HSM-backed vault · Append-only audit · Human-in-the-loop

Stop credential inheritance.
Give your agents a valet key, not your house keys.

AgentValet sits between your agents and the platforms they call. Each agent gets its own cryptographic identity, scoped to exactly what it needs. You approve the risky calls. Every action leaves an audit receipt. One revoke ends it instantly.

~30s to register your first agent · 20 platforms live now · $0 to start, no card

Free tier available. Live in under 5 minutes, or we'll wire your first agent with you on a call. 30-day money-back on paid plans.

[Diagram: agent invoice-processor (RS256 · signs JWT) → AgentValet (verify_sig, check_scope, inject_cred, audit_write) → platforms (airtable, gmail, slack, github, hubspot, xero)]

A while back Dharmesh Shah described a valet key for AI agents. A key that starts the car but won't open the boot, the glovebox, or the front gate at home. I commented that I might build it. Then I did.

I'm Edwin. I build and run AI systems for government, legal, and enterprise teams out of Brisbane, and I'd watched too many agents handed the full keyring when all they needed was to start the car. AgentValet is that valet key, shipped.

I'm not reselling someone else's platform. I write the code and run it in production. I've spent fifteen years in regulated Australian environments where a leaked credential is a genuinely bad day. AgentValet is the thing I wanted and couldn't buy: every agent with its own identity, scoped to exactly what it needs, a human on the risky calls, and a trail you can hand an auditor without apologising for it.

House key or valet key? Most agents are running with the wrong one.

House key agent (the current default)
Full keyring. Every door.

The agent inherits your raw API keys via environment variables or a shared secrets store. It can read your email, write to your database, push to production, spend money, and delete files. None of that was intentional. It's just what "give the agent access" looks like when there's no governance layer in between.

  • No cryptographic identity per agent
  • No scope limits on what it can call
  • No human gate on risky actions
  • No audit trail you can hand an auditor
  • Revoking means rotating every key it touched

Valet key agent (what AgentValet gives you)
Starts the car. Nothing else.

Each agent has a unique RS256 identity and is granted only the specific scopes it actually needs. Risky calls pause for a human. Every action writes an immutable receipt. Revoke one agent in a single click and nothing else is touched.

  • Cryptographic identity per agent (RS256 keypair)
  • Deny-by-default scopes, granted per action
  • Human approval before anything risky runs
  • Append-only audit receipt on every call
  • One-click revocation, instant and cascading

From zero to governed in three steps. No keys in your repo.

01  Register your agent (~30 seconds)
Run npx @agentvalet/register from your agent project. An RS256 keypair is generated and the public key goes into the registry. The private key never leaves your machine. For Claude Code, the command also writes your CLAUDE.md and .mcp.json automatically.

02  Connect platforms, owner approves scopes
You connect platforms in the dashboard and grant each agent precisely the scopes it needs: read-only on one GitHub account, write on a specific Slack channel, nothing else. Credentials are stored with envelope encryption, one AES-256 key per credential, the master key held in a Key Vault HSM. Your agent never sees raw tokens.

03  Agents call via the proxy, every call logged
The agent calls the proxy with a short-lived JWT. In a single round trip, the proxy verifies the signature, checks the scope grant, decrypts the credential in-memory, forwards the call, and writes an immutable audit row. Risky calls pause for a human and resume when you approve, from your phone or browser. Every action is fully revocable at any point.

One governed surface for everything your agents reach for.

It's one proxy in front of everything your agents touch, so there's a single audit trail and a single place to pull the plug.

Governed MCP
Paste an MCP server URL. AgentValet wraps it.

Point AgentValet at any third-party MCP server and it becomes a governed platform: the bearer token is vaulted, the server's tools become scopes you grant per agent, and every call runs through the same approval and audit path as everything else. No token on your agent's disk, no token in your config. AgentValet also runs its own hosted MCP server over OAuth 2.1, so agents can connect without a local key file at all.

Token, header, and query auth today. OAuth-mode coming soon.
Multiple accounts per platform
Two GitHub logins, three Google accounts, different Slack workspaces, each kept distinct. Grant scopes per connection, not per platform. The audit log records which account acted, every time.
Ask Valet (plain-English policies)
Press ⌘K and say "never let any agent send email without my approval." AgentValet drafts the policy for you to review. You decide what ships. Guardrails, scopes, and tag rules, described in natural language and enforced in the proxy.
Org-wide policies
Set a guardrail once and every agent in your org obeys it from that point on. Deny wins in a fixed cascade: org guardrails run first, then per-owner policy, then per-agent scope check. All three have to agree before a call is allowed.
Append-only audit receipt on every call
Every proxy call writes an immutable row in PostgreSQL with row-level security set to INSERT only (no UPDATE or DELETE, even with database credentials). Each row records the agent, the platform, the connection label (the real GitHub login or Google email), the scope used, and the outcome. Export to CSV, JSON, or PDF on Team and up.
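
The deny-wins cascade from the Org-wide policies item above, sketched as an added example (not AgentValet's code). The rule shape, the effect names allow / require_approval / deny, the platform:action strings and the hold outcome are assumptions made for illustration; an unrecognised effect fails closed.

```javascript
// Added example: rule shape and effect names are assumptions, not AgentValet's policy format.
const RANK = new Map([["allow", 0], ["require_approval", 1], ["deny", 2]]);

// A rule matches "platform:action"; "*" matches any single segment.
function matches(pattern, action) {
  const [pp, pa] = pattern.split(":");
  const [ap, aa] = action.split(":");
  return (pp === "*" || pp === ap) && (pa === "*" || pa === aa);
}

// Strictest matching effect in one layer. No matching rule means no objection;
// an effect the evaluator does not recognise is treated as deny (fail closed).
function layerEffect(rules, action) {
  return rules
    .filter((r) => matches(r.match, action))
    .map((r) => (RANK.has(r.effect) ? r.effect : "deny"))
    .reduce((worst, e) => (RANK.get(e) > RANK.get(worst) ? e : worst), "allow");
}

// Fixed order: org guardrails, then owner policy, then the agent's own scope grants.
function decide({ orgRules, ownerRules, agentScopes }, action, approved = false) {
  let needsApproval = false;
  for (const [layer, rules] of [["org", orgRules], ["owner", ownerRules]]) {
    const effect = layerEffect(rules, action);
    if (effect === "deny") return { outcome: "deny", layer };
    if (effect === "require_approval") needsApproval = true;
  }
  // Deny by default: an "allow" rule higher up never substitutes for a missing grant.
  if (!agentScopes.includes(action)) return { outcome: "deny", layer: "agent" };
  if (needsApproval && !approved) return { outcome: "hold", layer: "approval" };
  return { outcome: "allow", layer: null };
}

// Constructed policy set; the first org rule mirrors the "send email" guardrail quoted above.
const policy = {
  orgRules: [
    { match: "gmail:send", effect: "require_approval" },
    { match: "xero:*", effect: "deny" },
  ],
  ownerRules: [{ match: "slack:post", effect: "allow" }],
  agentScopes: ["gmail:send", "slack:post", "xero:read"],
};
console.log(decide(policy, "gmail:send"), decide(policy, "xero:read"));
```

The xero:read case is the one to look at: the agent holds the scope, but the org guardrail still wins.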

Credentials that are genuinely hard to misuse.

The assumption underlying most secrets management is that if nobody can read the secret file, you're fine. That assumption breaks the moment an agent runs with inherited API keys and no scope enforcement, because now a compromised agent, a rogue prompt injection, or a careless scope grant becomes a master key.

AgentValet starts from a different position. Each credential gets its own AES-256 data encryption key. That key is itself encrypted by a master key held in a Key Vault HSM we don't control at the database layer. When a call comes in, the proxy decrypts the credential in-memory for that single request, then discards it. It never lands in a log, a response body, or a debug trace.

Scope enforcement runs before decryption. An agent without the right grant never triggers a decrypt at all. Risky actions (writes, deletes, financial operations) pause the request and wait for a human to approve from their phone or browser. If the approval doesn't come, the call doesn't run. Every decision, approved or denied, lands in the append-only audit log so you can reconstruct exactly what happened and when. Revoke an agent and the effect is immediate: its public key is removed from the registry, all scope grants are invalidated, and any in-flight requests are rejected.
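
The check order from step 03 and from the paragraph above, as an added example (not AgentValet's code): signature, expiry and scope are verified before any credential is unwrapped, and revocation removes the key the proxy verifies against. The Maps, the sub/exp claims, the platform:scope strings, the function names and the in-process master key standing in for the HSM are assumptions.

```javascript
// Added example: registry, grants and vault are constructed stand-ins, not AgentValet's code.
const crypto = require("node:crypto");

const registry = new Map(); // agentId -> RSA public key
const grants = new Map();   // agentId -> Set of "platform:scope"
const vault = new Map();    // platform -> { wrappedDek, cred }
const masterKey = crypto.randomBytes(32); // software stand-in for the HSM-held master key
const stats = { decrypts: 0 };
const enc = (obj) => Buffer.from(JSON.stringify(obj)).toString("base64url");
const dec = (part) => JSON.parse(Buffer.from(part, "base64url").toString("utf8"));
function registerAgent(id, scopes) { // the private key stays with the agent
  const { publicKey, privateKey } = crypto.generateKeyPairSync("rsa", { modulusLength: 2048 });
  registry.set(id, publicKey); grants.set(id, new Set(scopes));
  return privateKey;
}
function revoke(agentId) { registry.delete(agentId); grants.delete(agentId); }
function seal(key, plaintext) { // AES-256-GCM with a fresh 96-bit IV
  const iv = crypto.randomBytes(12);
  const c = crypto.createCipheriv("aes-256-gcm", key, iv);
  const ct = Buffer.concat([c.update(plaintext), c.final()]);
  return { iv, ct, tag: c.getAuthTag() };
}
function unseal(key, { iv, ct, tag }) {
  const d = crypto.createDecipheriv("aes-256-gcm", key, iv);
  d.setAuthTag(tag);
  return Buffer.concat([d.update(ct), d.final()]);
}
function storeCredential(platform, token) { // envelope: one DEK per credential
  const dek = crypto.randomBytes(32);
  vault.set(platform, { wrappedDek: seal(masterKey, dek), cred: seal(dek, Buffer.from(token)) });
}
function signJwt(privateKey, claims) { // agent side; RS256 = PKCS#1 v1.5 + SHA-256
  const input = `${enc({ alg: "RS256", typ: "JWT" })}.${enc(claims)}`;
  return `${input}.${crypto.sign("sha256", Buffer.from(input), privateKey).toString("base64url")}`;
}
function handle(jwt, platform, scope, forward, now = Math.floor(Date.now() / 1000)) {
  const deny = (reason) => ({ ok: false, reason });
  const [h, p, s, extra] = String(jwt).split(".");
  if (!h || !p || !s || extra !== undefined) return deny("malformed");
  let header, claims;
  try { header = dec(h); claims = dec(p); } catch { return deny("malformed"); }
  if (header?.alg !== "RS256") return deny("bad_alg"); // pin the algorithm, ignore the header's wish
  const pub = registry.get(claims?.sub);               // a revoked agent has no key here
  if (!pub) return deny("unknown_agent");
  const sigOk = crypto.verify("sha256", Buffer.from(`${h}.${p}`), pub, Buffer.from(s, "base64url"));
  if (!sigOk) return deny("bad_signature");
  if (typeof claims.exp !== "number" || claims.exp <= now) return deny("expired");
  if (!grants.get(claims.sub)?.has(`${platform}:${scope}`)) return deny("scope_denied");
  const rec = vault.get(platform);
  if (!rec) return deny("no_credential");
  stats.decrypts += 1; // reached only after identity, expiry and scope all passed
  const token = unseal(unseal(masterKey, rec.wrappedDek), rec.cred).toString("utf8");
  return { ok: true, result: forward(token) }; // the token is handed to the call, not returned
}
```

The stats.decrypts counter exists only so a test can confirm that a denied request never reaches the unwrap step.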

Identity
RS256 keypair per agent. Private key never leaves the agent machine. The proxy verifies every request against the public key in the registry. No shared secrets anywhere.
Encryption
Envelope encryption: AES-256 DEK per credential, master key in a Key Vault HSM. Decrypted in-memory at call time only. Never logged.
Governance
Deny-by-default scopes. Human approval on risky calls. Append-only audit. Instant revoke. Circuit breaker auto-suspends on 3 auth failures.

Convictions, not marketing copy.

I write the code and run it.

Not a reseller. Not a rebranded platform I'm badging and pitching. The proxy, the vault integration, the audit logic: I built it and I'm the person maintaining it. That matters when something goes wrong, because the person you're talking to is the person who can fix it.

Governance done properly, not routed around.

The audit trail and approval flows are the point. If your security team would call them security theatre on a review, I want to know before you pay me for it. The goal is something that survives a real security review, not something that merely passes a checkbox.

I'll tell you what isn't built yet.

Bring-your-own-key (BYOK) is in development. OpenClaw integration is coming soon. A few parts of the roadmap aren't shipped. I'd rather you know that than find out after signing up. The things that are live are live, and I'll say which ones those are.

A leaked credential is a genuinely bad day.

Fifteen years in regulated Australian environments means I've seen what happens when a secret gets out. I didn't build AgentValet for the theoretical threat. I built it because watching agents inherit full keyrings made me genuinely uncomfortable, and I couldn't find something to buy that fixed it properly.

I won't build someone's vague dream.

Undefined scope, free thinking, "we'll sort out the IP later": none of that. My thinking here is commercial and clear-eyed, which means if you want something AgentValet doesn't do, I'll tell you plainly rather than promise a roadmap I don't have. The product exists because I needed it. It keeps existing because other people need it too.

Watch every call your agent makes before you commit to anything.

Bring your own key. Your agent's calls relay through AgentValet and land in a live audit feed on a private link. Nothing is stored on our side. No account needed to start. When you're ready to switch on full governance, the trail converts in one click.

Metadata only. No request or response bodies are logged. Works with select catalog platforms on the free trial; a free account unlocks all 20.


Claude Code, Cursor, Codex, Hermes, Paperclip, and your own scripts.

One MCP endpoint. Connect it to your host in minutes, or register directly with npx @agentvalet/register. Every agent gets cryptographic identity, scoped credentials, and a full audit trail regardless of which tool is running it.

Paperclip Beta
Company-of-agents orchestrator. AgentValet adds the credential vault and per-agent scope enforcement.
Cursor
AI code editor. Add AgentValet MCP in .cursor/mcp.json. Agent-mode tools governed from day one.
Claude Code
npx @agentvalet/register wires the MCP config and CLAUDE.md automatically.
Claude Desktop
Paste the agentvalet server entry into claude_desktop_config.json.
Codex CLI
Add via codex mcp add or drop into .codex/config.toml.
Hermes
Nous Research's agent. Register AgentValet via hermes mcp add.
Factory Droid
Register via droid mcp add or .factory/mcp.json.
Your own scripts
Any agent that signs a JWT can use the proxy. Language-agnostic, HTTP-native.

Product proof, not promises.

Things you can actually verify, not things I'm asking you to take my word for.

The real install command
npx @agentvalet/register

Published on npm. Works today. Free tier, no card required.

Live today
  • 20 platform integrations live (Airtable, Gmail, Slack, GitHub, HubSpot, Xero, and more)
  • MCP server on npm, installable right now
  • Append-only audit log enforced at the database level (PostgreSQL INSERT-only RLS)
  • Envelope encryption with Key Vault HSM (the mechanics are in the docs)
  • Okta SSO live on Enterprise via verified domain

Honest beta line

It's still beta, and I'll tell you what isn't built yet rather than paper over it. If the audit trail and approval flow don't satisfy your team, walk away. The free tier is there to let you check before you trust me.

Bring-your-own-key is in development (sign up below to get notified). A handful of integrations are in testing, not yet live. If you need something specific, ask me directly.

Early access pricing. Lock it in before launch.

AgentValet is in beta. Early-adopter pricing goes up at GA, and any plan you start now is locked in for as long as you stay subscribed.

Live in 5 minutes or we set it up with you · 30-day money-back · Agents keep running, no mid-workflow cutoffs · Every call logged and auditable

Free
$0 forever
For your first agent. No card required.
  • 2 agents
  • 2 platform connections
  • 100 calls/month
  • 3-day audit log
  • Human approval flows
  • Community support

Solo
$19 /mo
Beta pricing
Get started and test the waters.
  • 3 agents
  • 3 platform connections
  • 1,000 calls/month included
  • $0.02 per call after that
  • 7-day audit log
  • Human approval flows
  • Email support
  • 30-day money-back guarantee

Team
$129 /mo
Beta rate: yours for life if you start now
For agencies and operators at scale.
  • 50 agents
  • Effectively unlimited platform connections (999)
  • 50,000 calls/month included
  • $0.01 per call after that
  • 1-year audit log + CSV/JSON export
  • Human approval flows
  • Approval delegation (3 emails)
  • Mobile push approvals
  • Custom monthly spend alert
  • Priority support
  • 30-day money-back guarantee
Agency · Per-client isolation
Run agents across client workspaces without sharing a single key

A separate scoped identity per client, instant offboarding when an engagement ends, and an isolation trail each client's auditor will accept. Everything in Team, scaled to your whole book of clients.

Your agents keep running. No mid-workflow cutoffs.

Calls beyond your included amount are tracked and billed at your plan's overage rate at the end of the month. You'll see the running total in your dashboard and we'll email you before your bill grows significantly. No surprises. Pay for what you use.

Enterprise
Governed agent access for the whole org

Every agent identified. Every action audited and attributed to the real person. Access gated by your SSO. Dangerous actions held for human approval. Everything in Team, plus the controls your security team will ask for before agents touch production.

  • Okta SSO, live today: access follows your identity provider via verified domain
  • Forensic audit: IP, geo, device, request ID on every action
  • Per-user OAuth: each person acts under their own identity per platform
  • 999 approval delegates · effectively unlimited agents, calls, and retention
Run a scoped pilot with your real agents and platforms. If the audit trail and approval flow don't satisfy your security team, walk away. No commitment.

How overage works

Your agents never stop mid-run. If you use more calls than your plan includes, we track the extra calls and add them to your next invoice at your plan's overage rate. No surprises. No cutoffs. Pay for what you use.

Pricing questions
Yes. Current pricing reflects where the product is right now. When AgentValet moves to GA, prices will go up. Any plan you start during beta locks in your rate for as long as you stay subscribed. No surprises, no grandfathering footnotes.
Yes. Every account starts on the Free plan: 2 agents, 100 calls/month, no card required. Stay on it as long as you like. Paid plans add a 30-day money-back guarantee on top.
Each time an AI agent makes an API request through AgentValet to an external platform (Slack, GitHub, Gmail, etc.) counts as one call. Read-only and write calls both count equally.
Yes, any time. Upgrades take effect immediately. Downgrades take effect at the next billing cycle.
Yes. Enterprise is provisioned by our team rather than self-serve checkout. Okta SSO is live today via verified domain.
API keys are static secrets that can't prove who is using them. AgentValet uses per-agent RS256 keypairs. The private key never leaves the agent, so every request is cryptographically attributed to a specific agent identity. Scope enforcement, human approval, and an append-only audit trail come on top of that.
Credentials never sit in plaintext anywhere a person can read them. Each one gets a unique AES-256 key; the master key lives in a Key Vault HSM; decryption happens in-memory inside our isolated proxy only at call time. Never logged. Every decrypt is audited.
Revocation is immediate and cascading. The agent's public key is removed from the registry, all scope grants are invalidated, and any in-flight requests are rejected. Deactivating the agent also revokes its stored OAuth refresh-token chain, so the upstream grant can't be reused.
Yes. AgentValet is agent-agnostic. The CLI registers any agent that can sign a JWT. For Claude Code specifically, npx @agentvalet/register automatically injects the correct CLAUDE.md configuration. Any agent that can make HTTP requests can use the proxy.
The audit log is backed by PostgreSQL with row-level security policies that allow only INSERT. No UPDATE or DELETE, even with database credentials. On Team and up you can export the full audit trail to CSV, JSON, or PDF for your SIEM or compliance tooling.
20 platform integrations are live today, including Airtable, Gmail, Slack, HubSpot, GitHub, Jira, Linear, Google Calendar, Microsoft Outlook, Xero, Google Sheets, Google Tasks, Microsoft Teams, Google Drive, and Google Docs. Each has OAuth scope-level approval. 5 more are in testing.
Yes. Point AgentValet at a token-auth MCP server and it becomes a governed platform: its token is vaulted, its tools become scopes you grant per agent, and every call goes through the same approval and audit path. OAuth-mode third-party MCP servers are coming soon.
Yes. From Studio up you can invite teammates by email. They self-register and bind their own agent, with no shared keys. Team adds mobile-push approvals and email approval delegation. Enterprise adds SSO (Okta / SAML via verified domain), forensic audit columns, and per-user OAuth identity.

Still not sure it's the right fit?

Start on the free tier and run your first agent through it. You'll know within an hour whether it does what you need. If the audit trail and approval flow don't satisfy your team, walk away. I'd rather you find out for free than pay for something that doesn't fit.

No card for the free tier. 30-day money-back on paid plans. · Want to hold your own key? Get notified when BYOK ships →