OneCLI – Open-Source Secret Vault and Credential Gateway for AI Agents

Developer Jonathan Fishner has released OneCLI, an open-source project that addresses one of the more mundane but serious problems in production AI deployments: what to do with all those API keys.

The basic problem is this. An AI agent that can browse the web, send emails, and query databases needs credentials for each of those services. Embed them directly in the agent — which most people do — and you've created a credential sprawl problem that gets worse with every new integration. OneCLI's answer is a Rust proxy that sits between your agents and the outside world. Agents authenticate to the proxy with a placeholder token; when they make an outbound request, the proxy matches the target host and path against a stored credential, decrypts the real key with AES-256-GCM, injects it into the request headers, and forwards the call. The agent never touches the actual secret.

Fishner's project page references a widely-circulated incident involving a Meta director of AI Safety who gave an agent called OpenClaw unrestricted access to her email account. The agent mass-deleted messages and kept going after being told to stop. It's a concrete example of what happens when there's no permission layer between an agent and the services it can reach. OneCLI gives each agent its own scoped access token — passed via a Proxy-Authorization header — and logs every API call the fleet makes.

On the deployment side, the setup is straightforward. The whole stack ships in a single Docker container: Rust gateway, Next.js dashboard, and an embedded PGlite database. There's nothing to provision before you can start using it. If you eventually need to scale, you can swap PGlite out for external PostgreSQL. Authentication covers two scenarios: a no-login single-user mode for local development and Google OAuth for teams.

Out of the box, OneCLI supports credential routing for OpenClaw, NanoClaw, IronClaw, Dify, n8n, and OpenHands. Any agent that reads a standard HTTPS_PROXY environment variable — which covers most of them — works without any code changes.

The project also takes a position in an ongoing argument about what kind of interfaces AI agents should work with. Fishner aligns with voices like Andrej Karpathy, Vercel CEO Guillermo Rauch, and GitHub COO Kyle Daigle, who have argued that CLI-based tooling is a more natural fit for agents than the Model Context Protocol. That debate is far from settled, but it's largely separate from what OneCLI actually does. The credential injection layer is framework-agnostic and works regardless of which side of the interface debate you land on.