Agentfy
Vault

Never paste secrets into a macro again

Central encrypted store for SMS APIs, login tokens, payment keys. Reference by name. Audit every change. Redact plaintext from logs automatically.

Vault interpolation demo
Vault entries listed in the dashboard with masked values
Vault page · constants and secrets in a single tenant
How it works

Encrypt once, reference by name, audit always

Encryption: AES-256-GCM
Key scope: Per-tenant
Entries per plan: Unlimited
  • AES-256-GCM at rest, per tenant

    Each tenant gets its own master key — Postgres rows, logs, and audit trail never see plaintext.

  • Reference by name, anywhere

    Use ${vault.MY_KEY} in any macro step, HTTP body, or AI tool argument. The engine substitutes at runtime.

  • Reverse-substitution in logs

    Run audits scan the params blob and rewrite any matching value back to ${vault.NAME}, so secrets can't leak through over-eager logging.

Run audits stay clean

Reverse-substitution means the same secret can flow through HTTP URLs, bodies, params, and notes — the logged copy always shows the placeholder.

vault-flow.agfm
# In the Agentfy dashboard, store:
#   SMS_DOMAIN_1     = https://sms.example.com
#   SMS_API_KEY      = sk-abc123...

# Then in a macro:
http url="${vault.SMS_DOMAIN_1}/getNumber?key=${vault.SMS_API_KEY}" -> sms
extract sms.body jsonpath="$.phone" -> phone

# Run history shows:
# > http url="${vault.SMS_DOMAIN_1}/getNumber?key=${vault.SMS_API_KEY}" → sms
# Never:
# > http url="https://sms.example.com/getNumber?key=sk-abc123..." → sms

Credentials done right

AES-256-GCM at rest

Encrypted with a tenant-scoped master key. Plaintext never lives in Postgres rows, logs, or audit trails — only authenticated handlers can decrypt at runtime.

Template interpolation

Reference values with ${vault.MY_KEY} from any macro step. The engine substitutes at runtime and redacts the value back to the placeholder in step audit logs.

Constants and secrets

Two flavours: secrets (operators can write, never read) and constants (operators with the right role can reveal). Same UI; different visibility.

Change history

Every create / update / delete is audited with operator, IP, timestamp. Diff what changed without ever exposing the actual value.

Reverse-substitution redaction

Run audit logs walk the params blob and replace any matched plaintext with ${vault.NAME} — so even an over-broad log line never leaks the underlying value.
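
The reverse-substitution described here and under "Run audits stay clean", shown as an added Python example (not Agentfy's own code): it walks a nested params blob and rewrites vault values, including their percent-encoded and JSON-escaped forms, back to `${vault.NAME}`. The function names, the `SHORT_KEY` entry and all sample values are assumptions constructed for illustration.

```python
import json
import re
from urllib.parse import quote

def compile_redactor(vault):
    """Return a str -> str function that rewrites secret values to ${vault.NAME}."""
    forms = {}
    for name, value in vault.items():
        if not value:
            continue  # an empty value would match at every position
        placeholder = "${vault.%s}" % name
        # The same secret can reach the log raw, percent-encoded (URL query),
        # or JSON-escaped (HTTP body), so register each form.
        for form in (value, quote(value, safe=""), json.dumps(value)[1:-1]):
            forms.setdefault(form, placeholder)
    if not forms:
        return lambda text: text
    # Longest alternative first: a secret that contains another is replaced
    # whole. One regex pass also means inserted placeholders are not rescanned.
    ordered = sorted(forms, key=len, reverse=True)
    pattern = re.compile("|".join(re.escape(f) for f in ordered))
    return lambda text: pattern.sub(lambda m: forms[m.group(0)], text)

def redact(node, scrub):
    """Walk a params blob (dict / list / str) and scrub every string in it."""
    if isinstance(node, str):
        return scrub(node)
    if isinstance(node, dict):
        return {redact(k, scrub): redact(v, scrub) for k, v in node.items()}
    if isinstance(node, (list, tuple)):
        return [redact(v, scrub) for v in node]
    return node  # numbers, booleans and None pass through unchanged

# Constructed sample data: entry names follow the page's demo, values are made up.
VAULT = {
    "SMS_DOMAIN_1": "https://sms.example.com",
    "SMS_API_KEY": "sk-test+constructed/0001",
    "SHORT_KEY": "sk-test",  # hypothetical entry, a prefix of SMS_API_KEY
}
PARAMS = {
    "url": "https://sms.example.com/getNumber?key=sk-test%2Bconstructed%2F0001",
    "headers": {"X-Api-Key": "sk-test+constructed/0001"},
    "notes": ["retry with sk-test", 3],
}

if __name__ == "__main__":
    print(json.dumps(redact(PARAMS, compile_redactor(VAULT)), indent=2))
```

Value matching of this kind only catches the encodings it registers: a secret that is base64-encoded, hashed or split across fields before logging passes through unredacted, and very short values over-match ordinary text.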

Tenant isolation

Each tenant has its own key namespace. Cross-tenant reads are physically impossible; even cloud admins can't view another tenant's plaintext.


Bring your SMS providers, your gateways, your bot tokens

One encrypted vault per tenant. Unlimited entries on every plan.
