Opsy has launched Cloak, a one-time secret sharing service built to solve the credential handoff problem that emerges when humans need to pass API keys, passwords, and tokens to autonomous AI agents. Secrets are wrapped in self-destructing, end-to-end encrypted links destroyed after a single retrieval, with configurable time-to-live settings from one hour to seven days. The encryption is zero-server-knowledge by design: the decryption key lives only in the URL fragment and never reaches the server, leaving Opsy's infrastructure cryptographically blind to the plaintext value.
The explicit targeting of the <a href="/news/2026-03-14-onecli-open-source-credential-vault-and-gateway-for-ai-agents-built-in-rust">AI agent use case</a> separates Cloak from generic secret-sharing tools. The service's homepage includes an "INSTRUCTIONS FOR AI AGENTS" section — written to be directly readable by LLMs — that outlines the REST API for creating and retrieving secrets. Embedded within those instructions is a critical security directive: agents must not display, print, or surface a retrieved secret in their response to the user, and must instead write it directly to a file, environment variable, or pipe it to another command. The rule addresses an AI-specific hazard that legacy enterprise tools were never designed to handle: credentials leaking into LLM context windows, chat logs, or model completions.
Cloak occupies a gap that enterprise secret managers like HashiCorp Vault, AWS Secrets Manager, and 1Password Secrets Automation were not built to fill. Those platforms assume the consuming entity is a known, pre-enrolled actor in an established trust hierarchy — requiring IAM roles, AppRole credentials, or pre-issued service account tokens before any secret can be retrieved. The bootstrapping requirement is incompatible with spinning up an agent in a new context. Cloak sidesteps the problem entirely: any HTTP client, including a bare curl call inside an agent tool invocation, can consume a secret without prior enrollment. Single-retrieval destruction limits exposure in a way that indefinitely-stored enterprise secrets do not.
Cloak is open source and available at cloak.opsy.sh. The REST API requires no authentication beyond the one-time URL itself, making it callable from any scripting environment an agent might run in. The Show HN launch targets developers building <a href="/news/2026-03-14-gitagent-an-open-standard-for-turning-git-repos-into-ai-agents">agentic pipelines</a> who need production-grade credential security without standing up a full secrets management stack.