Agents use secrets
without seeing secrets.

AgentStash stores your API keys and credentials with app-layer envelope encryption, then lets your AI agents use them through MCP. By default the platform injects a credential into the agent's outbound HTTPS request server-side and returns only the response — the raw value never reaches the model. Handing the plaintext to an agent is a separate, off-by-default choice you make per secret.

Envelope encryption

Per-trust-boundary keys wrap per-secret keys, all bound to your workspace with authenticated context. Delete a boundary and its secrets are crypto-shredded.

Use, don't reveal

The use_secret tool injects credentials into HTTPS calls to allowlisted hosts and redacts them from responses. Reveal is off by default.

Scoped OAuth grants

Every agent connects via OAuth 2.1 + PKCE and gets a grant scoped to specific boundaries and permissions. Revoke instantly.

Tamper-evident audit

Every use, reveal, and grant is written to a hash-chained per-workspace audit log you can verify.

AgentStash · agents use secrets without seeing secrets