Your Keys. Your Machine. Nobody Else.
UGENT Vault is a local-first encrypted secret store and provider gateway. API keys live in your OS keychain or an encrypted file vault — never in config files, never in agent context, never in logs.
Two Layers of Protection
Encrypted Secret Store
Store API keys and tokens in your operating system keychain or an encrypted file vault. Reference them in config as handles — the decrypted value never appears in any file, prompt, or log.
[llm.instances.openai]
api_key_ref = "@openai_api_key"
Provider Egress Gateway
A local daemon that injects credentials before forwarding requests to OpenAI, Google, Jina, or Voyage. Your code calls the broker — the broker holds the real key. Streaming responses pass through unbuffered and unlogged.
base_url = "http://127.0.0.1:18443/proxy/openai/v1"
api_key = "$BROKER_TOKEN"
What the Vault Does for You
No Plaintext Keys
Reference secrets as handles in your config. The real values stay encrypted in the keychain or vault — they are resolved only at the moment of use and never written to disk in readable form.
Call APIs Without Holding Keys
Point any OpenAI-compatible SDK at the broker gateway. The broker injects the real credential and forwards the request. Your application never sees the provider key.
Environment Projection
Run any command with secrets injected only into that process's environment. Works for any language, any tool, zero code changes needed.
Deny by Default
Every credential access requires an explicit grant specifying who may use it, for what purpose, against which hosts, and for how long. No grant means no access — always.
Full Audit Trail
Every access — granted or denied — is logged with timestamp, consumer, purpose, and outcome. Rotate keys with a single command. Inspect history at any time.
Sibling Service Hardening
Point the context engine, MCP servers, and any local service at the broker gateway. They call APIs through the broker and never need their own copy of the provider key.
Defense in Depth
Local machine only
The vault and broker run on your machine. Credentials are never sent to any external service.
Two storage backends
OS keychain by default (macOS Keychain, Windows Credential Manager, Linux Secret Service). Encrypted file vault as fallback with modern authenticated encryption.
Grant-scoped access
Each grant specifies consumer, purpose, allowed hosts, delivery method, and TTL. No matching grant means no access.
Gateway never logs bodies
Request and response bodies pass through unbuffered. Audit records carry metadata only — provider, path, status, latency, byte counts.
Bootstrap token authentication
Loopback HTTP requires a bearer token generated on first start. Binding to localhost alone is never treated as sufficient authentication.
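As an added illustration (not UGENT Vault's own code), here is the deny-by-default grant check described under Deny by Default and Grant-scoped access, together with the metadata-only audit record described under Full Audit Trail. The consumer and purpose names, the hosts, the fixed clock and the grant TTL are constructed; only the handle `@openai_api_key` is taken from the config snippet above.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

@dataclass(frozen=True)
class Grant:
    consumer: str         # who may use the handle
    purpose: str          # what it may be used for
    hosts: frozenset      # upstream hosts the credential may reach
    delivery: str         # "proxy" (gateway injects) or "env" (projection)
    expires_at: datetime  # TTL expressed as an absolute UTC deadline

class GrantStore:
    def __init__(self, grants: dict[str, list[Grant]]):
        self._grants = grants        # handle -> grants issued for it
        self.audit: list[dict] = []  # metadata only; secret values never enter

    def authorize(self, handle, consumer, purpose, host, delivery, now):
        # Deny unless one grant matches on every field; record either way.
        rec = {"ts": now, "handle": handle, "consumer": consumer,
               "purpose": purpose, "host": host}
        reason = "no matching grant"
        for g in self._grants.get(handle, []):
            if g.consumer != consumer or g.purpose != purpose:
                continue  # grant belongs to a different consumer or purpose
            if host not in g.hosts:
                reason = "host not allowed"
                continue
            if delivery != g.delivery:
                reason = "delivery method not allowed"
                continue
            if now >= g.expires_at:
                reason = "grant expired"
                continue
            self.audit.append({**rec, "outcome": "granted"})
            return True, "granted"
        self.audit.append({**rec, "outcome": "denied: " + reason})
        return False, reason

NOW = datetime(2025, 1, 1, 12, 0, tzinfo=timezone.utc)  # constructed clock
def demo():
    store = GrantStore({"@openai_api_key": [Grant("context-engine", "embeddings",
        frozenset({"api.openai.com"}), "proxy", NOW + timedelta(hours=1))]})
    args = ("@openai_api_key", "context-engine", "embeddings")
    results = [
        store.authorize(*args, "api.openai.com", "proxy", NOW),                       # allowed
        store.authorize(*args, "api.example.net", "proxy", NOW),                      # host not in grant
        store.authorize(*args, "api.openai.com", "env", NOW),                         # delivery mismatch
        store.authorize(*args, "api.openai.com", "proxy", NOW + timedelta(hours=2)),  # TTL expired
    ]
    return store, results
```

Every call, allowed or not, leaves an audit entry, and the secret value is never an input to the check, so it cannot leak into the log.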