API keys in environment variables

Stop putting API keys in environment variables

Env vars hand the real key to everything in the process. There is a safer way.


No keys in your environment

Secrets never touch the agent process, so a rogue dependency or prompt injection has nothing to steal.

Policy-checked on every call

Decide exactly which agents reach which providers. Everything else is denied and logged.

A verifiable audit trail

Every credential use is bound to a cryptographic identity, so you can prove who did what.

  • 14 OAuth2 providers
  • 31 API-key providers
  • 1 place for every key
  • 0 cloud accounts
  • MIT license

The problem with API keys in environment variables

Mounting secrets as environment variables is the default, but anything running in the process can read them: the agent itself, a rogue dependency, or a prompt-injected payload. Rotating a key means editing every deployment template that carries it, and nothing records which key was used, by whom, or when.

A safer pattern

Authsome runs a local proxy. Your agent calls APIs normally with a placeholder, and the real credential is added only as the request leaves the machine.

  • Secrets never enter the agent's environment.
  • Every request is policy-checked before a key is read.
  • Each use produces a verifiable audit event.
```bash
npx skills add agentrhq/authsome
```

Start the quickstart and connect your first provider in minutes.

Stop leaking keys through env vars

Be first to try Authsome. Add your GitHub handle and we'll ping you at launch.
