Agent Identities

Give Every Agent Its Own Identity

Non-human identities for scripts, pipelines, bots, and AI agents

Stop sharing credentials between automated systems. Agent Identities give each non-human actor its own scoped token, auditable trail, and zero-knowledge encryption — so you can revoke one agent without disrupting the rest.

What Agent Identities Provide

First-class non-human identity management built on the same zero-knowledge encryption that protects your human users.

Dedicated Identity

Each agent gets its own unique identity — no more sharing credentials between scripts, pipelines, and bots.

Scoped Token Access

Agents receive their own API token, scoped to specific deployment profiles. Revoke one without affecting others.

Zero-Knowledge Encryption

Agent tokens carry an encrypted copy of the master key. Secrets are decrypted client-side, never exposed to the server.

Scoped Permissions

Agents can read secrets from assigned profiles but cannot manage users, change settings, or access other profiles.

Expiration & Lifecycle

Set optional expiration dates on agent tokens. Activate, deactivate, or delete agents at any time.

First-Class Audit Trail

Every agent action is logged with the agent's identity — see exactly which agent accessed which secret and when.

Creating & Managing Agents

Set up an agent identity in under a minute.

1. Create an Agent

Navigate to the Agents page and click Create. Give your agent a descriptive name (e.g., "CI/CD Pipeline" or "Staging Deploy Bot") and optionally set an expiration date.

2. Copy the Token

The agent's API token is shown once at creation. Copy it immediately and store it securely — you won't be able to see it again.

3. Assign to Groups

Add the agent to groups that have access to the deployment profiles it needs. Agents inherit the group's profile access.

4. Authenticate

Use the token with the CLI or API to authenticate as the agent. The agent can then read secrets from its assigned profiles.

Agent Trust Model

Agents have scoped, least-privilege access. They can read secrets they need — nothing more.

Agents can:
  Read secrets from assigned deployment profiles
  Authenticate via CLI or API with scoped token
  Appear in audit logs with distinct identity
  Be added to groups for profile access

Agents cannot:
  Manage other users or agents
  Change organization settings
  Access profiles outside assigned groups
  View or modify billing information
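To make the trust model concrete, here is an added illustration (constructed for this page, not API Stronghold's own code) of how group-inherited profile access, token expiration, deactivation, and per-agent audit logging combine into a single read decision; the agent names, profiles, and secret values are constructed sample data.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import Optional

# Constructed model of the trust model above; not API Stronghold's own code.
# An agent may read the union of its groups' profiles; expired or deactivated
# agents are refused; every decision is logged under the agent's own identity.

@dataclass
class Agent:
    name: str
    groups: set
    active: bool = True
    expires: Optional[date] = None        # optional token expiration date

@dataclass
class Org:
    group_profiles: dict                  # group -> profiles the group may read
    secrets: dict                         # profile -> {secret name: value}
    audit_log: list = field(default_factory=list)

    def allowed_profiles(self, agent: Agent) -> set:
        return set().union(*(self.group_profiles.get(g, set()) for g in agent.groups))

    def read_secret(self, agent: Agent, profile: str, key: str, today: date) -> Optional[str]:
        """Return the secret value, or None when the agent is refused; log either way."""
        if not agent.active:
            outcome = "denied: agent deactivated"
        elif agent.expires is not None and today > agent.expires:
            outcome = "denied: token expired"
        elif profile not in self.allowed_profiles(agent):
            outcome = "denied: profile not assigned via any group"
        elif key not in self.secrets.get(profile, {}):
            outcome = "denied: no such secret"
        else:
            outcome = "ok"
        self.audit_log.append({"agent": agent.name, "profile": profile, "secret": key, "outcome": outcome})
        return self.secrets[profile][key] if outcome == "ok" else None

def demo(today: date = date(2025, 1, 15)) -> Org:
    """Constructed sample org: one pipeline agent in scope, one expired staging bot."""
    org = Org(group_profiles={"deployers": {"production"}, "qa": {"staging"}},
              secrets={"production": {"DB_URL": "postgres://prod"}, "staging": {"DB_URL": "postgres://stg"}})
    pipeline = Agent("CI/CD Pipeline", groups={"deployers"})
    qa_bot = Agent("Staging Deploy Bot", groups={"qa"}, expires=date(2024, 12, 31))
    org.read_secret(pipeline, "production", "DB_URL", today)   # ok via the deployers group
    org.read_secret(pipeline, "staging", "DB_URL", today)      # denied: staging is only in qa
    org.read_secret(qa_bot, "staging", "DB_URL", today)        # denied: token expired
    return org

if __name__ == "__main__":
    for entry in demo().audit_log:
        print(entry)
```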

CLI & CI/CD Integration

Authenticate your automated systems with a single command.

CLI Authentication

# Authenticate with an agent identity token
api-stronghold-cli auth api-user --token <AGENT_TOKEN>

# Pull secrets for a deployment profile
api-stronghold-cli env pull --profile production

Docker / CI Pipeline

# In your Dockerfile or CI script
# Note: in a Dockerfile, ENV values and files written by RUN persist in the
# image layers; prefer passing the token in a CI script or as a build secret
# rather than baking the token and the pulled .env into the image.
ENV API_STRONGHOLD_TOKEN=$AGENT_TOKEN
RUN api-stronghold-cli auth api-user --token $API_STRONGHOLD_TOKEN
RUN api-stronghold-cli env pull --profile production -o .env

GitHub Actions

# .github/workflows/deploy.yml
- name: Authenticate with API Stronghold
  run: api-stronghold-cli auth api-user --token ${{ secrets.AGENT_TOKEN }}

- name: Pull production secrets
  run: api-stronghold-cli env pull --profile production -o .env

Stop Sharing Credentials

Give every automated system its own identity, its own token, and its own audit trail.