The number one security risk with autonomous AI agents isn't prompt injection or hallucination. It's credential exfiltration. Give an agent your Stripe API key and it can send it anywhere — to a log, to a webhook, to an attacker's server via a manipulated API call.

Most platforms solve this by... not solving it. They tell you to put secrets in environment variables and trust the agent not to leak them. That's not security. That's hope.

Oceum's Zero-Knowledge Vault takes a different approach: agents never see the secret at all.

The blind relay

Instead of giving an agent a raw API key, you store the credential in the vault. The vault returns a vault token — a reference handle like vtk_a8f3.... The agent holds the token, not the secret.

When the agent needs to make an authenticated API call, it sends the request through Oceum's vault proxy. The proxy:

  1. Receives the agent's request (target URL, method, headers, body)
  2. Validates the vault token and checks access policies
  3. Verifies the target URL is on the token's domain allowlist
  4. Decrypts the credential server-side (AES-256-GCM)
  5. Injects the credential into the request using the stored injection template
  6. Forwards the request to the target API
  7. Returns the response to the agent
  8. Logs the call with target host, method, and status code

The agent gets its API response. The secret never leaves the server. That's the blind relay.

Domain locking

Every vault token has a target_domains field — a comma-separated allowlist of domains the credential can be used against. A Stripe key locked to api.stripe.com can't be proxied to evil-server.com, even if the agent tries.

The proxy parses the target URL, extracts the hostname, and checks it against the allowlist. If there is no match, the request is rejected before any decryption happens.

SSRF prevention

Because the proxy makes outbound HTTP requests on behalf of agents, it's a natural SSRF target. The vault proxy blocks:

DNS resolution happens before the request is made. If the resolved IP falls into any blocked range, the request is rejected.

Injection templates

Different APIs expect credentials in different places. The vault supports three injection modes:

Templates are stored per-token when the credential is first vaulted. The agent never needs to know how the credential is injected — it just calls the proxy with the vault token and the target request.
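As an added example (not Oceum's code), the relay steps, the domain lock, the pre-connect IP check and a header-injection template from the sections above, collapsed into one function. The blocked ranges, the vault record, the DNS table and the template shape are constructed assumptions; decryption is modelled as a lookup.

```javascript
// Added illustration, not Oceum's code: the decision steps of a blind relay.
// The blocked ranges, the header-injection template shape, the vault record
// and the DNS table below are all constructed assumptions for this example.
const BLOCKED_CIDRS = [["0.0.0.0", 8], ["10.0.0.0", 8], ["127.0.0.0", 8],
  ["169.254.0.0", 16], ["172.16.0.0", 12], ["192.168.0.0", 16]];

const ipToInt = (ip) => ip.split(".").reduce((n, o) => n * 256 + Number(o), 0);

// True if an IPv4 address falls inside any blocked CIDR range.
function inBlockedRange(ip) {
  const addr = ipToInt(ip);
  return BLOCKED_CIDRS.some(([base, bits]) => {
    const mask = (0xffffffff << (32 - bits)) >>> 0;
    return ((addr & mask) >>> 0) === ((ipToInt(base) & mask) >>> 0);
  });
}

// Constructed vault record: decrypt() stands in for the server-side AES-256-GCM step.
const VAULT = {
  vtk_example: {
    target_domains: "api.stripe.com, api.example.com",
    decrypt: () => "sk_test_CONSTRUCTED_SECRET",
    template: { header: "Authorization", format: "Bearer {{secret}}" },
  },
};
// Constructed resolver: api.example.com deliberately points at a private address.
const DNS = { "api.stripe.com": "203.0.113.10", "api.example.com": "10.0.0.5" };
const resolveHost = (host) => DNS[host];

// Runs the proxy's checks in order; decryption happens only after every check passes.
// `outbound` is what the proxy would send to the target; the agent never receives it.
function relay(vaultToken, request, resolve, vault) {
  const token = vault[vaultToken];
  if (!token) return { ok: false, reason: "unknown token" };
  const url = new URL(request.url);            // real parser: hostname, not a substring match
  const allowed = token.target_domains.split(",").map((d) => d.trim().toLowerCase());
  if (!allowed.includes(url.hostname.toLowerCase()))
    return { ok: false, reason: "domain not allowlisted" };
  const ip = resolve(url.hostname);             // resolve first, connect to this exact IP
  if (!ip || inBlockedRange(ip)) return { ok: false, reason: "blocked address" };
  const secret = token.decrypt();               // only now is the credential in memory
  const headers = { ...request.headers,
    [token.template.header]: token.template.format.replace("{{secret}}", secret) };
  return { ok: true,
    outbound: { url: request.url, method: request.method, headers, connectTo: ip },
    audit: { token: vaultToken, host: url.hostname, method: request.method } };
}
```

The audit record is the only part of the return value that should ever reach a log; status code is appended after the forward completes.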

Audit trail

Every proxy call is logged: which agent, which vault token, which target host, HTTP method, response status code, and timestamp. Security — Oceum's security agent — runs daily audits that flag:

The result: agents operate with the credentials they need, but never possess them. If an agent is compromised, the attacker gets a vault token that only works against specific domains, through a server-side proxy, with every call logged. That's a fundamentally different security posture than a leaked API key.

The Zero-Knowledge Vault shipped in Phase 27. It's available on the SDK via agent.vaultProxy() and through the REST API at /api/vault with action: 'proxy'.