Give your agent the keys.
Not the kingdom.
Let AI agents access any API without leaking sensitive credentials. Users stay in control. Permissions are scoped, transparent, and revocable.
Credentials that flow. Control that stays.
Your agent gets exactly the access it needs — nothing more. Your users decide what to share, and can revoke it anytime.
Use keychains curl
Use keychains curl as a drop-in replacement for curl. The only difference: replace hard-coded credentials with template variables like {{OAUTH2_ACCESS_TOKEN}} or {{STRIPE_PRIVATE_KEY}}.
User approves access
When a new API scope is needed, the user sees exactly what the agent wants to do and approves with one click.
Credentials injected securely
Keychains injects the right credentials server-side. Your agent never sees the raw secrets — invisible to prompt injection.
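A conceptual sketch of the three steps above (template variable, user approval, server-side injection), added here as an example and not Keychains' own code. The vault layout, grant table, per-credential host binding, response scrubbing and all function names are assumptions for illustration, and the secret values are constructed.

```python
import re

PLACEHOLDER = re.compile(r"\{\{([A-Z0-9_]+)\}\}")

# Constructed sample state, held only on the proxy side (names and values hypothetical).
VAULT = {
    "STRIPE_PRIVATE_KEY": {"secret": "sk_test_CONSTRUCTED", "host": "api.stripe.com"},
    "OAUTH2_ACCESS_TOKEN": {"secret": "ya29.CONSTRUCTED", "host": "www.googleapis.com"},
}
# Placeholders the user has approved, per machine identity.
GRANTS = {"agent-1": {"STRIPE_PRIVATE_KEY"}}


class ApprovalRequired(Exception):
    """The user has not (or no longer) approved this credential for this machine."""


class HostMismatch(Exception):
    """The credential is bound to a different API host than the request targets."""


def inject(machine_id, host, headers):
    """Return a copy of headers with {{NAME}} placeholders resolved for the upstream call."""
    approved = GRANTS.get(machine_id, set())

    def resolve(match):
        name = match.group(1)
        entry = VAULT.get(name)
        if entry is None or name not in approved:
            raise ApprovalRequired(name)   # would trigger the consent prompt
        if entry["host"] != host:
            raise HostMismatch(name)       # never send a secret to another host
        return entry["secret"]

    return {k: PLACEHOLDER.sub(resolve, v) for k, v in headers.items()}


def scrub(machine_id, body):
    """Redact approved secrets from an upstream response before the agent sees it."""
    for name in GRANTS.get(machine_id, set()):
        body = body.replace(VAULT[name]["secret"], "{{" + name + "}}")
    return body


def revoke(machine_id, name):
    """Drop a grant; the next call using the placeholder raises ApprovalRequired."""
    GRANTS.get(machine_id, set()).discard(name)
```

The agent only ever handles the `{{...}}` form; the resolved header exists solely on the proxy-to-provider leg, and `scrub` covers upstreams that echo request headers back in the response.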
Security isn't a feature. It's the product.
Built from the ground up for a world where AI agents handle your most sensitive data.
SSH Key Identity
Every machine authenticates via SSH keypairs. No passwords. No API keys in your agent's environment.
Stateful Fingerprinting
Machines exchange fingerprints with every call. Leaked keys are invalidated on first use.
Full Transparency
Users see every permission granted. Every agent. Every task. Full audit trail.
Instant Revocation
Revoke any machine's access with one click. No waiting. No grace periods.
6,800+ API providers. One keychain.
OAuth, API keys, basic auth — whatever the provider needs, Keychains handles it. Your agent just calls the API.
Agents are the new attack surface.
Today, giving an AI agent access to your APIs means handing it your raw tokens. One prompt injection, one malicious tool, one leaked context window — and your credentials are gone.
- ✕ API keys pasted into .env files and shared across agents
- ✕ No visibility into what credentials an agent has or uses
- ✕ No way to revoke access without rotating secrets
- ✕ Prompt injection can exfiltrate credentials from context
Agent freedom without compromise.
Keychains works like curl. Your agent never touches raw secrets — just prefix keychains curl and credentials are injected server-side.
- Credentials never leave the server — invisible to prompt injection
- Users approve each permission — full consent flow
- Revoke any agent's access instantly from the dashboard
- Delegate tokens for sub-agents with scoped permissions
How Keychains compares
Credential management isn't new. Here's how Keychains fits alongside tools you may already use.
vs. Secrets Managers
Vault, AWS Secrets Manager, and Doppler protect credentials at rest. Keychains protects them at use-time. They're complementary.
Use a secrets manager to store credentials. Keychains adds the agent-specific layer: per-agent permissions, user consent, scoped delegation, and audit trails.
vs. API Gateways
Kong and Apigee do credential injection for server-to-server traffic. Keychains does it for agent-to-API traffic, with agent-specific primitives.
SSH-based machine identity, user consent flows, and multi-agent delegation are designed for autonomous agents — not traditional microservices.
vs. OAuth DPoP
DPoP binds tokens to specific clients using public/private keys — similar in spirit to Keychains' machine identity.
DPoP is an OAuth extension. Keychains is a full proxy layer that works with any auth scheme — OAuth, API keys, basic auth, and custom headers.
Spawn sub-agents safely.
Need to delegate work? Create scoped tokens for sub-agents with only the permissions they need — or create blank tokens that require fresh user approval.
Scoped Delegate Tokens
Fork your permissions. Give a sub-agent access to only the APIs it needs for its specific task. The parent agent retains full control.
Blank Tokens
Spawn sub-agents with zero initial permissions. When they need access, the user is prompted to approve — ensuring informed consent for every task.
The agentic web needs a credential layer.
Keychains.dev is the credential layer for the agentic web. Your agents get secure API access. Your users stay in control.