Vault
Keyless Vault stores secrets encrypted to a wallet.
Mental model
- You encrypt a secret to your wallet
- Keyless stores ciphertext (encrypted at rest)
- Decrypt requires wallet authorization (wallet-only decrypt)
- Apps/agents fetch secrets just-in-time
Why this matters
- No more copying long-lived keys into prompts or logs
- Centralized rotation and revocation
- Clear “who can access what” via provider names and scopes
Best practices
- Prefer scoped and short-lived credentials when providers support it
- Never return raw keys to untrusted clients
- Treat KEYLESS_API as a server secret (same tier as a database password)
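
An added example, not Keyless code or its API, of the server-side pattern these practices describe: the secret is fetched per request, checked against a provider/scope grant, used on the server, and never placed in a response or log line. The names `Secret`, `Broker`, `fetch_from_vault`, the grant table and the sample key are constructed assumptions, and HMAC signing stands in for whatever a provider call would do with the key.

```python
import hashlib
import hmac


class Secret:
    """Wraps a raw key so str(), repr() and log formatting never reveal it."""

    def __init__(self, value: bytes):
        self._value = value

    def __repr__(self) -> str:
        return "Secret(<redacted>)"

    def reveal(self) -> bytes:
        return self._value


class Broker:
    """Hypothetical server-side broker: callers get results, never the key."""

    def __init__(self, fetch_secret, grants):
        self._fetch = fetch_secret  # callable(provider) -> Secret, called per request
        self._grants = grants       # caller id -> set of (provider, scope)

    def sign_request(self, caller: str, provider: str, scope: str, body: bytes) -> dict:
        # Deny before touching the vault if the caller lacks this provider/scope.
        if (provider, scope) not in self._grants.get(caller, set()):
            raise PermissionError(f"{caller} lacks {provider}:{scope}")
        secret = self._fetch(provider)  # just-in-time, not cached on the broker
        sig = hmac.new(secret.reveal(), body, hashlib.sha256).hexdigest()
        return {"provider": provider, "signature": sig}  # no key material


# Constructed sample data: a stand-in vault holding one made-up key.
VAULT = {"payments": Secret(b"sk_constructed_example_key")}


def fetch_from_vault(provider: str) -> Secret:
    """Stand-in for the vault fetch; raises KeyError once a secret is revoked."""
    return VAULT[provider]


broker = Broker(fetch_from_vault, {"agent-1": {("payments", "sign")}})
```

Because nothing is cached in the broker, removing the entry from the stand-in vault makes the next request fail, which is the revocation behaviour the list above relies on.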