The secret vault for AI agents.
Store once. Inject anywhere. Agents never see the keys.
Website · Docs
What is OneCLI?
OneCLI is an open-source gateway that sits between your AI agents and the services they call. Instead of baking API keys into every agent, you store credentials once in OneCLI and the gateway injects them transparently. Agents never see the secrets.
Why we built it: AI agents need to call dozens of APIs, but giving each agent raw credentials is a security risk. OneCLI solves this with a single gateway that handles auth, so you get one place to manage access, rotate keys, and see what every agent is doing.
How it works: You store your real API credentials in OneCLI and give your agents placeholder keys (e.g. FAKE_KEY ). When an agent makes an HTTP call through the gateway, the OneCLI proxy matches the request to the right credentials, swaps the FAKE_KEY for the REAL_KEY , decrypts them, and injects them into the outbound request. The agent never touches the real secrets. It just makes normal HTTP calls and the proxy handles the swap.
Architecture
Rust Gateway : fast HTTP gateway that intercepts outbound requests and injects credentials. Agents authenticate with access tokens via Proxy-Authorization headers.
: fast HTTP gateway that intercepts outbound requests and injects credentials. Agents authenticate with access tokens via headers. Web Dashboard : Next.js app for managing agents, secrets, and permissions. Provides the API the gateway uses to resolve which credentials to inject for each request.
... continue reading