onecli: a secure credential injection gateway that prevents AI agents from accessing raw API keys

What it solves

OneCLI provides a secure way for AI agents to access external APIs without requiring the agents themselves to hold raw API keys. This eliminates the security risk of baking credentials into agent code or configurations, allowing developers to centralize secret management and key rotation.

How it works

OneCLI acts as an open-source gateway between AI agents and the services they call. You store your real API credentials in an encrypted vault (AES-256-GCM), and provide your agents with placeholder keys. When an agent makes an HTTP request through the gateway, OneCLI matches the request to the correct credentials based on host and path patterns, swaps the placeholder for the real key, and injects it into the outbound request. The agent never sees the real secrets.
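The matching-and-swap step described above, sketched as an added example (not OneCLI's own code). The rule syntax, the function names, all sample values, and the choice to refuse a placeholder sent to an unmatched destination are assumptions of this example.

```rust
// Added illustration, not OneCLI's code; rule syntax and all values are constructed.
struct Rule {
    host: &'static str,        // exact host or "*.suffix" wildcard (assumed syntax)
    path_prefix: &'static str, // matched on whole path segments
    placeholder: &'static str, // the only value the agent ever holds
    secret: &'static str,      // stands in for a value decrypted from the vault
}

fn host_matches(pattern: &str, host: &str) -> bool {
    let host = host.to_ascii_lowercase();
    match pattern.strip_prefix("*.") {
        // "*.example.test" matches "api.example.test" but not "evilexample.test"
        Some(suffix) => host.strip_suffix(suffix).map_or(false, |p| p.ends_with('.')),
        None => host == pattern,
    }
}

fn path_matches(prefix: &str, path: &str) -> bool {
    // Refuse dot segments so "/v1/../admin" cannot ride on a "/v1" rule.
    if path.split('/').any(|seg| seg == "..") {
        return false;
    }
    let prefix = prefix.trim_end_matches('/');
    path == prefix || path.strip_prefix(prefix).map_or(false, |rest| rest.starts_with('/'))
}

/// Returns the Authorization value to send upstream, or an error if the
/// placeholder is not approved for this destination.
fn inject(rules: &[Rule], host: &str, path: &str, auth: &str) -> Result<String, &'static str> {
    match rules.iter().find(|r| auth.contains(r.placeholder)) {
        None => Ok(auth.to_string()), // no placeholder present: nothing to inject
        Some(r) if host_matches(r.host, host) && path_matches(r.path_prefix, path) => {
            Ok(auth.replace(r.placeholder, r.secret))
        }
        Some(_) => Err("placeholder not approved for this destination"),
    }
}

fn sample_rules() -> Vec<Rule> {
    vec![Rule { host: "*.example.test", path_prefix: "/v1",
                placeholder: "PLACEHOLDER_KEY_A", secret: "constructed-real-key" }]
}

fn main() {
    let rules = sample_rules();
    println!("{:?}", inject(&rules, "api.example.test", "/v1/chat", "Bearer PLACEHOLDER_KEY_A"));
    println!("{:?}", inject(&rules, "attacker.test", "/v1/chat", "Bearer PLACEHOLDER_KEY_A"));
}
```

Matching on label and segment boundaries rather than raw string prefixes is what keeps a lookalike host or path from receiving the real key.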

Who it’s for

Developers building AI agents that need to interact with multiple third-party APIs securely.

Highlights

  • Transparent credential injection: Agents make standard HTTP calls while the gateway handles authentication.
  • Rust-powered gateway: A fast, memory-safe gateway for intercepting and injecting credentials.
  • Encrypted storage: Secrets are encrypted at rest and only decrypted at request time.
  • Multi-agent support: Each agent is assigned its own access token with scoped permissions.
  • Vault integration: Ability to connect to password managers like Bitwarden for on-demand injection.
  • Easy deployment: Quick start via a single curl command or Docker Compose.
