Agent secret vault
Agents receive short-lived vtx_session_* keychains. Production API keys stay vaulted and never leave the server.
Vault provider API keys once, mint scoped vtx_session_* keychains for each agent, and route every call through Vertex. You control what each agent can use, then see exactly which services it touched, how often, and whether each request was allowed, blocked, or failed.
Agents receive short-lived vtx_session_* keychains. Production API keys stay vaulted and never leave the server.
Typed tool and API inspection lets you deny stripe.create_payout, cap the agent's daily spend wallet, and taint sessions after untrusted reads.
Monitor which services each agent uses, how often, what was allowed or blocked, and which keychain made the request.
Server-to-server keychain issuance API for B2B AI products that secure their customers' provider keys.
Vertex sits between your AI agents and external APIs. It keeps provider credentials out of the agent runtime, limits what each keychain can access, and gives operators a live record of activity, usage, blocked requests, and credential use.
Autonomous agents call GitHub, Stripe, Linear, or internal APIs through scoped keychains, with no raw production credentials in the agent runtime.
Mint a Vertex keychain per end-user. Per-tenant audit, scoped tool and domain policy, instant revoke.
Drop Vertex in front of any MCP server. Allow or deny tools by namespace, bind tools to domains, and taint sessions after risky reads.
Usage charts and audit rows show what each agent accessed, which API credentials it used, how often, and where policy blocked it.
import { VertexClient } from "vertex-blue-client";
const vertex = new VertexClient({
keychain: process.env.VTX_SESSION_KEY!,
});
const res = await vertex.proxy(
"https://api.stripe.com/v1/charges",
{ method: "POST", body: { amount: 4200, currency: "usd" } },
);curl -X POST https://www.vertex.blue/api/v1/keychains \
-H "Authorization: Bearer $VTX_API_KEY" \
-H "Content-Type: application/json" \
-d '{
"tenant_id": "your-customer-uuid",
"service_ids": ["3f1c9a2e-0b7d-4e6a-9c11-2a8f5d4b7e90"],
"policy": { "max_spend_cents": 50000, "ttl_minutes": 60 }
}'A stolen agent key still does only what you allowed. Nothing more, nowhere else.
Abuse, runaway loops, and overspend are stopped before a single provider call goes out.
Your real API keys appear for an instant in memory, then vanish. Never written, never logged.
Every action is recorded in a tamper-evident chain, so one altered record is obvious.
api.github.comallowedapi.stripe.comallowed169.254.169.254blockedPut a zero-trust proxy and secret vault between autonomous execution and every production API.
Sign up now