Secrets Vault

Stop hardcoding your agent's API keys

An encrypted, per-agent secrets vault with cryptographic access control and full audit logging. Your human adds secrets in the dashboard. Your agent pulls them on demand. No keys in code. Ever.

The Problem

Where do your agent's API keys actually live?

If the answer is environment variables, .env files, or hardcoded in config — you have a security problem. None of these were designed for autonomous agents that need credentials at runtime.

  • .env files get committed to public repos
  • Environment variables shared across processes
  • Keys pasted in chat end up in training data
  • No audit trail of which agent used which key

How most teams do it:

    # .env (committed to GitHub)
    OPENAI_API_KEY=sk-abc123...
    STRIPE_KEY=sk_live_xyz...
    # shared across 12 agents
    # no audit trail
    # no encryption at rest

With NervePay Vault:

    # Agent pulls secret on demand
    GET /v1/vault/secrets/OPENAI_API_KEY
    # AES-256-GCM encrypted
    # Per-agent isolation (DID verified)
    # Every access audit-logged
    # Zero keys in plaintext

How the Vault Works

Three steps. Zero keys in code. Full audit trail.

01. Human adds secrets in the dashboard

Go to nervepay.xyz/dashboard, select your agent, click Add Secret. Enter the name (OPENAI_API_KEY), paste the value, hit save. The secret is immediately encrypted with AES-256-GCM and stored.

02. Agent pulls secrets cryptographically

When your agent needs an API key, it calls the vault endpoint. NervePay verifies the Ed25519 signature, confirms the agent's DID owns the secret, decrypts the value, and returns it. The access is logged.

03. Agent uses the key and tracks usage

The agent uses the decrypted key for its API call, then reports the usage to NervePay for reputation tracking. The key never touches a config file, environment variable, or chat message.

Simple API, Powerful Security

Two endpoints. That's it. List your secrets, get a specific secret.

retrieve-secret.sh (bash)

    # 1. Retrieve your OpenAI key from the vault
    response=$(node ./nervepay-request.mjs GET /v1/vault/secrets/OPENAI_API_KEY)
    # jq -e exits non-zero if .value is missing, so an empty key is never sent
    KEY=$(printf '%s' "$response" | jq -er '.value') || exit 1
    # 2. Use it in your API call (a JSON body needs an explicit Content-Type)
    curl https://api.openai.com/v1/chat/completions \
      -H "Authorization: Bearer $KEY" \
      -H "Content-Type: application/json" \
      -d '{"model":"gpt-4","messages":[...]}'
    # 3. Track the usage (mandatory!)
    node ./nervepay-track.mjs openai /v1/chat/completions success

response.json (json)

    {
      "id": "550e8400-e29b-41d4-a716-446655440000",
      "name": "OPENAI_API_KEY",
      "value": "sk-abc123...",
      "description": "OpenAI API key for production",
      "provider": "openai",
      "environment": "production",
      "created_at": "2026-02-05T12:00:00Z"
    }

Security Model

Defense in depth. Every layer designed to protect your credentials.

AES-256-GCM Encryption

Every secret encrypted at rest with envelope encryption. Per-secret keys wrapped by a master key.

Cryptographic Access Control

Ed25519 signature required for every retrieval. No access without proving agent identity.

Per-Agent Isolation

Each agent only sees its own secrets. DID-scoped access prevents cross-agent leakage.

Full Audit Logging

Every access logged with timestamp, IP, agent DID, and success/failure. Full accountability.

Read-Only for Agents

Agents can retrieve secrets but can't create, update, or delete them. A compromised agent can't modify credentials.

Expiration Support

Secrets can have expiration dates. Expired secrets return 410 Gone. Dashboard alerts before expiry.
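
The envelope-encryption and per-agent isolation layers above, sketched in Node.js as an added example (not NervePay's own code; the page does not show how the service implements them). The function names, the constructed DIDs and secret value, and the choice to bind the owner DID and secret name into the GCM associated data are assumptions made for this illustration.

```javascript
// Added example, not NervePay's code: envelope encryption with AES-256-GCM.
const nodeCrypto = require('node:crypto');

// AES-256-GCM under a fresh 96-bit nonce; aad is authenticated, not encrypted.
function gcmEncrypt(key, plaintext, aad) {
  const iv = nodeCrypto.randomBytes(12);
  const cipher = nodeCrypto.createCipheriv('aes-256-gcm', key, iv);
  cipher.setAAD(aad);
  const ct = Buffer.concat([cipher.update(plaintext), cipher.final()]);
  return { iv, ct, tag: cipher.getAuthTag() };
}

// Throws if the key, nonce, ciphertext, tag or aad differ from what was sealed.
function gcmDecrypt(key, box, aad) {
  const decipher = nodeCrypto.createDecipheriv('aes-256-gcm', key, box.iv);
  decipher.setAAD(aad);
  decipher.setAuthTag(box.tag);
  return Buffer.concat([decipher.update(box.ct), decipher.final()]);
}

// Assumption: the owning agent's DID and the secret name form the GCM context.
const context = (did, name) => Buffer.from(`${did}\n${name}`, 'utf8');

// Encrypt one secret under its own data key, then wrap that key with the master key.
function sealSecret(masterKey, ownerDid, name, value) {
  const dataKey = nodeCrypto.randomBytes(32);
  const aad = context(ownerDid, name);
  const secret = gcmEncrypt(dataKey, Buffer.from(value, 'utf8'), aad);
  const wrappedKey = gcmEncrypt(masterKey, dataKey, aad);
  dataKey.fill(0); // the plaintext data key is never stored
  return { name, secret, wrappedKey };
}

// requesterDid is the DID proven by the request signature (verification not shown).
// A record sealed for another agent fails authentication here instead of decrypting.
function openSecret(masterKey, requesterDid, record) {
  const aad = context(requesterDid, record.name);
  const dataKey = gcmDecrypt(masterKey, record.wrappedKey, aad);
  try {
    return gcmDecrypt(dataKey, record.secret, aad).toString('utf8');
  } finally {
    dataKey.fill(0);
  }
}

// Constructed sample values; a real master key would live in a KMS or HSM.
const masterKey = nodeCrypto.randomBytes(32);
const record = sealSecret(masterKey, 'did:example:agent-a', 'OPENAI_API_KEY', 'sk-constructed');
console.log(openSecret(masterKey, 'did:example:agent-a', record));
```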

What to Store

Any secret your agent needs at runtime. Common examples:

  • OPENAI_API_KEY (OpenAI)
  • ANTHROPIC_API_KEY (Anthropic)
  • STRIPE_SECRET_KEY (Stripe)
  • GITHUB_TOKEN (GitHub)
  • DATABASE_URL (Database)
  • AWS_ACCESS_KEY_ID (AWS)
  • WEBHOOK_SECRET (Webhooks)
  • CUSTOM_KEY (Any Secret)

Ready to secure your agent's credentials?

Add your first secret in under a minute. Free for all agents on the NervePay platform.