AgentKeys Skill
Secure credential proxy for AI agents. Route API calls through AgentKeys so your agent never sees real secrets.
Configuration
You have two options. Set these in your environment or .env:
Option A — API Key (recommended, multi-credential)
CODEBLOCK0
Use your workspace API key to proxy requests to any credential by name. Get your API key from Settings.
Option B — Direct Proxy Token (single credential)
CODEBLOCK1
Use a proxy token for one specific credential. Get it by assigning a credential to an agent in the dashboard.
Usage
With API Key (Option A) — reference credentials by name
CODEBLOCK2
With Proxy Token (Option B) — direct credential access
CODEBLOCK3
Headers
| Header | Required | Description |
|---|
| INLINECODE1 | ✅ | INLINECODE2� or �INLINECODE3 |
| INLINECODE4 |
✅ | Target API URL to forward to |
|
X-Credential-Name | ✅ (API key mode) | Name of the credential to use (case-insensitive) |
|
Content-Type | ❌ | Passed through to target |
How It Works
- 1. Agent sends request to AgentKeys proxy with API key + credential name (or proxy token)
- AgentKeys finds and decrypts the real credential server-side
- Real credential is injected into headers
- Request is forwarded to the target API
- Response is returned to the agent
- Every request is logged in the audit trail
The agent never sees the real API key, OAuth token, or password.
Credential Types Supported
- - API Key — injected as �INLINECODE7
- Basic Auth — injected as �INLINECODE8
- Custom Headers — injected as key-value pairs
- Query Parameters — appended to URL
- Cookies — injected as
Cookie header - OAuth — auto-refreshed tokens
Security
- - Credentials are AES-256-GCM encrypted at rest
- Proxy tokens are scoped to one credential + one agent
- API key mode still respects workspace permissions
- Tokens can be revoked instantly from the dashboard
- Full audit trail for every proxied request
- Agent never has access to plaintext secrets
Links
AgentKeys 技能
面向AI代理的安全凭证代理。通过AgentKeys路由API调用,使您的代理永远不会接触到真实的密钥。
配置
您有两种选择。在环境变量或.env文件中设置:
选项A — API密钥(推荐,多凭证)
AGENTKEYSAPIKEY=akws...
AGENTKEYSPROXYURL=https://proxy.agentkeys.io
使用您的工作区API密钥按名称代理对任何凭证的请求。从设置获取您的API密钥。
选项B — 直接代理令牌(单凭证)
AGENTKEYSPROXYTOKEN=pxr_...
AGENTKEYSPROXYURL=https://proxy.agentkeys.io
使用代理令牌访问一个特定的凭证。通过在仪表板中将凭证分配给代理来获取它。
使用方法
使用API密钥(选项A)— 按名称引用凭证
bash
curl -X POST $AGENTKEYSPROXYURL/v1/proxy \
-H Authorization: Bearer $AGENTKEYSAPIKEY \
-H X-Credential-Name: resend \
-H X-Target-Url: https://api.resend.com/emails \
-H Content-Type: application/json \
-d {from: noreply@example.com, to: user@example.com, subject: Hello, text: Sent via AgentKeys}
使用代理令牌(选项B)— 直接凭证访问
bash
curl -X POST $AGENTKEYSPROXYURL/v1/proxy \
-H Authorization: Bearer $AGENTKEYSPROXYTOKEN \
-H X-Target-Url: https://api.resend.com/emails \
-H Content-Type: application/json \
-d {from: noreply@example.com, to: user@example.com, subject: Hello, text: Sent via AgentKeys}
请求头
| 请求头 | 必需 | 描述 |
|---|
| Authorization | ✅ | Bearer $AGENTKEYSAPIKEY 或 Bearer $AGENTKEYSPROXYTOKEN |
| X-Target-Url |
✅ | 要转发到的目标API URL |
| X-Credential-Name | ✅(API密钥模式) | 要使用的凭证名称(不区分大小写) |
| Content-Type | ❌ | 透传到目标 |
工作原理
- 1. 代理向AgentKeys代理发送请求,附带API密钥和凭证名称(或代理令牌)
- AgentKeys在服务端查找并解密真实的凭证
- 真实凭证被注入到请求头中
- 请求被转发到目标API
- 响应返回给代理
- 每个请求都会被记录在审计追踪中
代理永远不会看到真实的API密钥、OAuth令牌或密码。
支持的凭证类型
- - API密钥 — 注入为 Authorization: Bearer
- 基本认证 — 注入为 Authorization: Basic base64(user:pass)
- 自定义请求头 — 以键值对形式注入
- 查询参数 — 追加到URL
- Cookie — 注入为 Cookie 请求头
- OAuth — 自动刷新的令牌
安全性
- - 凭证在静态存储时使用AES-256-GCM加密
- 代理令牌限定于一个凭证和一个代理
- API密钥模式仍遵循工作区权限
- 令牌可从仪表板即时撤销
- 每个代理请求都有完整的审计追踪
- 代理永远无法访问明文密钥
链接
