While building an agent last week, I realized something
uncomfortable: my agent had my live Payment API key sitting in its
context window.
One prompt injection attack. One malicious tool response. One
leaked log file. And that key is gone.
I couldn't find a clean solution, so I built one.
What I built
AgentGuard is a credential proxy for AI agents. Instead of giving
your agent real API keys, you give it a token. When the agent makes
an API call, it goes through the AgentGuard proxy, which:
- Validates the agent token
- Decrypts the real credential server-side
- Injects it into the request
- Forwards to the target API
- Logs the call
The agent never sees the real key. Ever.
The code change is 3 lines
Before:
import requests  # the real key lives in the agent's code and its context window
requests.post("https://api.stripe.com/v1/charges",
              headers={"Authorization": "Bearer sk_live_real_key..."})
After:
import requests  # the agent only ever holds the proxy token, never the key
requests.post("https://proxy.agent-guard.dev/v1/charges",
              headers={
                  "X-AgentGuard-Token": "your_agent_token",
                  "X-AgentGuard-Credential": "your_credential_id"
              })
That's it. Base URL changes, two headers added, everything else
stays the same.
What you also get
- Full audit log of every API call your agent makes
- Instant revocation — one click kills an agent's access
- Zero-knowledge encryption — keys encrypted in your browser, we literally cannot read them
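To make the proxy flow listed under "What I built" and the audit log and revocation from the list above concrete, here is an added example of the server-side request mapping. It is not AgentGuard's code (the post does not show its implementation); only the two header names come from the post. The function and variable names (`build_upstream_request`, `revoke`, `GRANTS`, `VAULT`, `AUDIT_LOG`), the sample token and credential values, the rule that the request path is replayed against the credential's upstream host, and the in-memory plaintext vault standing in for the server-side decryption step are all assumptions made for the example.

```python
import hashlib
import hmac
import time
from dataclasses import dataclass

# Constructed sample data. AgentGuard's real token format, storage and
# decryption scheme are not described on the page and are not reproduced here.
TOKEN_PEPPER = b"constructed-server-side-pepper"


def token_digest(token: str) -> str:
    """Store only a keyed hash of each agent token, so a leaked grants table
    cannot be replayed against the proxy."""
    return hmac.new(TOKEN_PEPPER, token.encode(), hashlib.sha256).hexdigest()


@dataclass(frozen=True)
class Credential:
    secret: str          # the real upstream key; only the proxy ever handles it
    upstream_host: str   # the only host this credential may be injected for
    header: str = "Authorization"
    prefix: str = "Bearer "


# Which credential ids each agent token may use, keyed by token digest.
GRANTS = {token_digest("agent-token-A"): {"cred_stripe"}}
# Assumption: a real proxy would decrypt these on demand; the example keeps
# them in memory so it runs stand-alone.
VAULT = {"cred_stripe": Credential("sk_live_CONSTRUCTED", "api.stripe.com")}
REVOKED = set()
AUDIT_LOG = []


class ProxyError(Exception):
    """Raised when a call is refused; the agent gets this message, never the key."""


def _audit(agent: str, cred_id: str, method: str, host: str, path: str, outcome: str) -> None:
    # Records who used which credential id, where, and whether it was allowed.
    # The secret itself is never written to the log.
    AUDIT_LOG.append({
        "ts": time.time(), "agent": agent[:12], "credential": cred_id,
        "method": method, "host": host, "path": path, "outcome": outcome,
    })


def revoke(token: str) -> None:
    """Instant revocation: every later call with this token is refused."""
    REVOKED.add(token_digest(token))


def build_upstream_request(method: str, path: str, agent_headers: dict, body=None):
    """Map the request the agent sent to the proxy onto the request the proxy
    sends upstream. Returns (method, url, headers, body) or raises ProxyError,
    writing an audit entry either way."""
    token = agent_headers.get("X-AgentGuard-Token", "")
    cred_id = agent_headers.get("X-AgentGuard-Credential", "")
    digest = token_digest(token)
    cred = VAULT.get(cred_id)
    host = cred.upstream_host if cred else "-"

    if digest in REVOKED:
        _audit(digest, cred_id, method, host, path, "denied: token revoked")
        raise ProxyError("token revoked")
    if cred is None or cred_id not in GRANTS.get(digest, set()):
        # Unknown token, unknown credential and "not granted" fail identically,
        # so a compromised agent cannot enumerate credential ids through errors.
        _audit(digest, cred_id, method, host, path, "denied: not authorised")
        raise ProxyError("not authorised")

    # Drop the proxy's control headers and anything the agent placed in the
    # credential header slot, then inject the real key server-side.
    upstream_headers = {
        k: v for k, v in agent_headers.items()
        if not k.lower().startswith("x-agentguard-") and k.lower() != cred.header.lower()
    }
    upstream_headers[cred.header] = cred.prefix + cred.secret
    _audit(digest, cred_id, method, host, path, "forwarded")
    return method, f"https://{host}{path}", upstream_headers, body
```

Two details matter more than the happy path: the proxy overwrites any `Authorization` header the agent supplied rather than merging it, so a prompt-injected request cannot smuggle its own value upstream, and denied calls are logged with the same detail as forwarded ones, which is what you would watch for to spot an agent that has started probing credentials it was never granted.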
Try it
agent-guard.dev — free to start, no credit card.
Would love feedback from anyone building agents in production.
What am I missing? What would make this actually useful for you?