Per-account encryption · HSM-backed keys · Every decrypt audited

Your tokens,
locked to a key dedicated to your account.

Every credential your agents use gets its own encryption key, sealed with a per-account master key stored in an HSM-backed Key Vault. Plaintext exists only in proxy memory at call time. Never logged. Every decrypt audited. Stop parking live API keys in .mcp.json or .env files. One revoke freezes access instantly.

Lock down your first agent → Self-host - coming soon
$ npx @agentvalet/register --name "My Agent" --scope slack:chat:write
RS256 No shared secrets
20 live Platforms live today. ↗
<5min Time to first agent
Dedicated key One per account, never shared
Audited Every decrypt logged
Agent
invoice-processor
RS256 · signs JWT
AgentValet
verify_sig
check_scope
inject_cred
audit_write
Platforms
stripe
gmail
slack
github
notion
hubspot
How it works

Setup in minutes. Govern from day one.

Three steps to deploy a fully governed agent that your whole team can audit.

01
Register your agent
Run npx @agentvalet/register from your agent project. An RS256 keypair is generated locally and the public key is recorded in the registry. When registering via CLI, the private key is written to your machine and is not transmitted. Your agent signs every request with it.
02
Connect platforms
Your owner approves scopes in the dashboard. AgentValet stores credentials using two layers of encryption: each token gets its own unique lock, and that lock is sealed with a master key that belongs only to your account — stored in a secure hardware vault (Azure Key Vault). Every customer gets their own master key. Your agents never see the raw tokens.
03
Call via proxy
Agents call POST /v1/actions with a short-lived JWT. The proxy verifies the signature, checks scope grants, injects credentials in-memory, forwards the call, and writes an append-only audit record (INSERT-only, no UPDATE or DELETE), in one round trip.
Architecture

Four things have to fail before a credential leaks.

A leaked .env file isn't enough. A compromised laptop isn't enough. A rogue agent isn't enough. Each layer below is independent — an attacker has to defeat all four to reach a live credential.

Identity
Stops a stolen agent file from impersonating a real one.
RS256 keypair per agent No shared secrets CIMD identity documents + JWKS AuthZEN policy evaluation
Governance
Stops a verified agent from doing something it shouldn't.
Deny-by-default scopes Human approval on writes One-click revocation
Integration
If our database leaks, your tokens are still encrypted with a per-account key held in an isolated Key Vault.
One encryption key per customer Master key in HSM-backed Key Vault RFC-8693 scope-attenuated delegation 20 platforms live, 5 in testing
Observability
Catches the breach you didn't prevent — so you can stop the next call.
Append-only audit log Per-call credential provenance Mobile push approvals (Team+) Anomaly alerts (Team+)
Security model

Six layers. Defence in depth.

Every request passes through a layered gauntlet. No credential ever touches a log.

Cryptographic identity
Each agent holds an RS256 private key. The proxy verifies every JWT against the public key in the registry. No shared secrets, no API keys that can leak.
Deny-by-default permissions
No agent can access any platform unless a human explicitly grants a specific scope. The permission matrix is per-agent, per-platform, per-action, not role-level blobs.
Your credentials, locked to your account
Every credential gets its own unique encryption key (DEK). That key is sealed with a per-account master key (KEK) stored in an HSM-backed Key Vault. The KEK never leaves the vault. Decryption happens in proxy memory only, once per call. Never logged. Every decrypt audited. Each audit row records which credential and which account connection were used.
Human-in-the-loop approval
Destructive or financial operations require explicit human approval before execution. Approvers need no AgentValet account: approvals work via magic link. Approvals expire, can be revoked, and every decision is recorded in the audit log. Mobile push approvals available on Team+.
Circuit breaker
Three auth failures or five consecutive API errors auto-suspend the agent. Suspension triggers an immediate push notification. Human review required before reactivation.
Append-only audit log
Every proxy call is append-only via PostgreSQL row-level security. No UPDATE or DELETE. Each row includes agent identity, account connection, scope used, response status, and latency. CSV/JSON/PDF export on Team plan and above.
Use cases

From solo tinkerer to enterprise fleet.

AgentValet scales with you. One config file to hundreds of governed agents across teams.

Solo
Personal agent stack
Register your coding assistant, email summariser, and calendar agent in minutes. Each gets its own identity and scoped credentials. No more shared API keys in .env files.
  • CLI registration in <2 min
  • Automatic CLAUDE.md injection
  • Free tier: 2 agents
Agency
Multi-client agent ops
Run agents across multiple client workspaces. Each agent is scoped to its client's platforms. Revoke access instantly when an engagement ends. No credential rotation ceremony.
  • Per-client credential isolation
  • Instant scope revocation
  • Shared audit log across team
Enterprise
Governed agent fleet
Run a governed agent fleet with per-agent scope enforcement, approval workflows, and a full audit trail. Bring-your-own-vault (BYOK) is in development for teams that need to hold their own master key. Every call goes through your security team's approval workflow.
  • CIMD identity with JWKS and AuthZEN policy evaluation
  • RFC-8693 scope-attenuated delegation chains
  • Audit export CSV/JSON/PDF (Team+)
  • Okta SSO live: access follows your identity provider via verified domain
Encryption model

Your tokens, locked to you.

Per-account keys in an HSM-backed Key Vault. A DEK per credential. Plaintext exists only in proxy memory at call time. Every decrypt audited.

Your credential
Every token gets its own lock
The moment you connect a platform, the access token is wrapped in its own unique encryption key. The original token is never written to disk or put in a log — only the locked version ever touches storage.
Your account's master key
A dedicated key, per account
Your account gets a dedicated master key (KEK), provisioned in an HSM-backed Key Vault. That master key seals each individual credential's DEK. The KEK never leaves the vault. No two accounts share a vault key. Connection identity is auto-probed: each connection is labelled with the real GitHub login, Google email, or equivalent account identifier.
The trust boundary
Every access is logged. No quiet path.
Your master key is isolated to your account in the Key Vault. To decrypt a credential, the vault key must be invoked, and every invocation is logged. There is no shared master key across accounts. Bring-your-own-vault (in development) will give teams that need it a structural guarantee: your vault, your key, no access from us.
Pricing

Early access pricing. Lock it in before launch.

AgentValet is in beta. These prices are for early adopters and they go up at GA. Sign up now and your rate is locked for life.

30-day money-back guarantee · Beta pricing locks in at signup · No increases for early members · Agents keep running, no mid-workflow cutoffs · Every call logged and auditable
Solo
$19 /mo
 
Beta pricing
Get started and test the waters.
  • 3 agents
  • 3 platform connections
  • 1,000 calls/month included
  • $0.02 per call after that
  • 7-day audit log
  • Human approval flows
  • Email support
  • 30-day money-back guarantee
Get started
Team
$129 /mo
 
Beta rate — yours for life if you start now
For agencies and operators at scale.
  • 50 agents
  • Unlimited platform connections
  • 50,000 calls/month included
  • $0.01 per call after that
  • 1-year audit log + CSV/JSON export
  • Human approval flows
  • Approval delegation (3 emails)
  • Mobile push approvals
  • Custom monthly spend alert
  • Priority support
  • 30-day money-back guarantee
Get started
Coming Soon
Enterprise
Custom
 
Self-hosted and team features in the works.
  • Unlimited agents
  • Unlimited calls
  • Custom audit retention
  • Okta SSO (contact sales)
  • Team seats
  • Bring your own vault (in development)
  • Dedicated support
Get started
How overage works

Your agents never stop mid-run. If you use more calls than your plan includes, we track the extra calls and add them to your next invoice at your plan's overage rate. You'll see the running total in your dashboard, and we'll email you before your bill grows significantly. No surprises. No cutoffs. Pay for what you use.

Pricing questions
Yes. Current pricing reflects where the product is right now. When AgentValet moves to GA, prices will go up. Any plan you start during beta locks in your rate for as long as you stay subscribed — no surprises, no grandfathering footnotes.
Every plan comes with a 30-day money-back guarantee. Try it risk-free and get a full refund if it's not right. No questions asked.
Each time an AI agent makes an API request through AgentValet to an external platform (Slack, Stripe, Gmail, etc.) counts as one call. Read-only calls and write calls both count equally.
No. Your agents keep running. Calls beyond your included amount are tracked and billed at your plan's overage rate at the end of the month. You'll see the running overage cost in your dashboard in real time.
Yes. On the Team plan you can set a monthly spend alert. We'll notify you when your estimated bill reaches your chosen threshold. On Solo and Studio, you'll receive email alerts at 75% and 90% of your included calls, and again when overage starts.
Yes, any time. Upgrades take effect immediately. Downgrades take effect at the next billing cycle.
Not yet. Join the notify list and we'll reach out when Team and Enterprise features are ready. Early access users get a discount.
Deployment

Your key. Your Key Vault.

Hold your own master key in a Key Vault you control, or let us handle the ops while you build.

Bring your own key - in development
Bring your own key
Point AgentValet at a Key Vault HSM you control. The master key that seals every credential lives in your tenancy, so we never hold your root key. We run the proxy and storage, you keep the key.
  • Your own Key Vault HSM holds the master key
  • Per-org envelope encryption, sealed with your key
  • Revoke the key in your vault to cut us off
  • Proxy and storage stay managed by us
In development, get notified
Hosted · Available now
We handle the ops
Get a production-grade AgentValet instance running in under 5 minutes. We manage availability, backups, and security patches. You focus on building agents.
  • Production-grade infrastructure
  • Automatic security updates
  • Per-account HSM-backed Key Vault
  • Security model documented at /security
Start in 5 minutes →
For Paperclip Companies

Paperclip runs your agents.
AgentValet keeps them honest.

Paperclip orchestrates who does the work. AgentValet controls what they're allowed to touch, and proves it. Every platform call is credentialed, scoped, rate-limited, and logged. One revoke to stop any agent, instantly, across your whole company.

Connect AgentValet to Paperclip → Read the integration docs →
The gap Paperclip leaves open
Credentials everywhere
Every Paperclip agent config that touches a SaaS platform holds a live credential. One leaked config file, one breach.
No audit trail per agent
Paperclip logs what tasks ran. It doesn't log what your Slack agent actually sent, or what your Stripe agent actually charged.
Kill switch is too slow
Revoking an agent in Paperclip stops future runs. It doesn't stop the credential the agent already holds from being used right now.
What AgentValet adds

AgentValet sits between your Paperclip agents and every SaaS platform they touch. Agents never hold real credentials. They hold a scoped valet key that AgentValet controls.

One credential, zero exposure
Your Paperclip agents authenticate via AgentValet using a short-lived, scoped token. The real API key never leaves AgentValet's vault.
Per-agent permission matrix
Set exactly which platforms each Paperclip agent can touch and which actions it can take. Your Finance agent gets Stripe read-only. Your Marketing agent gets Buffer write. Nothing bleeds across.
Human-in-the-loop for high-stakes calls
Flag specific scopes, stripe:charge and mail:send, as requiring your approval. AgentValet holds the call and only proceeds when you say so.
Full audit trail, per agent, per call
Every platform call any Paperclip agent makes is logged with the agent identity, platform, scope, timestamp, and outcome. Export to CSV. Compliance-ready.
Why AgentValet
Paperclip alone Paperclip + AgentValet
Agent orchestration
Budget controls
Credential vault
Per-agent scope enforcement
Human approval for sensitive calls
Per-call audit log
One-click agent revoke Suspends future runs Revokes credentials now
IETF AIMS compliant identity

"Paperclip is the company. AgentValet is the security desk at the door."

Why now
97M
MCP monthly downloads, and 66% of MCP servers have known security findings
The ecosystem is moving faster than the security layer. Every week more agents go into production touching real platforms with real credentials.
53K
Paperclip GitHub stars in 6 weeks
The "company of agents" model is not a thought experiment. Developers are running real autonomous businesses on Paperclip today. Those businesses need a security layer.
Mar 2026
IETF published the agent auth draft
The industry is converging on standards. AgentValet runs AuthZEN 1.0 policy evaluation and RFC-8693 scope-attenuated delegation today. CIMD identity documents with JWKS are live. Getting ahead of the compliance wave is the window.
How it works
1
Agent wakes in Paperclip
Task fires. Agent needs to call Slack, Stripe, or Gmail.
2
AgentValet issues scoped valet key
Short-lived token scoped to exactly the platforms and actions the agent needs.
3
Agent calls platforms via AgentValet proxy
Every call is validated, scoped, and forwarded. Unapproved actions are held for review.
4
Call logged, credentials never exposed
Append-only audit entry. You stay in control. One revoke kills access instantly.

"The agent does the work. AgentValet holds the keys."

How to connect

Three steps. One setup. Every agent covered.

STEP 1
Install the adapter
npm install @agentvalet/paperclip-adapter
One npm package. Register it in your Paperclip server, UI, and CLI registries.
STEP 2
Set three env vars
AGENTVALET_PROXY_URL=https://api.agentvalet.ai
AGENTVALET_OWNER_ID=your-owner-id
AGENTVALET_COMPANY_KEY=your-rs256-key
Set once per Paperclip company. Every agent inherits automatically.
STEP 3
Agents register themselves
On first heartbeat, each agent auto-registers with AgentValet. You approve it in the dashboard. Set which platforms it can touch and what it's allowed to do. Done.

No per-agent config. No credential juggling. One setup, every agent in your Paperclip company covered.

"The vision: one dashboard, one revoke button, every agent governed. We're opening early access now."

Give your Paperclip company a security desk.

Connect in minutes. Approve your first agent before your next heartbeat fires.

Get started → Read the docs →
FAQ

Common questions.

On the hosted plan: not by default, but we have the technical ability to. Your credentials are locked with your account's dedicated master key, stored in an HSM-backed Key Vault. The master key never leaves the vault. AgentValet invokes that key to lock and unlock credentials when an agent makes a call. Every invocation is logged and auditable. Bring-your-own-vault (in development) will give teams a structural guarantee: your Key Vault, your key, no access path for us. If you need that guarantee today, get in touch and we can discuss early access.
API keys are static secrets that can't prove who is using them. AgentValet uses per-agent RS256 keypairs. When registered via CLI, the private key stays on the registering machine, so every request is cryptographically attributed to a specific agent identity. You also get scope enforcement, human approval, and an append-only audit trail on top.
On the hosted tier, credentials are encrypted before storage and are only decrypted in-memory at call time inside our isolated proxy. They are never stored in plaintext or logged. Bring-your-own-vault (in development) will let you hold the master key in a Key Vault you control, so we never hold your root key.
Revocation is immediate and cascading. The agent's public key is removed from the registry, all its scope grants are invalidated, and any in-flight requests are rejected. If you use CAEP/SSF, downstream platforms that support the standard receive a revocation signal within seconds.
Yes. AgentValet is agent-agnostic. The CLI registers any agent that can sign a JWT. For Claude Code specifically, npx @agentvalet/register automatically injects the correct CLAUDE.md configuration and hooks. Any agent that can make HTTP requests can use the proxy.
The audit log is backed by PostgreSQL with row-level security policies that allow only INSERT. No UPDATE or DELETE. App-level credentials cannot modify historical records. Service-role access is separately controlled and monitored. On Team plan and above, you can export logs to CSV/JSON/PDF for an independent copy.
20 platform integrations are live today, with 5 in testing. Live integrations include GitHub, Slack, Gmail, Stripe, Notion, HubSpot, Airtable, Google Calendar, Microsoft Outlook, Supabase, Clerk, Google Sheets, Google Tasks, Microsoft Teams, Google Drive, and Google Docs. Each has OAuth scope-level approval. More are added regularly. See all integrations →

Give your agents an identity they deserve.

Deploy in 5 minutes. 30-day money-back guarantee. Cancel any time.

Get started → Self-host - coming soon