{"id":51013932,"url":"https://github.com/bch1212/agentvault","last_synced_at":"2026-06-21T07:31:35.822Z","repository":{"id":357610578,"uuid":"1237735994","full_name":"bch1212/agentvault","owner":"bch1212","description":"AI-native credential vault for autonomous agents — Fernet-encrypted API keys, per-agent avk_ tokens, budget enforcement, audit logs, MCP server.","archived":false,"fork":false,"pushed_at":"2026-05-13T13:44:10.000Z","size":60,"stargazers_count":0,"open_issues_count":0,"forks_count":0,"subscribers_count":0,"default_branch":"main","last_synced_at":"2026-05-13T15:25:34.315Z","etag":null,"topics":["ai-agents","claude","credentials","fastapi","fernet-encryption","mcp","mcp-server","model-context-protocol","openai","python","saas","secrets-management","stripe","vault"],"latest_commit_sha":null,"homepage":"https://agentvault-api-production.up.railway.app","language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/bch1212.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2026-05-13T13:10:27.000Z","updated_at":"2026-05-13T13:44:18.000Z","dependencies_parsed_at":null,"dependency_job_id":null,"html_url":"https://github.com/bch1212/agentvault","commit_stats":null,"previous_names":["bch1212/agentvault"],"tags_count":null,"template":false,"template_full_name":null,"purl":"pkg:github/bch1212/agentvault","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/bch1212%2Fagentvault","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/bch1212%2Fagentvault/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/bch1212%2Fagentvault/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/bch1212%2Fagentvault/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/bch1212","download_url":"https://codeload.github.com/bch1212/agentvault/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/bch1212%2Fagentvault/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":34601660,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-05-26T15:22:16.424Z","status":"online","status_checked_at":"2026-06-21T02:00:05.568Z","response_time":54,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["ai-agents","claude","credentials","fastapi","fernet-encryption","mcp","mcp-server","model-context-protocol","openai","python","saas","secrets-management","stripe","vault"],"created_at":"2026-06-21T07:31:31.403Z","updated_at":"2026-06-21T07:31:35.817Z","avatar_url":"https://github.com/bch1212.png","language":"Python","funding_links":[],"categories":[],"sub_categories":[],"readme":"# AgentVault\n\n**AI-native credential management for autonomous agents.** Store API keys with column-level Fernet encryption, issue unique `avk_` keys to registered agent identities, proxy decrypted values with TTL, enforce per-agent spending budgets, log every access, and expose everything as an MCP server.\n\n- **Live API:** https://agentvault-api-production.up.railway.app\n- **Docs:** https://agentvault-api-production.up.railway.app/docs\n- **Status:** Production (Railway + Postgres + Stripe live)\n\n## Why\n\nAutonomous agents need API keys to do anything useful — Stripe, OpenAI, SendGrid, your own internal services. Three bad options today:\n\n1. **Hardcode in the agent prompt or config.** Leaks in logs, can't rotate, no audit trail.\n2. **Pass via env vars at spawn.** No per-agent isolation, no budget controls, no revocation without redeploy.\n3. **Roll your own vault.** Real work — encryption at rest *and* in transit, audit logs, key rotation, budget tracking.\n\nAgentVault is option 3 as a service. One `avk_` key per agent. Permission patterns (`[\"stripe_*\", \"openai_*\"]`). Daily/monthly spending caps. Full access log. MCP-native so agents can `vault.get_credential(\"stripe_key\")` and get a TTL-bound decrypted value back.\n\n## Quickstart\n\n### Direct HTTP\n\n```python\nimport httpx\n\nresp = httpx.post(\n \"https://agentvault-api-production.up.railway.app/api/v1/vault/get/stripe_key\",\n headers={\"X-Agent-Key\": \"avk_...\"},\n params={\"cost\": 0.05},\n)\nstripe_key = resp.json()[\"value\"]\n```\n\n### MCP (Claude Desktop / Cursor / Cline)\n\n```json\n{\n \"mcpServers\": {\n \"agentvault\": {\n \"command\": \"python\",\n \"args\": [\"-m\", \"mcp_server\"],\n \"env\": {\n \"AGENTVAULT_API_URL\": \"https://agentvault-api-production.up.railway.app\",\n \"AGENTVAULT_AGENT_KEY\": \"avk_...\"\n }\n }\n }\n}\n```\n\nThen in Claude: `vault.get_credential(\"stripe_key\")` returns the decrypted value.\n\n## How it works\n\n- **Column-level Fernet encryption** — credentials are encrypted with `VAULT_ENCRYPTION_KEY` *before* they hit the database. Stronger than at-rest disk encryption alone.\n- **`avk_` agent keys** — SHA-256 hashed at rest, never stored plaintext. Recognizable prefix like `sk_live_` / `whsec_`.\n- **Permission patterns** — `[\"stripe_*\", \"openai_*\"]` scopes an agent without a full policy engine. fnmatch-based.\n- **Budget enforcement** — daily and monthly caps per agent. `/vault/get?cost=0.05` records the spend; 429 once the cap is hit.\n- **Audit log** — every access (success or denied) goes into `credential_access_logs` with IP, user-agent, error reason.\n- **MCP server** — `mcp_server/` exposes `list_credentials`, `get_credential`, `vault_status`, `set_budget`, `view_audit_log` as stdio MCP tools.\n\n## Pricing\n\n| Tier | $/mo | Agents | Credentials | Audit | Rotation | Budgets | Team |\n|---|---|---|---|---|---|---|---|\n| Free | $0 | 3 | 10 | – | – | – | – |\n| Pro | $49 | 25 | 100 | ✓ | ✓ | – | – |\n| Business | $149 | ∞ | ∞ | ✓ | ✓ | ✓ | ✓ |\n| Enterprise | $499 | ∞ | ∞ | ✓ | ✓ | ✓ | ✓ + SSO + compliance |\n\n## Self-host\n\n```bash\ngit clone https://github.com/bch1212/agentvault\ncd agentvault\npip install -r requirements.txt\ncp .env.example .env # then fill in VAULT_ENCRYPTION_KEY and DATABASE_URL\npython -m api.main\n```\n\nRun tests:\n\n```bash\npython -m pytest -v # 34 tests\n```\n\nDeploy to Railway:\n\n```bash\nbash deploy.sh\n```\n\n## Architecture\n\n```\napi/\n├── main.py # FastAPI + lifespan\n├── database.py # Async SQLAlchemy (auto-rewrites postgresql:// → postgresql+asyncpg://)\n├── services/\n│ ├── encryption.py # Fernet encrypt/decrypt\n│ ├── auth.py # avk_ key gen + SHA-256 hashing\n│ ├── budget.py # Per-agent spend tracking\n│ ├── audit.py # Access log\n│ └── alerts.py # SendGrid alerts\n├── middleware/ # X-Agent-Key + Bearer auth\n└── routers/ # users, agents, credentials, vault, audit, budgets, billing\nmcp_server/ # FastMCP stdio server\ntests/ # 34 tests, SQLite in-memory\n```\n\n## License\n\nMIT.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fbch1212%2Fagentvault","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fbch1212%2Fagentvault","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fbch1212%2Fagentvault/lists"}