Managing AI Agent Credentials with Anima Vault

How to use the Anima Vault for secure storage and management of API keys, passwords, and OAuth tokens with per-identity scoping and audit logging.

Anima Team · 2 min read

Tags: tutorial, vault, credentials

AI agents often require access to third-party services, necessitating the secure storage of sensitive credentials. Hardcoding these or using insecure environment variables creates significant risk. Anima Vault, powered by Vaultwarden, provides a dedicated infrastructure for managing these secrets at scale.

Scoping Credentials to Agent Identities

The core principle of Anima Vault is identity-based access control. Secrets are never stored globally; they are scoped to specific agent identities. This ensures that an agent only has access to the credentials it explicitly needs for its assigned tasks.

import { Anima } from "@anima/sdk";

// The SDK client is authenticated with the operator's own API key
const am = new Anima(process.env.AM_API_KEY);

// Look up the agent identity that will own the secret
const identity = await am.identities.get("agent_123");

// Create a new secret in the agent's vault, scoped to that identity only
const secret = await am.vault.secrets.create({
  identityId: identity.id,
  key: "OPENAI_API_KEY",
  value: "sk-proj-...",
  type: "api_key"
});

Secure Retrieval and Injection

Agents retrieve secrets dynamically at runtime. This prevents secrets from persisting in log files or memory dumps outside of the execution context.

// Retrieve a specific secret for this identity at runtime
const apiKey = await am.vault.secrets.get(identity.id, "OPENAI_API_KEY");

// Use the secret in a call without writing it to config or logs
const response = await fetch("https://api.openai.com/v1/chat/completions", {
  method: "POST",
  headers: {
    "Authorization": `Bearer ${apiKey.value}`
  },
  body: JSON.stringify({ ... })
});

Automatic Rotation and Lifecycles

For stronger security, Anima supports secret rotation. You can define a lifecycle for a credential so that a rotation webhook is triggered before the credential expires.

const rotatingSecret = await am.vault.secrets.create({
  identityId: identity.id,
  key: "DATABASE_PASSWORD",
  value: "temporary-pwd",
  rotation: {
    interval: "30d",
    webhookUrl: "https://agent-api.com/rotate-db-secret"
  }
});

Audit Logging and Compliance

Every access request to the vault is logged. This provides a complete audit trail of when and where an agent used a particular credential. Compliance reports can be generated per identity or per organization.

// Fetch the most recent access events for this identity
const logs = await am.vault.audit.getLogs({
  identityId: identity.id,
  limit: 100
});

logs.forEach(log => {
  console.log(`${log.timestamp}: ${log.action} on ${log.secretKey}`);
});
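Once audit entries are in hand, the useful step is reviewing them against the per-identity scoping described above and the rotation intervals from the previous section. The following is an added example, not code from the Anima SDK or the post: it runs over constructed audit entries and rotation metadata, and every field other than `timestamp`, `action` and `secretKey` (the ones the post's snippet prints) is an assumption.

```javascript
// Added example (not part of the Anima SDK): offline review of vault audit
// entries and rotation metadata. Field names other than timestamp, action and
// secretKey (shown in the post's audit snippet) are assumptions.

// Constructed sample audit entries, in the shape a getLogs() call might return.
const SAMPLE_LOGS = [
  { timestamp: "2024-05-01T10:00:00Z", identityId: "agent_123", action: "read", secretKey: "OPENAI_API_KEY" },
  { timestamp: "2024-05-01T10:05:00Z", identityId: "agent_456", action: "read", secretKey: "DATABASE_PASSWORD" },
  { timestamp: "2024-05-01T10:07:00Z", identityId: "agent_456", action: "read", secretKey: "OPENAI_API_KEY" },
  { timestamp: "2024-05-01T10:09:00Z", identityId: "agent_123", action: "create", secretKey: "SLACK_TOKEN" },
];

// Expected key set per identity (assumed policy mirroring per-identity scoping).
const ALLOWED_KEYS = {
  agent_123: ["OPENAI_API_KEY", "SLACK_TOKEN"],
  agent_456: ["DATABASE_PASSWORD"],
};

// Constructed rotation metadata for two secrets (rotatedAt is an assumed field).
const SAMPLE_SECRETS = [
  { key: "DATABASE_PASSWORD", rotatedAt: "2024-03-01T00:00:00Z", rotation: { interval: "30d" } },
  { key: "OPENAI_API_KEY", rotatedAt: "2024-04-20T00:00:00Z", rotation: { interval: "30d" } },
];

// Convert an interval in the "30d" style used on the page into milliseconds.
function intervalToMs(interval) {
  const m = /^(\d+)([smhd])$/.exec(interval);
  if (!m) throw new Error(`unsupported interval: ${interval}`);
  const unitMs = { s: 1000, m: 60000, h: 3600000, d: 86400000 }[m[2]];
  return Number(m[1]) * unitMs;
}

// Reads of a key outside the identity's allowed set indicate scoping drift.
function findOutOfScopeReads(logs, allowed) {
  return logs.filter((l) => l.action === "read" &&
    !(allowed[l.identityId] || []).includes(l.secretKey));
}

// Secrets whose last rotation is older than their interval are overdue.
function findOverdueRotations(secrets, nowIso) {
  const now = Date.parse(nowIso);
  return secrets
    .filter((s) => now - Date.parse(s.rotatedAt) > intervalToMs(s.rotation.interval))
    .map((s) => s.key);
}

console.log(findOutOfScopeReads(SAMPLE_LOGS, ALLOWED_KEYS));   // agent_456 reading OPENAI_API_KEY
console.log(findOverdueRotations(SAMPLE_SECRETS, "2024-05-01T00:00:00Z")); // ["DATABASE_PASSWORD"]
```

In practice the allowed-key map would be derived from the secrets actually created per identity, so that the review flags any read that the scoping rule should never have permitted.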

Best Practices for Agent Vaults

  • Use the Principle of Least Privilege: Only grant an agent access to the minimum set of credentials required for its function.
  • Enable MFA for Human Administrators: While agents use API keys, ensure that humans managing the vault have Multi-Factor Authentication enabled.
  • Avoid Long-Lived Credentials: Whenever possible, use OAuth tokens or short-lived API keys that can be refreshed automatically by the vault's rotation engine.
  • Regularly Rotate Root Keys: The master keys used to encrypt the agent's vault should be rotated according to your organization's security policy.

By centralizing secret management within the Anima infrastructure, you reduce the attack surface and simplify the deployment of autonomous AI agents across diverse environments.
