AVP injects real secrets on the wire so agents never hold them
AVP (Agent Vault Proxy) is an MIT-licensed proxy that gives coding agents placeholder credentials and swaps in real secrets at the network layer, so the agent process itself never holds a live API key.
AVP removes live API credentials from the agent process entirely, meaning prompt-injection attacks or other exploits that compromise the agent cannot exfiltrate secrets the process never possessed.
AVP (Agent Vault Proxy) is a proxy tool that addresses a specific security concern with agentic coding workflows: coding agents typically require real API keys in their environment variables, creating a risk that prompt injection or other exploits could exfiltrate those secrets. The author, who uses Claude Code and Codex daily on personal machines, found the conventional firewall approach inadequate because a firewall still allows the process to hold the secret — it only tries to block exfiltration after the fact.
AVP's approach is to give the agent a placeholder value (e.g., `STRIPE_API_KEY=avp-placeholder`) in its environment. When the agent makes an outbound request using that placeholder, AVP intercepts the request, retrieves the real credential from a vault, and injects it into the request headers on the wire before forwarding to the upstream service. The agent process itself never sees the live secret. AVP initially uses Bitwarden as its secret manager backend. The project is MIT licensed and was posted to Hacker News by the author seeking feedback.
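The header swap described above, as an added example that is not AVP's own code. Only the `avp-placeholder` value comes from the page; the per-host binding table, the in-memory stand-in for the vault and the refusal behaviour are assumptions, chosen to show that the proxy should release a secret only toward the upstream it belongs to.

```python
from urllib.parse import urlsplit

PLACEHOLDER = "avp-placeholder"  # placeholder value named on the page

# Hypothetical binding table (assumption): the only upstream host each
# vault item may be released to.
BINDINGS = {"api.stripe.com": "stripe-api-key"}

# Constructed stand-in for the secret manager backend (assumption).
VAULT = {"stripe-api-key": "constructed-real-secret"}


class InjectionRefused(Exception):
    """A placeholder was seen on a request that must not receive a secret."""


def inject(url, headers, vault=VAULT, bindings=BINDINGS):
    """Return a copy of headers with the placeholder replaced by the secret."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    out = {}
    for name, value in headers.items():
        if PLACEHOLDER not in value:
            out[name] = value  # nothing to swap, pass through unchanged
            continue
        if parts.scheme != "https":
            raise InjectionRefused(f"placeholder on non-TLS request to {host}")
        item = bindings.get(host)
        if item is None:
            raise InjectionRefused(f"no secret bound to host {host}")
        out[name] = value.replace(PLACEHOLDER, vault[item])
    return out


if __name__ == "__main__":
    agent_headers = {"Authorization": f"Bearer {PLACEHOLDER}", "Accept": "application/json"}
    print(inject("https://api.stripe.com/v1/charges", agent_headers))
    try:
        inject("https://example.invalid/collect", agent_headers)
    except InjectionRefused as exc:
        print("refused:", exc)
```

The agent-side dictionary is never mutated, so the process that built the request still holds only the placeholder after the proxy has forwarded the real value.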
Key facts
- AVP is a proxy that replaces placeholder credentials with real secrets at the network layer, so agent processes never hold live API keys.
- The agent's environment receives a placeholder value (e.g., `avp-placeholder`) instead of a real credential.
- AVP intercepts outbound requests and injects the real secret into the request header just before forwarding upstream.
- The author built AVP after finding firewall-based containment unsatisfying, noting firewalls still leave the secret inside the process.
- The author runs coding agents including Claude Code and Codex on personal machines.
- AVP initially integrates with Bitwarden as its secret manager backend.
- The project is MIT licensed and hosted on GitHub under inflightsec/agent-vault-proxy.
Summary and scoring are generated automatically from the original article. Last processed Jun 12, 2026 · 10:05 UTC.