agent-auth

agent-auth

Zero-knowledge credential injection for AI agents. Your agent authenticates to websites and APIs without ever seeing a password, TOTP code, or API key.

Category
Visit Server

README

agent-auth

Zero-knowledge credential injection for AI agents. Your agent authenticates to websites and APIs without ever seeing a password, TOTP code, or API key.

Agent says:  fill #email with {{email}}, fill #password with {{password}}, click Sign In
agent-auth:  resolves {{email}} and {{password}} from encrypted vault, injects into browser
Agent gets:  "Login completed." (never sees the real values)

Why

AI agents are getting good at browsing the web and calling APIs. But authentication is a wall — you either hand the agent your password (dangerous) or do it yourself every time (defeats the purpose).

agent-auth sits between the agent and the browser. The agent describes what to do with placeholder tokens. agent-auth resolves the real credentials from a local encrypted vault and injects them directly into the browser via CDP. The agent never touches the secret material.

Works with any MCP-compatible agent: Claude Code, Claude Desktop, OpenCode, Cursor, or your own.

How It Works

AI Agent                        agent-auth                       Browser
   |                               |                               |
   |  "Log into AWS"               |                               |
   |  steps: [                     |                               |
   |    fill #email {{email}}      |                               |
   |    fill #pass  {{password}}   |  1. Decrypt from local vault  |
   |    fill #totp  {{totp}}       |  2. Generate TOTP from seed   |
   |    click Submit               |  3. Inject via CDP  --------->| Form filled
   |  ]                            |  4. Zero memory               |
   |                               |                               |
   |  "Login completed" <--------- |                               |
   |                               |                               |
   |  (never saw any secrets)      |  (secrets wiped from RAM)     |

Quick Start

# Clone and install
git clone https://github.com/ex-nihilo-labs/agent-auth.git
cd agent-auth && bun install

# Create your vault (you'll set a passphrase)
bun run src/index.ts init

# Add a credential
bun run src/index.ts add github \
  --username "you@example.com" \
  --password "your-password" \
  --domains "github.com"

# Add one with TOTP
bun run src/index.ts add aws-root \
  --username "admin@company.com" \
  --password "hunter2" \
  --totp "JBSWY3DPEHPK3PXP" \
  --domains "signin.aws.amazon.com,console.aws.amazon.com"

# See what's stored (names only — no secrets shown)
bun run src/index.ts list
# → github (domains: github.com)
# → aws-root (domains: signin.aws.amazon.com, console.aws.amazon.com)

Connect to Your Agent

agent-auth is an MCP server. Add it to your agent's config:

Claude Code / Claude Desktop

Add to .mcp.json in your project root (or ~/.claude/settings.json for global):

{
  "mcpServers": {
    "agent-auth": {
      "type": "stdio",
      "command": "bun",
      "args": ["run", "/path/to/agent-auth/src/index.ts", "serve"],
      "env": {
        "AGENT_AUTH_CDP_URL": "http://localhost:9222"
      }
    }
  }
}

The passphrase is read from your OS keychain automatically (stored during init). For development, you can set AGENT_AUTH_PASSPHRASE in the env block instead.

Other MCP Agents

Any agent that speaks MCP over stdio can use agent-auth. Start the server:

bun run src/index.ts serve

It exposes three tools over stdin/stdout JSONRPC.

MCP Tools

Tool What the agent sends What the agent gets back
secure_login Service name + browser steps with {{placeholders}} "Login completed" or error
auth_api Service name + HTTP request details API response body (credentials redacted)
list_credentials (nothing) Service names and allowed domains only

secure_login

Browser-based authentication. The agent describes the login flow as steps:

{
  "service": "github",
  "url": "https://github.com/login",
  "steps": [
    { "action": "fill", "selector": "#login_field", "value": "{{email}}" },
    { "action": "fill", "selector": "#password", "value": "{{password}}" },
    { "action": "click", "selector": "input[type='submit']" },
    { "action": "wait", "selector": ".logged-in", "timeout": 5000 }
  ]
}

Step actions: fill, type (character-by-character for SPAs), click, wait, select.

auth_api

Authenticated HTTP requests. Six injection methods:

{
  "service": "openai",
  "url": "https://api.openai.com/v1/models",
  "method": "GET",
  "injection": "bearer"
}

Injection methods: bearer, header, query, basic, json_body, form.

list_credentials

Returns service names and allowed domains. Never returns passwords, TOTP seeds, or API keys.

Security Model

The core guarantee: credentials never appear in MCP responses. They flow from vault to browser/HTTP and are zeroed from memory immediately after.

Layer Implementation
Encryption at rest AES-256-GCM, 12-byte random nonce per field
Key derivation Argon2id (3 iterations, 64MB memory, 4 parallelism)
Master key storage OS keychain (macOS Keychain, Linux secret-tool) with encrypted file fallback
Memory hygiene All credentials as Buffer/Uint8Array, zeroed with buf.fill(0) after use. Never converted to JS strings (immutable, can't be wiped).
Domain allowlist Deny-by-default. Each credential lists which domains it can be injected into.
Redirect protection Domain re-verified after every navigation step. Aborts if redirect leaves the allowlist.
Human approval First use of each credential+domain pair sends a push notification (Pushover) with a 4-digit code. 50-second window.
Rate limiting 3 requests/minute, 20/hour. Persisted in SQLite across restarts.
Audit trail Append-only JSONL log. All credential values masked.
No cloud Everything local. Vault never synced, uploaded, or phoned home.

CLI Reference

All CLI commands are human-only — never exposed via MCP.

agent-auth init                   # Create vault, set passphrase
agent-auth add <service>          # Add credential (interactive or with flags)
agent-auth list                   # List services (names only)
agent-auth remove <service>       # Delete a credential
agent-auth domains <service>      # View/edit allowed domains
agent-auth approve <code>         # Approve a pending auth request
agent-auth unlock                 # Unlock vault for current session
agent-auth lock                   # Lock vault, clear key from memory
agent-auth serve                  # Start MCP server (stdio)

Flags for add: --username, --password, --totp (base32 or otpauth:// URI), --domains (comma-separated), --notes.

Environment Variables

Variable Purpose Default
AGENT_AUTH_CDP_URL Chrome DevTools Protocol endpoint for browser injection (none — browser tools disabled)
AGENT_AUTH_PASSPHRASE Vault passphrase (dev/CI only — use keychain in production) (prompt or keychain)
AGENT_AUTH_NO_KEYCHAIN Skip OS keychain, use file-only key storage false
AGENT_AUTH_PUSHOVER_TOKEN Pushover app token for approval notifications (approval disabled)
AGENT_AUTH_PUSHOVER_USER Pushover user key (approval disabled)

Architecture

agent-auth/
├── src/
│   ├── index.ts              # CLI dispatcher + MCP serve
│   ├── mcp/                  # MCP server (3 tools over stdio JSONRPC)
│   ├── browser/              # CDP injection via Playwright (fill/type/click/wait/select)
│   ├── placeholder/          # {{email}}, {{username}}, {{password}}, {{totp}} resolution
│   ├── vault/                # AES-256-GCM encrypted SQLite + Argon2id KDF
│   ├── totp/                 # TOTP generation via otpauth
│   ├── proxy/                # HTTP credential injection (6 methods)
│   ├── approval/             # Human approval gate + Pushover
│   ├── security/             # Rate limiter, input validator, domain allowlist
│   ├── audit/                # Append-only JSONL audit log
│   └── cli/                  # Human-only credential management
└── tests/                    # 65 tests across 6 suites

Vault location: ~/.agent-auth/vault.db (SQLite, mode 0600)

Dependencies (intentionally minimal):

  • @modelcontextprotocol/sdk — MCP protocol
  • playwright-core — CDP browser automation (no bundled browser)
  • bun:sqlite — Built-in SQLite (zero deps)
  • otpauth — TOTP generation (5KB, pure JS)
  • @noble/hashes — Argon2id KDF (audited, pure JS)
  • zod — Input validation

Testing

bun test              # 65 tests, 6 suites
bun run typecheck     # TypeScript strict mode

Tests use AGENT_AUTH_NO_KEYCHAIN=1 to avoid macOS Keychain permission dialogs in CI.

Acknowledgments

agent-auth was inspired by these projects:

  • AgentSecrets (MIT) — Crypto envelope design (AES-256-GCM + Argon2id), domain allowlists, HTTP credential proxy pattern.
  • Virtual FIDO (MIT) — Passkey/WebAuthn emulation architecture. Planned for future passkey support.

Roadmap

  • [ ] Passkey/WebAuthn support via Virtual FIDO signing
  • [ ] npx agent-auth / global install
  • [ ] Credential import from 1Password, Bitwarden (CLI export)
  • [ ] Browser profile persistence (stay logged in across sessions)
  • [ ] Multi-page login flow templates (common services)

Contributing

PRs welcome. The codebase is small (~1,500 lines) and intentionally simple.

Ground rules:

  • No cloud features. The vault is local-only. This is not negotiable.
  • No new runtime dependencies without justification. We have 5 — that's enough.
  • Credentials must never be converted to JS strings. Buffer/Uint8Array only.
  • Tests required for any new functionality.
# Development
bun install
AGENT_AUTH_NO_KEYCHAIN=1 bun test    # Run tests
bun run typecheck                     # Type check

License

MIT — Ex Nihilo Labs, 2026

Recommended Servers

playwright-mcp

playwright-mcp

A Model Context Protocol server that enables LLMs to interact with web pages through structured accessibility snapshots without requiring vision models or screenshots.

Official
Featured
TypeScript
Magic Component Platform (MCP)

Magic Component Platform (MCP)

An AI-powered tool that generates modern UI components from natural language descriptions, integrating with popular IDEs to streamline UI development workflow.

Official
Featured
Local
TypeScript
Audiense Insights MCP Server

Audiense Insights MCP Server

Enables interaction with Audiense Insights accounts via the Model Context Protocol, facilitating the extraction and analysis of marketing insights and audience data including demographics, behavior, and influencer engagement.

Official
Featured
Local
TypeScript
VeyraX MCP

VeyraX MCP

Single MCP tool to connect all your favorite tools: Gmail, Calendar and 40 more.

Official
Featured
Local
graphlit-mcp-server

graphlit-mcp-server

The Model Context Protocol (MCP) Server enables integration between MCP clients and the Graphlit service. Ingest anything from Slack to Gmail to podcast feeds, in addition to web crawling, into a Graphlit project - and then retrieve relevant contents from the MCP client.

Official
Featured
TypeScript
Kagi MCP Server

Kagi MCP Server

An MCP server that integrates Kagi search capabilities with Claude AI, enabling Claude to perform real-time web searches when answering questions that require up-to-date information.

Official
Featured
Python
E2B

E2B

Using MCP to run code via e2b.

Official
Featured
Neon Database

Neon Database

MCP server for interacting with Neon Management API and databases

Official
Featured
Exa Search

Exa Search

A Model Context Protocol (MCP) server lets AI assistants like Claude use the Exa AI Search API for web searches. This setup allows AI models to get real-time web information in a safe and controlled way.

Official
Featured
Qdrant Server

Qdrant Server

This repository is an example of how to create a MCP server for Qdrant, a vector search engine.

Official
Featured