Vault

Your Keys. Your Machine. Nobody Else.

UGENT Vault is a local-first encrypted secret store and provider gateway. API keys live in your OS keychain or an encrypted file vault — never in config files, never in agent context, never in logs.

Architecture

Two Layers of Protection

Encrypted Secret Store

Store API keys and tokens in your operating system keychain or an encrypted file vault. Reference them in config as handles — the decrypted value never appears in any file, prompt, or log.

ugent.toml

[llm.instances.openai]

api_key_ref = "@openai_api_key"

OS keychain file vault zero plaintext

Provider Egress Gateway

A local daemon that injects credentials before forwarding requests to OpenAI, Google, Jina, or Voyage. Your code calls the broker — the broker holds the real key. Streaming responses pass through unbuffered and unlogged.

any SDK

base_url = "http://127.0.0.1:18443/proxy/openai/v1"

api_key = "$BROKER_TOKEN"

OpenAI Google Jina Voyage
Capabilities

What the Vault Does for You

No Plaintext Keys

Reference secrets as handles in your config. The real values stay encrypted in the keychain or vault — they are resolved only at the moment of use and never written to disk in readable form.

Call APIs Without Holding Keys

Point any OpenAI-compatible SDK at the broker gateway. The broker injects the real credential and forwards the request. Your application never sees the provider key.

Environment Projection

Run any command with secrets injected only into that process's environment. Works for any language, any tool, zero code changes needed.

Deny by Default

Every credential access requires an explicit grant specifying who may use it, for what purpose, against which hosts, and for how long. No grant means no access — always.

Full Audit Trail

Every access — granted or denied — is logged with timestamp, consumer, purpose, and outcome. Rotate keys with a single command. Inspect history at any time.

Sibling Service Hardening

Point the context engine, MCP servers, and any local service at the broker gateway. They call APIs through the broker and never need their own copy of the provider key.

Security Model

Defense in Depth

Local machine only

The vault and broker run on your machine. Credentials are never sent to any external service.

Two storage backends

OS keychain by default (macOS Keychain, Windows Credential Manager, Linux Secret Service). Encrypted file vault as fallback with modern authenticated encryption.

Grant-scoped access

Each grant specifies consumer, purpose, allowed hosts, delivery method, and TTL. No matching grant means no access.

Gateway never logs bodies

Request and response bodies pass through unbuffered. Audit records carry metadata only — provider, path, status, latency, byte counts.

Bootstrap token authentication

Loopback HTTP requires a bearer token generated on first start. Binding to localhost alone is never treated as sufficient authentication.