Agent Master KeyWhat Agent Master Key never sees
Agent Master Key is local-first by design. The product's entire job is to let your AI agents act on your accounts without handing them — or us — your secrets.
Where your secrets live
When you connect a provider, the API key or token is stored in your Mac's Keychain, encrypted by macOS. A small policy broker runs on your own machine (on 127.0.0.1) and uses those secrets locally to fulfill an agent's allowed requests. The secrets are not uploaded to Agent Master Key — there is no cloud vault in the loop.
What your agent gets
Your agent receives a single scoped Master Key (amk_live_…). It can reach only the connectors and actions you granted, and it never receives your underlying provider secret. You can revoke that key instantly, or use the Kill Switch to pause every agent at once.
What is recorded
Actions taken through the broker are written to a local, redacted audit trail so you can see what happened. Secret values are not written to logs or proofs.
What we never see
- Your provider API keys, tokens, or OAuth credentials.
- The contents of the calls your agents make to providers.
- Your account passwords.
Honest about maturity
These statements describe the product's architecture and design intent. Agent Master Key is in private beta, and an independent third-party security review is part of our path to general availability. We will only make stronger security claims once that review supports them.
Questions about custody? Email [email protected]. Security reports: [email protected].