FAQ
Is Keyless a secret manager?
Yes — but specifically for agent-native runtime access.
The goal isn’t just “store secrets somewhere safe.” It’s:
- prevent secrets from getting pasted into prompts/logs
- provide delegated, scoped, revocable access
- support per-request payments when you want paid APIs
Do agents ever see raw secrets?
Ideally: no.
Agents should receive:
- access to named providers (capabilities)
- short-lived tokens/receipts
Raw provider keys should stay in the Vault.
What’s the difference between KEYLESS_API and a JWT?
- KEYLESS_API: a long-lived server credential for automation/backends
- JWT: an ephemeral token minted after wallet auth (SIWE)
Rule: don’t ship KEYLESS_API to browsers or untrusted clients.
How does Keyless prevent leaks?
Keyless reduces the most common leak paths:
- .env sprawl
- keys pasted into LLM prompts
- keys hardcoded in scripts
…but you still need good operational hygiene:
- scope permissions
- rotate regularly
- avoid logging secrets
What is x402?
A pay-per-request pattern:
- request → 200 or 402 (quote)
- pay → retry with receipt
This lets you sell APIs per call without building a full billing stack from scratch.
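The request → 402 quote → pay → retry loop above, as an added in-process simulation (not Keyless or x402 project code). The field names, the HMAC-signed receipt and the `pay()` stand-in for the payment rail are assumptions made for illustration; the client caps what it will pay and the server rejects replayed or altered receipts.

```python
import hashlib
import hmac
import secrets

SERVER_KEY = secrets.token_bytes(32)  # constructed: key used to sign receipts
PRICE = 5                             # constructed: price per call, arbitrary units
_spent = set()                        # nonces of receipts already redeemed

def _sign(nonce, amount):
    msg = f"{nonce}:{amount}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()

def pay(quote):
    """Hypothetical payment rail: returns a receipt bound to the quoted nonce and amount."""
    return {"nonce": quote["nonce"], "amount": quote["amount"],
            "sig": _sign(quote["nonce"], quote["amount"])}

def server(request):
    """Paid endpoint: 200 for a valid unused receipt, otherwise 402 plus a fresh quote."""
    receipt = request.get("receipt")
    if receipt is not None:
        expected = _sign(receipt["nonce"], receipt["amount"])
        valid = (hmac.compare_digest(expected, receipt["sig"])
                 and receipt["amount"] >= PRICE
                 and receipt["nonce"] not in _spent)
        if valid:
            _spent.add(receipt["nonce"])  # single use: a replayed receipt gets 402
            return 200, {"data": "result"}
    return 402, {"nonce": secrets.token_hex(8), "amount": PRICE}

def call_with_payment(request, max_amount):
    """Client side: request, pay the quote only if it fits the budget, retry once."""
    status, body = server(request)
    if status != 402:
        return status, body
    if body["amount"] > max_amount:
        return 402, body                  # over budget: surface the quote, pay nothing
    return server({**request, "receipt": pay(body)})

if __name__ == "__main__":
    print(call_with_payment({"path": "/v1/example"}, max_amount=10))
    print(call_with_payment({"path": "/v1/example"}, max_amount=1))
```

Giving an agent a `max_amount` budget keeps a compromised or misbehaving paid endpoint from draining funds through inflated quotes.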
Can agents publish marketplace services?
Default model: owners publish, agents consume.
Agents can still build businesses by composing services into workflows.
A future-friendly middle ground is recipes:
- agents generate a composition spec
- owners approve/publish as a marketplace listing