Infisical’s Agent Vault is an open-source HTTP proxy that injects credentials at the network layer so agents never receive or see secrets.
Key Takeaways
Agents get a scoped session and HTTPS_PROXY env var; Agent Vault intercepts outbound HTTPS requests and injects credentials before forwarding upstream.
Credentials are encrypted at rest with AES-256-GCM; an optional Argon2id-wrapped DEK means password rotation does not trigger re-encryption of stored secrets.
Works with any HTTP-speaking agent process: Claude Code, Cursor, Codex, custom Python/TypeScript agents, or containerized sandboxes via Docker/Daytona/E2B.
Container sandbox mode uses iptables-locked egress so a non-cooperative child process physically cannot bypass the proxy, regardless of prompt injection attempts.
Request logs capture method, host, path, status, latency, and credential key names but never bodies, headers, or query strings; retention is configurable per vault.
Hacker News Comment Review
Commenters identified concrete gaps: OAuth2 token-refresh responses can return new tokens directly to the agent in the payload, bypassing the proxy’s credential-hiding guarantee.
There is open skepticism about whether proxy-layer isolation is sufficient if the agent can introspect its own environment or reverse-engineer vault access; the container sandbox with iptables egress is seen as the stronger threat model.
Multiple builders noted they had whiteboard designs for exactly this pattern, suggesting unmet demand, and several raised questions about standards for short-lived identity delegation (OAuth tokens vs. long-lived static credentials) as a complementary or successor approach.
Notable Comments
@wfinigan: Had an internal design for this exact pattern when Agent Vault dropped; calls out that existing solutions are tied to specific cloud vendors or protocols like MCP.
@sandeepkd: Flags that endpoints without credential requirements could still receive injected credentials if the proxy applies them indiscriminately, and that some services can return refreshed tokens in response bodies.
@hebetude: “I’ve seen it reverse engineer many things to expose the underlying credentials” – argues firewall-enforced network isolation is the only reliable mitigation.
