open source · MIT · credential firewall for AI agents
Arm your AI agents. Never hand over the keys.

Vault the secret. Hand the agent a scoped bvt_ token. Cap it, audit it, kill it in one click — and even prompt-injected, it cannot steal the key or misuse it.

blackvault — egress firewall
ONE KEY, VAULTED.  A SCOPED TOKEN PER AGENT.  
KILL IT IN ONE CLICK.  ZERO BLAST RADIUS.  
OpenAI/Anthropic/Google/Nebius/Claude Desktop/Cursor/Cline/LangChain/CrewAI/AutoGen/GitHub/Stripe/
// the key your agent never sees
sk-live-51H8aZ7pQxR3mN9kV
VAULTED · ENCRYPTED · SCOPED ↓
bvt_3f9a2c8e4d

The agent gets this token — never your key. Cap it, audit it, and revoke it in one click.

// what ships

The guardrails agents were missing.

01

Egress Firewall

Give an agent your GitHub / Stripe / DB key through a scoped token. Host pinned, methods and paths allowlisted, secret injected server-side.

02

MCP Server

A drop-in MCP server for Claude Desktop, Cursor and Claude Code. The config holds a bvt_ token, never a provider key.

03

Encrypted Vault

AES-256-GCM with per-key derived keys. Decrypted only in-flight, never returned to the agent.

04

Universal Gateway

One OpenAI-compatible endpoint for every provider. Auto-routes by model, translates tool calls and images.

05

Instant Kill Switch

Revoke a token, a key, or everything. The next call fails immediately.

06

Budget & Rate Caps

Per-token spend caps and RPM/RPD limits, enforced atomically — a burst can't blow past the cap.

// drop-in setup

Connect in 30 seconds.

Mint a bvt_ token, then plug it into any MCP client — or broker any API key over HTTP. Your config holds the token, never your real key.

Connect via MCP
{
  "mcpServers": {
    "blackvault": {
      "url": "https://black-vault-murex.vercel.app/api/mcp",
      "headers": { "Authorization": "Bearer bvt_your_token" }
    }
  }
}

Drop into claude_desktop_config.json or mcp.json. Governed by your budget caps, model limits and kill switch.

Broker any API key
# allowed by policy -> 200, real key injected server-side
curl https://black-vault-murex.vercel.app/api/egress/user \
  -H "Authorization: Bearer bvt_your_token"

# prompt-injected misuse -> 403 blocked + audited
curl -X DELETE https://black-vault-murex.vercel.app/api/egress/repos/you/app \
  -H "Authorization: Bearer bvt_your_token"

Injected server-side toward a pinned host. A prompt-injected delete or exfil attempt is blocked and audited — the agent never sees the key.
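
The allow/deny decision behind the two curl calls above, written out as an added example (not blackvault's own code). The policy shape, the function names, the `api.github.com` host and the mapping of the path after `/api/egress` onto the upstream path are all assumptions made for illustration.

```javascript
// Added illustration, not blackvault's code: policy shape and names are hypothetical.
const POLICY = {
  host: "api.github.com", // pinned upstream (assumed); never taken from the request
  allow: [
    { methods: ["GET"], path: "/user" },
    { methods: ["GET"], path: "/repos/*/*" }, // "*" matches exactly one segment
  ],
};

// Split a request path into segments, refusing anything the upstream could
// re-interpret: dot segments, empty segments, encoded separators.
function safeSegments(rawPath) {
  if (typeof rawPath !== "string" || !rawPath.startsWith("/")) return null;
  const segments = rawPath.slice(1).split("/");
  for (const seg of segments) {
    let decoded;
    try { decoded = decodeURIComponent(seg); } catch { return null; }
    if (decoded === "" || decoded === "." || decoded === "..") return null;
    // %2F, %5C, double encoding, control chars; queries are out of scope, so fail closed
    if (/[\/\\%?#\x00-\x1f]/.test(decoded)) return null;
  }
  return segments;
}

// Compare an allowlist pattern with the request, segment by segment.
function matches(pattern, segments) {
  const want = pattern.slice(1).split("/");
  return want.length === segments.length &&
    want.every((w, i) => w === "*" || w === segments[i]);
}

// Decide one agent request: 403 unless a rule allows both method and path.
function decide(policy, method, rawPath) {
  const segments = safeSegments(rawPath);
  if (!segments) return { status: 403, reason: "malformed path" };
  const verb = String(method).toUpperCase();
  const rule = policy.allow.find(
    (r) => r.methods.includes(verb) && matches(r.path, segments)
  );
  if (!rule) return { status: 403, reason: "not allowlisted" };
  // The host comes only from the policy, so a request cannot redirect the secret.
  const upstream = new URL("/" + segments.join("/"), "https://" + policy.host);
  return { status: 200, upstream: upstream.href };
}
```

Matching runs on the raw segments after the decoded form has been checked, so an encoded spelling of an allowlisted path is denied rather than normalised into a match.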

Three steps. Zero blast radius.

01

Vault the secret

Add an API key or credential. Encrypted with AES-256-GCM using a per-key derived key — and never returned to the agent.

02

Mint a scoped token

Generate a bvt_ token per agent with a policy: allowed hosts, methods and paths, a budget cap, and rate limits.

03

Ship it safely

The agent works through the token — it cannot see, steal, or misuse the secret. Every call is audited; one click kills it.

Give your agents real power, safely.

Free during beta. Open source. Self-hostable. Set up in two minutes.