗
██║   ██║██╔══██╗██║   ██║██║  ╚══██╔══╝
██║   ██║███████║██║   ██║██║     ██║
╚██╗ ██╔╝██╔══██║██║   ██║██║     ██║
 ╚████╔╝ ██║  ██║╚██████╔╝███████╗██║
  ╚═══╝  ╚═╝  ╚═╝ ╚═════╝ ╚══════╝╚═╝

┌───┐ ┌───┐ ┌───┐ ┌───┐ ┌───┐
│ A ├─┤ G ├─┤ E ├─┤ N ├─┤ T │
└───┘ └───┘ └───┘ └───┘ └───┘

·:·:· SECURE SECRET MANAGEMENT ·:·:·

AI agents need secrets. They shouldn't see them.

// zero-knowledge encryption, scoped sessions, full audit trails

┌──────────────────┬──────────────────┬──────────────────┐

└──────────────────┴──────────────────┴──────────────────┘

┌─────────────────────────────────────────────────────────────────────────────┐
│  YOUR SECRETS                                                      [+] ADD  │
├─────────────────────────────────────────────────────────────────────────────┤

YOUR SECRETS[+] ADD

[/]OPENAI_API_KEY***************k4Fj2 min ago

[/]DATABASE_URL***************543215 min ago

[x]STRIPE_SECRET***************test1 hour ago

└─────────────────────────────────────────────────────────────────────────────┘

┌─────────────────────────────────────────────────────────────────────────────┐
│  ADD NEW SECRET                                                             │
├─────────────────────────────────────────────────────────────────────────────┤

ADD NEW SECRET

NAME:>█

VALUE:>

└─────────────────────────────────────────────────────────────────────────────┘

// HOW IT WORKS

┌─────────────────────────────────────────────────────────────────────────────┐
│                                                                             │
│    YOU                    VAULTAGENT                    AI AGENT            │
│     │                         │                            │                │
│     │  1. Store secrets       │                            │                │
│     │  ─────────────────────> │  (encrypted client-side)   │                │
│     │                         │                            │                │
│     │  2. Create session      │                            │                │
│     │  ─────────────────────> │  (scoped, time-limited)    │                │
│     │                         │                            │                │
│     │                         │  3. Inject to env          │                │
│     │                         │  ─────────────────────────>│                │
│     │                         │                            │                │
│     │                         │     Agent uses secrets     │                │
│     │                         │     (never sees values)    │                │
│     │                         │                            │                │
│     │  4. Full audit log      │                            │                │
│     │  <───────────────────── │                            │                │
│                                                                             │
└─────────────────────────────────────────────────────────────────────────────┘

Store secrets

encrypted client-side

Create session

scoped, time-limited

Agent uses secrets

never sees actual values

Full audit log

track every access

// FEATURES

┌───────────────────────────┐
│                           │
│    [/] ZERO-KNOWLEDGE     │
│                           │
│  Secrets encrypted        │
│  client-side. Server      │
│  never sees plaintext.    │
│                           │
└───────────────────────────┘

┌───────────────────────────┐
│                           │
│    [~] SCOPED SESSIONS    │
│                           │
│  Time-limited access.     │
│  Agents only see what     │
│  you explicitly allow.    │
│                           │
└───────────────────────────┘

┌───────────────────────────┐
│                           │
│    [>] FULL AUDIT         │
│                           │
│  Know exactly what        │
│  was accessed, when,      │
│  and by which agent.      │
│                           │
└───────────────────────────┘

[/] ZERO-KNOWLEDGE

Secrets encrypted client-side. Server never sees plaintext.

[~] SCOPED SESSIONS

Time-limited access. Agents only see what you explicitly allow.

[>] FULL AUDIT

Know exactly what was accessed, when, and by which agent.

// PRICING

┌─────────────────────────────────┐
│                                 │
│      ┌─────┐                    │
│      │  F  │   FREE             │
│      └─────┘                    │
│                                 │
│      $0/forever                 │
│                                 │
│      [/] 1 vault                │
│      [/] 10 secrets             │
│      [/] 50 sessions/day        │
│      [x] Audit export           │
│      [x] Team features          │
│                                 │
│     ┌─────────────────────┐     │
│     │   CURRENT PLAN      │     │
│     └─────────────────────┘     │
│                                 │
└─────────────────────────────────┘

╔═════════════════════════════════╗
║   * * * RECOMMENDED * * *       ║
║                                 ║
║      ╔═════╗                    ║
║      ║ PRO ║   PRO              ║
║      ╚═════╝                    ║
║                                 ║
║      $9/month                   ║
║                                 ║
║      [/] 5 vaults               ║
║      [/] 100 secrets            ║
║      [/] Unlimited sessions     ║
║      [/] Audit export           ║
║      [x] Team features          ║
║                                 ║

║     ╔═════════════════════╗     ║
║     ║  [>] UPGRADE NOW    ║     ║
║     ╚═════════════════════╝     ║

║                                 ║
╚═════════════════════════════════╝

FREE$0

[/] 1 vault

[/] 10 secrets

[/] 50 sessions/day

[x] Audit export

CURRENT PLAN

* * * RECOMMENDED * * *

PRO$9/mo

[/] 5 vaults

[/] 100 secrets

[/] Unlimited sessions

[/] Audit export

[>] UPGRADE NOW

╔═════════════════════════════════════════════════════════════════════════════╗
║  TEAM $29/mo                           ENTERPRISE $99/mo                    ║
║  ───────────                           ─────────────────                    ║
║  [/] 20 vaults                         [/] Unlimited vaults                 ║
║  [/] 500 secrets                       [/] Unlimited secrets                ║
║  [/] Team sharing                      [/] SSO integration                  ║
║  [/] Role-based access                 [/] Compliance reports               ║
║                                                                             ║

║                           [>] SEE PRICING                                   ║

╚═════════════════════════════════════════════════════════════════════════════╝

[>] SEE ALL PLANS (Team $29/mo, Enterprise $99/mo)

// INTEGRATIONS

┌─────────────────────────────────────────────────────────────────────────────┐
│                                                                             │
│  [/] CLAUDE CODE     [/] CURSOR          [/] WINDSURF                       │
│  [/] AIDER           [/] GITHUB COPILOT  [/] CONTINUE                       │
│                                                                             │
├─────────────────────────────────────────────────────────────────────────────┤
│                                                                             │
│  $ npm i -g vaultagent                                                      │
│  $ vaultagent run <session-token> -- claude                                 │
│  > [/] 3 secrets decrypted + injected. Launching claude...                  │
│                                                                             │
└─────────────────────────────────────────────────────────────────────────────┘

CLAUDE CODE [/]

CURSOR [/]

WINDSURF [/]

AIDER [/]

GITHUB COPILOT [/]

CONTINUE [/]

$ npm i -g vaultagent

$ vaultagent run <token> -- claude

> [/] 3 secrets decrypted + injected

// THREAT MODEL

┌─────────────────────────────────────────────────────────────────────────────┐
│  WITHOUT VAULTAGENT                    WITH VAULTAGENT                      │
├─────────────────────────────────────────────────────────────────────────────┤
│                                                                             │
│  [!] API keys in .env files            [/] Keys encrypted client-side       │
│      Risk: leaked in git, logs             Never stored in plaintext        │
│                                                                             │
├─────────────────────────────────────────────────────────────────────────────┤
│                                                                             │
│  [!] Agent has permanent access        [/] Time-scoped sessions             │
│      Risk: compromised agent =             Access auto-revokes              │
│      compromised secrets forever           Blast radius contained           │
│                                                                             │
├─────────────────────────────────────────────────────────────────────────────┤
│                                                                             │
│  [!] No visibility into usage          [/] Full audit trail                 │
│      Risk: can't detect misuse             Every access logged              │
│      or prove compliance                   Exportable for audits            │
│                                                                             │
└─────────────────────────────────────────────────────────────────────────────┘

[!] WITHOUT

Keys in .env files

[/] WITH

Encrypted client-side

[!] WITHOUT

Permanent agent access

[/] WITH

Time-scoped sessions

[!] WITHOUT

No usage visibility

[/] WITH

Full audit trail

// FAQ

[?] Can VaultAgent access my plaintext secrets?

    No. All encryption happens client-side with your master password.
    We only store encrypted blobs that we cannot decrypt.

[?] What happens when a session expires?

    The environment variables are automatically cleaned up.
    The agent loses access immediately with no manual intervention.

[?] Which AI coding agents are supported?

    Claude Code, Cursor, Windsurf, Aider, GitHub Copilot, and Continue.
    Any agent that reads environment variables works with VaultAgent.