macOS · 1Password · Bitwarden · coding agents

Your agents ask for secrets. You approve exactly what they get.

Agent Secret is a local approval broker for coding agents on macOS. Agents request specific secret references — with a reason and the exact command that will use them — and you get a native prompt before a single value is handed over.

We've run it daily for months — dozens of approvals a day across personal, work, and shared vaults. None of us want to go back to raw secret-manager prompts.

[Screenshot: Agent Secret approval prompt showing the reason, command, working directory, and the three secret references being requested]

Why we built it

A Touch ID tap can't tell you what an agent is about to do.

Our team runs coding agents all day. To be genuinely useful, they need real access — deploy hooks, databases, cloud APIs, the same credentials we'd reach for ourselves. The more capable the fleet gets, the more dangerous broad, ambient access becomes.

Moving everything into a secret manager helped, because provider tools can gate reads behind local approval. But with several agents working in parallel, that prompt only tells you something wants a secret — not which agent, not which secret, not why, and not where the value is about to land. You end up approving blind, or quietly dumping secrets into .env files to kill the friction. Neither felt right.

How it works

Every request comes with context, so approving actually means something.

Agent Secret turns secret access into a native approval moment. The prompt shows the reason, the exact command, the working directory, and the precise references being asked for. Approve it and the values are injected into that one child process. Deny it and nothing leaks — and the prompt quietly tells you where a background agent is heading.

01. Exact references, not blanket access

Agents ask for op://... or bws://..., not "the secrets." You approve the specific references they named — nothing more.

02. A reason, in plain language

Every request carries why the secret is needed, written by the agent, before any value leaves its provider.

03. Delivered to the command, not the disk

Approved values go straight into the process you saw — never printed to logs, never written into the repo.

Demo

The approval flow is the product.

Put references in config, ask for the exact profile you need, and Agent Secret shows the command, reason, working directory, account, and requested references before anything resolves. The approved value is delivered only to that child process.

Read the Quick Start →

agent-secret exec --dry-run --json --profile terraform-cloudflare -- terraform plan
agent-secret exec --profile terraform-cloudflare -- terraform plan

Watch the approval moment: Agent Secret shows the reason, exact command, working directory, and requested secret reference before the approved value is injected into that command.

The migration

Trade .env files for references you can approve.

Profiles keep op:// or bws:// references in your project. Real values only appear at runtime, behind an approval — so your config and your agent's logs never hold a live credential.

Before · .env

# real values, committed to the repo more than once
CLOUDFLARE_API_TOKEN=cf_live_xxxxxxxxxxxxxxxxxxxx
DATABASE_URL=postgres://app:xxxxxxxx@db.prod/app

After · agent-secret.yml

version: 1
default_profile: terraform-cloudflare

profiles:
  terraform-cloudflare:
    reason: Terraform DNS management
    ttl: 10m
    secrets:
      CLOUDFLARE_API_TOKEN: op://Example/Cloudflare/token

agent-secret exec --profile terraform-cloudflare -- terraform plan

The approved child gets the real token. Your config and your agent's logs only ever see the reference.
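The two properties this migration relies on, that a profile carries references rather than values and that the resolved value reaches only the approved child, are easy to check mechanically. The following is an added example written for this page, not Agent Secret's own code: it audits a profile (the page's YAML, written out as a Python dict so no YAML library is needed, plus a constructed DATABASE_URL defect where the old .env value was pasted in place of a reference) and then spawns one child process with a resolved value in its environment while the parent keeps none. The `fake_resolve` lookup and its `cf_live_constructed_0000` token stand in for the provider and are constructed.

```python
"""Constructed companion to the migration above (not Agent Secret's own code).
It checks that a profile carries op:// or bws:// references rather than live
values, and shows a resolved value reaching one child process while the
parent's environment stays reference-only."""
import os
import re
import subprocess
import sys

# Parsed form of the page's agent-secret.yml, written as a dict so the example
# needs no YAML library. DATABASE_URL is a constructed defect: the raw value from
# the old .env pasted where a reference belongs.
PROFILE = {
    "version": 1,
    "default_profile": "terraform-cloudflare",
    "profiles": {
        "terraform-cloudflare": {
            "reason": "Terraform DNS management",
            "ttl": "10m",
            "secrets": {
                "CLOUDFLARE_API_TOKEN": "op://Example/Cloudflare/token",
                "DATABASE_URL": "postgres://app:xxxxxxxx@db.prod/app",
            },
        }
    },
}

# A provider reference as the page shows them: scheme, then a non-empty path.
REFERENCE = re.compile(r"^(op|bws)://\S+$")


def is_reference(value: str) -> bool:
    """True only for an op:// or bws:// reference; anything else is a value."""
    return bool(REFERENCE.match(value))


def audit_profile(profile: dict) -> dict[str, list[str]]:
    """Map each profile name to the env keys whose entry is not a reference.
    An empty dict means nothing in the file can be a live credential."""
    findings = {}
    for name, spec in profile.get("profiles", {}).items():
        bad = sorted(k for k, v in spec.get("secrets", {}).items() if not is_reference(v))
        if bad:
            findings[name] = bad
    return findings


def fake_resolve(reference: str) -> str:
    """Stand-in for the provider lookup that runs only after approval.
    The returned token is constructed for this example."""
    return {"op://Example/Cloudflare/token": "cf_live_constructed_0000"}[reference]


def child_environment(parent_env, secrets, resolve) -> dict:
    """Copy the parent environment and add resolved values for the approved
    references. The parent's own environment is never mutated."""
    env = dict(parent_env)
    for key, reference in secrets.items():
        env[key] = resolve(reference)
    return env


def run_with_secrets(argv, secrets, resolve) -> subprocess.CompletedProcess:
    """Spawn argv with the resolved secrets in its environment only."""
    env = child_environment(os.environ, secrets, resolve)
    return subprocess.run(argv, env=env, capture_output=True, text=True, check=True)


def demo() -> tuple:
    """Run a probe child that prints the injected token; report what the child
    saw and whether the resolved value leaked into this (parent) process."""
    secrets = {"CLOUDFLARE_API_TOKEN": "op://Example/Cloudflare/token"}
    probe = [sys.executable, "-c",
             "import os; print(os.environ['CLOUDFLARE_API_TOKEN'])"]
    result = run_with_secrets(probe, secrets, fake_resolve)
    leaked = os.environ.get("CLOUDFLARE_API_TOKEN") == "cf_live_constructed_0000"
    return result.stdout.strip(), leaked


if __name__ == "__main__":
    print("non-reference entries:", audit_profile(PROFILE))
    print("child saw, parent leaked:", demo())
```

Running `audit_profile` in a pre-commit hook catches the most common regression in this migration: a teammate pasting a live value back into the profile. The child-environment half is the same shape an `exec`-style broker uses, and the `leaked` flag makes the boundary visible: the value exists only in the child's environment map.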

Install

Install with Homebrew.

Agent Secret ships as a signed, notarized macOS app with the CLI bundled inside. There's nothing hosted to sign up for and no dashboard to configure.

brew tap kovyrin/agent-secret https://github.com/kovyrin/agent-secret
brew install --cask agent-secret
agent-secret skill-install
agent-secret doctor

[Screenshot: Agent Secret item metadata approval prompt, showing field labels and references without secret values]

Discovery

Let agents wire up their own profiles, without ever seeing a value.

When an agent needs to build a profile, it can inspect item labels, IDs, field types, and canonical references. It learns the shape of the item — never the secret inside it.

agent-secret item describe --format env-refs "op://Example Infra/Database Credentials"

Security boundary

A local approval broker — not a sandbox.

We'd rather be honest about the edges than oversell them. Here's what Agent Secret does for you, and where it deliberately stops.

What it protects

  • Configs and command flags carry references, not values.
  • The daemon fetches only the secrets you approved for the request.
  • Audit logs record metadata, never raw secrets.
  • Reusable approvals stay bounded by command, cwd, references, account, TTL, and use count.
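The last two points above, metadata-only audit logs and reusable approvals bounded by command, cwd, references, account, TTL and use count, are worth seeing as concrete checks. Below is an added example written for this page, not Agent Secret's implementation: a small model of a request, a remembered approval, a `covers` check over every bound, and an audit record that can only ever contain references. The request fields, the `work` account, the `/repo/infra` directory and the timestamps are constructed; the rule that a later request may name a subset of the approved references is this model's assumption, not something the page states.

```python
"""Constructed model of the reusable-approval bounds listed above: command,
cwd, references, account, TTL, and use count. Written for this page as an
illustration; it is not Agent Secret's implementation, and the subset rule for
references is this model's assumption."""
from dataclasses import dataclass, replace
import re


@dataclass(frozen=True)
class Request:
    """What an agent sends: enough context for a human to judge it."""
    account: str
    cwd: str
    command: tuple          # exact argv, e.g. ("terraform", "plan")
    references: frozenset   # op:// or bws:// references only, never values
    reason: str


@dataclass
class Approval:
    """A human decision, remembered for a while and for a limited number of uses."""
    request: Request
    granted_at: float       # seconds since epoch
    ttl_seconds: int
    max_uses: int
    uses: int = 0


TTL = re.compile(r"^(\d+)([smh])$")


def parse_ttl(text: str) -> int:
    """Turn the profile's ttl string (e.g. "10m") into seconds."""
    m = TTL.match(text)
    if not m:
        raise ValueError(f"unsupported ttl: {text!r}")
    return int(m.group(1)) * {"s": 1, "m": 60, "h": 3600}[m.group(2)]


def covers(approval: Approval, request: Request, now: float) -> bool:
    """A cached approval applies only when every bound matches and it is
    neither expired nor exhausted. References may be a subset of what was
    approved (assumption): the user has already consented to each of them
    for exactly this command in exactly this directory."""
    a = approval.request
    return (
        request.account == a.account
        and request.cwd == a.cwd
        and request.command == a.command
        and request.references <= a.references
        and now < approval.granted_at + approval.ttl_seconds
        and approval.uses < approval.max_uses
    )


def consume(approval: Approval, request: Request, now: float) -> bool:
    """Check the bounds and, on success, count one use."""
    if not covers(approval, request, now):
        return False
    approval.uses += 1
    return True


def audit_entry(request: Request, decision: str, now: float) -> dict:
    """Metadata-only audit record. Only references appear; the resolved value
    is never part of the request and so cannot end up in the log."""
    return {
        "ts": now,
        "account": request.account,
        "cwd": request.cwd,
        "command": list(request.command),
        "references": sorted(request.references),
        "reason": request.reason,
        "decision": decision,
    }


# Constructed baseline request matching the page's terraform-cloudflare profile.
BASE = Request(
    account="work",
    cwd="/repo/infra",
    command=("terraform", "plan"),
    references=frozenset({"op://Example/Cloudflare/token"}),
    reason="Terraform DNS management",
)


def demo() -> list:
    """Replay constructed requests against one approval (10m TTL, 2 uses)."""
    approval = Approval(BASE, granted_at=1000.0, ttl_seconds=parse_ttl("10m"), max_uses=2)
    widened = replace(BASE, references=BASE.references | {"op://Example/DB/url"})
    expired = Approval(BASE, granted_at=1000.0, ttl_seconds=parse_ttl("10m"), max_uses=5)
    return [
        consume(approval, BASE, now=1060.0),                              # same request: True
        consume(approval, replace(BASE, cwd="/tmp/other"), now=1060.0),   # other cwd: False
        consume(approval, widened, now=1060.0),                           # extra reference: False
        consume(approval, replace(BASE, command=("terraform", "apply")), now=1060.0),  # False
        consume(approval, BASE, now=1120.0),                              # second use: True
        consume(approval, BASE, now=1180.0),                              # uses exhausted: False
        consume(expired, BASE, now=1601.0),                               # past TTL: False
    ]


if __name__ == "__main__":
    print(demo())
    print(audit_entry(BASE, "approved", 1000.0))
```

The design point is that every bound is compared against what the human actually saw in the prompt, so a change in any one of them (a different directory, one more reference, `apply` instead of `plan`) falls back to a fresh prompt rather than silently reusing consent. Keeping resolved values out of the `Request` type is what makes the audit log metadata-only by construction rather than by discipline.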

Known limitations

  • It won't sandbox a malicious approved child process.
  • No Linux or Windows support yet.
  • No writing or updating secrets yet.
  • No GCP Secret Manager support yet.

Good to know

What you'll need, and what we don't touch.

Requirements

  • macOS 14 or newer on Apple Silicon
  • 1Password desktop app with SDK integration, or Bitwarden Secrets Manager with official bws
  • Homebrew for the recommended install path

Privacy

Agent Secret is a local app and CLI. The site runs no analytics or ad cookies, and the app never sends raw secret values to us. Your credentials stay between you and your secret provider.

Read the privacy policy →

Open source

Built for real work, shared in the open.

Agent Secret is a tool we use every day, not a startup. It's open source and free. If it fits your workflow, install it. If it breaks, tell us — file an issue, steal the idea, send a PR.