AgentSec
Credential isolation and approval gating for AI agents.
AgentSec is a proxy that sits between your AI agents and external APIs. Agents never see credential values — they reference credentials by name, and the proxy substitutes real secrets only after policy enforcement and human approval.
The Problem
AI agents need API access to be useful — sending tweets, reading emails, calling LLMs. But giving an agent raw API keys means a prompt injection or hallucination can exfiltrate credentials, make unauthorized calls, or leak secrets in responses.
How AgentSec Solves It
```
┌─────────┐      ┌───────────────────────────────────┐      ┌──────────┐
│  Agent  │─────>│          AgentSec Proxy           │─────>│ External │
│         │      │                                   │      │   API    │
│ uses    │      │ 1. Authenticate agent             │      │          │
│ cred by │      │ 2. Check policy (GET=auto, etc.)  │      │          │
│ name,   │<─────│ 3. Request human approval         │<─────│          │
│ never   │      │ 4. Inject real credentials        │      │          │
│ sees    │      │ 5. Forward request                │      │          │
│ value   │      │ 6. Scrub secrets from response    │      │          │
└─────────┘      └───────────────────────────────────┘      └──────────┘
                                   │
                                   │ Approval request
                                   ▼
                            ┌────────────┐
                            │  Telegram  │
                            │  (human)   │
                            └────────────┘
```

- Credential isolation — agents reference credentials by name (`X-AgentSec-Credential: slack`) and never see the actual secret
- Policy enforcement — auto-approve safe operations (GET), require human approval for writes (POST/DELETE)
- Human-in-the-loop — Telegram approval with full request preview and one-tap approve/deny
- Response sanitization — scrubs credential values from API responses (exact match, base64, URL-encoded)
- Audit trail — every request logged with agent ID, credential used, approval status, and latency
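The six proxy steps above as a runnable Python model, added here as an illustration and not AgentSec's own code. Only the `X-AgentSec-Credential` header comes from the page; the agent-token header, the vault contents, the method-based policy table, the approver callback standing in for Telegram, and the "leaky" echo API that reflects its own bearer token back in three encodings are all constructed for this example.

```python
"""Illustrative model of the AgentSec request flow (example code, not the project's)."""
import base64
import time
import urllib.parse
from dataclasses import dataclass, field

# Assumed secret store: only the proxy holds values; agents know names only.
VAULT = {"slack": "xoxb-12/34+SECRET="}

# Assumed agent registry (step 1): token presented by the agent -> agent ID.
# The header name X-AgentSec-Agent-Token is an assumption of this example.
AGENT_TOKENS = {"tok-research-7f3a": "research-bot"}

# Assumed policy (step 2): read-only methods pass, anything else needs a human.
AUTO_APPROVE = {"GET", "HEAD", "OPTIONS"}

AUDIT_LOG = []  # audit trail: one entry per request, appended by handle()


@dataclass
class Request:
    method: str
    url: str
    headers: dict = field(default_factory=dict)
    body: str = ""


def encoded_forms(secret):
    """The encodings the scrubber looks for: raw, base64, URL-encoded."""
    return {
        secret,
        base64.b64encode(secret.encode()).decode(),
        urllib.parse.quote(secret, safe=""),
    }


def scrub(text, secret):
    """Step 6: replace every known encoding of the secret; longest forms first."""
    for form in sorted(encoded_forms(secret), key=len, reverse=True):
        text = text.replace(form, "[REDACTED]")
    return text


def _process(req, approver, upstream):
    entry = {"agent": None, "credential": None, "approval": None}
    # 1. Authenticate the agent.
    agent = AGENT_TOKENS.get(req.headers.get("X-AgentSec-Agent-Token", ""))
    if agent is None:
        entry["approval"] = "rejected-unauthenticated"
        return 401, "unknown agent", entry
    entry["agent"] = agent
    cred_name = req.headers.get("X-AgentSec-Credential")
    if cred_name not in VAULT:
        entry["approval"] = "rejected-unknown-credential"
        return 400, "unknown credential name", entry
    entry["credential"] = cred_name
    # 2-3. Policy check; the human preview carries the credential NAME, never the value.
    if req.method in AUTO_APPROVE:
        entry["approval"] = "auto"
    elif approver(f"{agent}: {req.method} {req.url} using credential '{cred_name}'"):
        entry["approval"] = "human-approved"
    else:
        entry["approval"] = "human-denied"
        return 403, "denied by approver", entry
    # 4. Inject the real secret; proxy-only headers never leave the proxy.
    secret = VAULT[cred_name]
    out_headers = {k: v for k, v in req.headers.items() if not k.startswith("X-AgentSec-")}
    out_headers["Authorization"] = f"Bearer {secret}"
    # 5. Forward, then 6. scrub the response before the agent sees it.
    raw = upstream(Request(req.method, req.url, out_headers, req.body))
    return 200, scrub(raw, secret), entry


def handle(req, approver, upstream):
    """Run one request through the proxy. approver(preview) -> bool stands in for the
    Telegram tap; upstream(req) -> str stands in for the external API.
    Returns (status, body) as the agent would see them and records an audit entry."""
    started = time.monotonic()
    status, body, entry = _process(req, approver, upstream)
    entry["status"] = status
    entry["latency_ms"] = round((time.monotonic() - started) * 1000, 3)
    AUDIT_LOG.append(entry)
    return status, body


def leaky_echo_api(req):
    """Constructed stand-in for an external API that reflects its bearer token back
    in several encodings, as a careless debug or error endpoint might."""
    token = req.headers["Authorization"].split(" ", 1)[1]
    b64 = base64.b64encode(token.encode()).decode()
    enc = urllib.parse.quote(token, safe="")
    return f'{{"ok": true, "auth": "{token}", "auth_b64": "{b64}", "link": "https://example.invalid/?t={enc}"}}'


if __name__ == "__main__":
    hdrs = {"X-AgentSec-Agent-Token": "tok-research-7f3a", "X-AgentSec-Credential": "slack"}
    print(handle(Request("GET", "https://slack.com/api/conversations.list", hdrs), lambda p: False, leaky_echo_api))
    print(handle(Request("POST", "https://slack.com/api/chat.postMessage", hdrs, '{"text": "hi"}'), lambda p: False, leaky_echo_api))
    print(AUDIT_LOG)
```

Two things the model makes visible that the list does not: the approval preview sent to the human must carry only the credential name, since a value in a Telegram message is a second leak path; and method-based auto-approval assumes the upstream API is RESTful, so a GET that mutates state or returns sensitive data on the agent's behalf still passes without a human.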
Next Steps
- Quickstart — get a working proxy in 5 minutes
- How It Works — understand the architecture and data flow
- Configuration — reference for `agentsec.yaml`