Agents reference API keys by vault_id — never the raw secret. Slopshop decrypts server-side, injects credentials into proxied requests, and logs every access. Your keys never touch agent memory.
When an AI agent handles raw credentials, the key exists in plaintext in the LLM context, tool call arguments, logs, and any downstream agent it passes data to. One leaked trace or one compromised intermediate agent exposes the credential.
Keys stored in agent working memory can appear in completions, traces, and debug logs.
In multi-agent chains, a raw key passed as a parameter propagates to every downstream agent.
Raw key usage leaves no per-request log. You can't tell when, how often, or by which agent a key was used.
If a key is hardcoded in agent prompts or configs, rotating it requires touching every reference manually.
The vault abstracts credentials behind opaque identifiers. Agents interact with vault_id strings — Slopshop handles decryption and injection at the proxy layer.
Developer stores credential via API or CLI
POST /v1/vault/set
Agent lists available credentials by name only
GET /v1/vault/list
Agent proxies request via vault_id — key injected server-side
POST /v1/vault/proxy
Every proxy access logged with timestamp and agent ID
GET /v1/vault/audit
Store a named credential. Slopshop encrypts it immediately using AES-256-GCM and returns a vault_id. The raw credential is never returned again.
{
"name": "openai-prod",
"credential": "sk-proj-..."
}
{
"status": "stored",
"vault_id": "vlt_7f3a9c2e1d4b...",
"name": "openai-prod"
}
// Raw credential is never returned after this point.
// Store vault_id in your agent's config or .env.
Agents can list all stored credentials by name and vault_id. Raw credentials are never included in list responses. This lets agents know what's available without ever touching the underlying secrets.
{
"credentials": [
{ "vault_id": "vlt_7f3a9c2e1d4b...", "name": "openai-prod", "created_at": "2026-03-31" },
{ "vault_id": "vlt_2b9d8e5f3a1c...", "name": "github-token", "created_at": "2026-03-28" },
{ "vault_id": "vlt_4e1f6a7b2c9d...", "name": "stripe-live", "created_at": "2026-03-20" }
]
}
// credential field is never present — only name + vault_id.
The proxy endpoint is the core of the vault. The agent provides a vault_id, a target URL, and optional headers. Slopshop decrypts the credential on the server, injects it as a Bearer token (or custom header), makes the request, and returns the response to the agent. The agent never sees the raw key.
{
"vault_id": "vlt_7f3a9c2e1d4b...",
"url": "https://api.openai.com/v1/models",
"method": "GET",
"inject_as": "Bearer"
}
// Slopshop decrypts "openai-prod", injects:
// Authorization: Bearer sk-proj-...
// Returns the raw API response to the agent.
SSRF protection is mandatory. The proxy blocks all RFC 1918 private ranges (10.x, 172.16-31.x, 192.168.x), loopback (127.x, ::1), and link-local (169.254.x) addresses. Only HTTPS targets are accepted. Attempts to proxy to internal infrastructure are rejected with 403.
Every proxy call is logged with the vault_id, target domain, HTTP method, response status, timestamp, and the agent API key that made the request. Use the audit log for compliance, anomaly detection, and key rotation decisions.
{
"entries": [
{
"vault_id": "vlt_7f3a9c2e1d4b...",
"name": "openai-prod",
"target": "api.openai.com",
"method": "POST",
"status": 200,
"agent_key": "sk-slop-...abc",
"timestamp": "2026-03-31T14:22:00Z"
}
],
"total": 1
}
The vault uses multiple independent security layers. Compromising any single layer is insufficient to recover a raw credential.
Every credential is encrypted with AES-256 in Galois/Counter Mode before writing to the database. GCM provides authenticated encryption — any bit flip in the ciphertext causes decryption to fail with an auth tag error.
Encryption keys are derived from the master secret using scrypt with N=16384, r=8, p=1. This makes brute-force attacks computationally expensive even with GPU acceleration.
GCM's 128-bit authentication tag is stored alongside each ciphertext. Any modification to the encrypted credential — or its IV — causes the auth tag check to fail on decryption, returning an error rather than garbage data.
The proxy resolves the target hostname and blocks requests to RFC 1918 ranges, loopback, and link-local addresses. Only public HTTPS endpoints are permitted, preventing credential exfiltration to internal services.
The proxy enforces HTTPS on all outbound requests. HTTP targets are rejected. This ensures the injected credential is never transmitted in plaintext over the network.
Every proxy call is attributed to the Slopshop API key that made the request. If a credential is misused, the audit log identifies which agent key was responsible.
Manage vault entries directly from the terminal with the slop vault command group.