keychains.dev - Secure your OpenClaw bot

Product Introduction

1. Definition: Keychains.dev is a secure credential proxy specifically designed for AI agents and autonomous systems. It operates as a server-side intermediary layer between AI agents (like OpenClaw bots) and external APIs, dynamically injecting authentication credentials during API requests.
2. Core Value Proposition: Keychains.dev exists to eliminate credential leakage risks in AI agents, particularly from prompt injection attacks and compromised tools. It enables secure API access delegation by ensuring agents never handle raw secrets, while providing users with granular permission control, instant revocation, and a full audit trail.

Main Features

1. Template Variable System: Replaces hardcoded API credentials (OAuth tokens, API keys, basic auth) with variables like {{GITHUB_TOKEN}} in agent code. The keychains curl command acts as a drop-in replacement for curl, parsing these variables.
2. Server-Side Credential Injection: Credentials are stored and injected securely on Keychains.dev’s infrastructure. Agents only send template variables, ensuring raw secrets never enter the agent’s environment, memory, or context window, making them immune to prompt injection exfiltration.
3. Granular Permission Flows: Requires explicit user consent for new API scopes via one-click approval. Users see the exact permissions requested (e.g., "Read GitHub repositories") before access is granted.
4. SSH Key Identity & Stateful Fingerprinting: Every machine authenticates to Keychains.dev via unique SSH keypairs, eliminating password risks. Per-call fingerprinting detects and instantly invalidates leaked keys on first misuse.
5. Scoped Delegation for Sub-Agents: Enables secure task delegation. Parent agents can issue:
   • Scoped Delegate Tokens: Restrict sub-agents to specific APIs (e.g., only Stripe charges, not full account access).
   • Blank Tokens: Sub-agents start with zero permissions, triggering user consent flows when new access is needed.
6. Universal Auth Support: Works with 11,000+ API providers, handling OAuth 2.0 (with PKCE and auto-refresh), API keys, basic auth, and custom headers seamlessly.

Problems Solved

1. Pain Point: Credential leakage via prompt injection – Malicious inputs can trick agents into exposing secrets stored in their context. Keychains.dev eliminates this by keeping credentials server-side.
2. Pain Point: Lack of visibility and revocation – Traditional methods (e.g., .env files) offer no real-time oversight or easy revocation. Keychains provides a dashboard for auditing all access and one-click revocation without secret rotation.
3. Target Audience:
   • AI Agent Developers building tools like OpenClaw.
   • Security Engineers in organizations deploying autonomous agents.
   • DevOps Teams managing API access for AI workflows.
4. Use Cases:
   • An OpenClaw bot accessing GitHub’s API without risking token theft via prompt injection.
   • Delegating a sub-agent to handle payment processing via Stripe with scoped "create charge" permissions only.
   • Auditing all API calls made by production AI agents for compliance.

Unique Advantages

1. Differentiation vs. Secrets Managers (Vault, Doppler): Secrets managers secure credentials at rest. Keychains secures them at use-time for agents, adding agent-specific consent flows, scoped delegation, and prompt injection protection – making them complementary layers.
2. Differentiation vs. API Gateways (Kong, Apigee): Gateways manage server-to-server traffic. Keychains is built for agent-to-API traffic with SSH-based machine identity, user-in-the-loop consent, and sub-agent delegation – features irrelevant to traditional microservices.
3. Differentiation vs. OAuth DPoP: While DPoP binds tokens to clients, Keychains is a full proxy layer supporting any auth scheme (not just OAuth) and integrates audit trails, instant revocation, and multi-agent workflows.
4. Key Innovation: Server-side credential injection via template variables – This architecture is uniquely designed to isolate agents from raw secrets while maintaining compatibility with existing tools like curl. Combined with SSH machine identity, it creates a zero-trust environment for agentic operations.

Frequently Asked Questions (FAQ)

1. How does Keychains.dev prevent prompt injection attacks?
   Keychains.dev injects credentials server-side. Agents only handle template variables (e.g., {{API_KEY}}), not raw secrets. This makes credentials invisible to the agent’s context window, preventing exfiltration via injected prompts.
2. Does Keychains.dev support OAuth 2.0 flows?
   Yes, it fully supports OAuth 2.0 with PKCE (Proof Key for Code Exchange) for secure authorization and provides automatic token refresh, handling the entire lifecycle without agent involvement.
3. How is Keychains.dev different from using a secrets manager?
   Secrets managers (e.g., HashiCorp Vault) store credentials securely but don’t manage runtime delegation or consent. Keychains adds per-agent permissions, user approval workflows, audit trails, and prompt injection protection specifically for AI agents.
4. Can I revoke an agent’s access instantly?
   Yes. Any machine’s access can be revoked immediately via the dashboard with one click. There are no grace periods, and revoked keys are invalidated on their next use attempt.
5. Is it safe to delegate tasks to sub-agents with Keychains?
   Yes. Use Scoped Delegate Tokens to restrict sub-agents to specific APIs/permissions or Blank Tokens requiring fresh user consent. Parent agents never share their full credentials.