Authsome Credential Gateway

Credential gateway for AI agents

Inject credentials at request time. Agents get access, never the secret itself.

agent.py
# the agent never sees the real key
from openai import OpenAI

client = OpenAI()        # OPENAI_API_KEY = "authsome-proxy"
resp = client.responses.create(
    model="gpt-4.1-mini",
    input="hello",
)
authsome · request inspector · 200 · 0 keys exposed

Works with the tools your agents already call

Gmail, Slack, GitHub, Linear, Jira, Notion, Stripe, Figma, Google Drive, Dropbox, Twilio, AWS

How it works

One gateway between your agents and the world

1. Verify identity

Each agent gets a cryptographic identity. Every request is attributed before anything else happens.

2. Check policy

The gateway evaluates which providers this agent may use. Unauthorized calls get a 403 and an audit event.

3. Inject credential

The real key is added only as the request leaves your machine. The agent never sees the secret.

What it does

Authsome sits between your agents and the outside world. Agents make normal API calls with a placeholder, and the gateway swaps in the real credential as the request leaves the machine. The key never enters the agent process.

Who it is for

  • AI platform teams standardizing credential handling across agent frameworks.
  • Security and compliance teams that need least-privilege access and audit trails.
  • Application developers who want to ship agents without wiring OAuth by hand.

How it works

  1. The agent sends a request through the local proxy.
  2. The gateway verifies the agent identity and checks policy.
  3. The real credential is injected and the request is forwarded.
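
The ordering of steps 2 and 3 (policy decision first, credential attached last), as an added sketch that is not Authsome's code. The `handle` function, the policy table, the vault, the agent names and the status codes other than 403 are assumptions, and step 1 is assumed to have already produced a verified `agent_id`.

```python
import json
import time

PLACEHOLDER = "authsome-proxy"  # placeholder value from the page's agent.py

# Constructed sample data (assumptions, not real configuration or keys).
POLICY = {"agent-billing": {"stripe"}, "agent-support": {"slack", "gmail"}}
VAULT = {"stripe": "constructed-stripe-secret", "slack": "constructed-slack-secret"}
AUDIT_LOG = []  # stand-in for an audit sink


def audit(agent_id, provider, decision):
    """Record an identity-bound event; the secret is never part of it."""
    AUDIT_LOG.append(json.dumps(
        {"ts": time.time(), "agent": agent_id,
         "provider": provider, "decision": decision}))


def handle(agent_id, provider, headers):
    """Return (status, outbound_headers) for a request from a verified agent."""
    # Step 2: default-deny policy check, evaluated before the vault is read.
    if provider not in POLICY.get(agent_id, set()):
        audit(agent_id, provider, "deny")
        return 403, None
    secret = VAULT.get(provider)
    if secret is None:
        audit(agent_id, provider, "no_credential")
        return 502, None
    # Only swap the expected placeholder; refuse anything else.
    if headers.get("Authorization") != f"Bearer {PLACEHOLDER}":
        audit(agent_id, provider, "bad_placeholder")
        return 400, None
    # Step 3: inject on a copy, so the dict the agent holds is never modified.
    outbound = dict(headers)
    outbound["Authorization"] = f"Bearer {secret}"
    audit(agent_id, provider, "allow")
    return 200, outbound
```

Because injection happens on a copy after the policy check, a denied request never reads the vault, and every outcome, including denials, leaves an audit record without the secret in it.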


Everything you need to give agents safe access

Invisible Proxy Layer

Agents make API calls normally. The proxy injects the auth header before forwarding. Credentials are never in the execution environment.

Cryptographic Agent Identity

Every agent receives an Ed25519 key pair and a did:key DID. Every request carries a Proof-of-Possession JWT.

Full Auth Lifecycle

Handles PKCE, Device Code, Dynamic Client Registration, Service Accounts, and API key flows. Continuous automatic rotation.

Verified Audit Trails

Every credential use produces a structured, identity-bound audit event. Export directly to OpenTelemetry.

Access Policies

Specify exactly which agents can use which providers. Unauthorized agents get a 403, evaluated before header injection.

One-Click Revoke

Invalidate the header cache, terminate access, or revoke an agent's entire vault access instantly.

Give your agents access, not your keys

Authsome is launching soon. Drop your GitHub handle and we'll notify you the moment the credential gateway is live.
