Open source · Apache 2.0 · An InferLabs product

The local vault
for AI agents.

Akasha intercepts sensitive data in agent tool calls and replaces it with vault:// tokens. Secrets stay on your machine — encrypted, post-quantum, fully audited.

$ akasha setup
Scanning for credentials...
   AWS default profile     vaulted
   AWS pk-website profile  vaulted
   SSH key id_ed25519      vaulted
   Git token (gh)          vaulted
Key wrapped with ML-KEM-768 → OS keychain
Claude Code ready — restart it.
Works with: Claude Code, Codex, Cursor, OpenAI SDK, Anthropic SDK, Ollama, A2A

Why Akasha

Secrets stay home.
Agents get tokens.

There is no unsafe way to use a credential the agent never holds.

Nothing leaves the machine

The vault is a local SQLite file encrypted with XChaCha20-Poly1305. The key lives in your OS keychain — never on disk, never in the cloud.

Credentials agents never hold

vault_assume hands the agent a short-lived, RAM-backed file handle — 1 hour TTL, mode 0600, gone on reboot. The raw secret is never in the context window.

MCP-native, zero code

One command writes the MCP config. Claude Code, Codex and Cursor get vault_assume, vault_wrap and friends as native tools.

Every touch audited

Each wrap, retrieve and assume is logged with the tool, task, and the agent's reasoning trace — a forensic trail of everything agents touched.

Beneath the MCP stack

akasha exec injects vaulted credentials into other MCP servers at launch — your GitHub or Postgres server never holds a plaintext token in its config.

Cross-agent grants

Delegate over A2A without leaking: only tokens travel the wire, and grants are single-use, tool-restricted, and expire in minutes.

Integrate

Two lines from any agent.
Zero from Claude Code.

# The agent asks for AWS — and never sees the secret
vault_assume(provider="aws", profile="default")

{
  "env": {
    "AWS_SHARED_CREDENTIALS_FILE": "…/sessions/aws-default.creds",  # RAM-backed
    "AWS_PROFILE": "default"
  },
  "expires_at": "2026-06-11T15:02:11Z"  # 1h TTL, audited
}

from akasha import Akasha

vault = Akasha(agent_id="support-bot-v2", api_key="agt_…")

# Scan content before it reaches a tool or the LLM
result = vault.wrap("send_email", "card 4111111111111111")
# result.clean_content → "card vault://e4f5g6h7"

# Retrieve safely — zeroed after the block, tool enforced
with vault.use(result.token, tool="stripe_charge") as secret:
    stripe.charge(secret.value)

# Store anything discovery didn't find
$ akasha put env:stripe STRIPE_API_KEY

# Run any process with vaulted credentials injected
$ akasha exec --assume aws:default -- aws s3 ls
$ akasha exec --assume env:stripe -- ./charge.sh

# Tail the audit log
$ akasha logs

Be the vault the other MCP servers run on

MCP servers can't see each other's traffic — but they all need credentials. Akasha sits beneath the stack: it supplies their secrets at launch and records who assumed what, so nothing sits in plaintext in your config.

// Instead of a hardcoded token in your MCP config:
"github": {
  "command": "akasha",
  "args": ["exec", "--assume", "github:default",
           "--", "github-mcp-server"]
}

Provenance

Know why, not just what.

Every audit entry captures the agent's task and reasoning — not just the access.

{
  "token": "vault://abc12345",
  "action": "VAULTED",
  "category": "CreditCard",
  "risk": "critical",
  "agent_id": "support-bot-v2",
  "tool_name": "send_email",
  "task": "Process refund for order #8821",
  "reasoning_trace": "User requested refund. Order verified. Initiating.",
  "triggered_by": "user message: 'I want my money back'"
}

Detection

Caught before it leaks.

Built-in patterns out of the box. Add your own in ~/.akasha/patterns.yaml.

Category              Sample match                Risk
SSN                   429-21-0001                 critical
Credit card           4111111111111111            critical
API key (AWS)         AKIA…                       critical
API key / password    sk-… / password: …          high
PII (email, phone)    user@example.com            medium
Risky tool watchlist  send_email, charge_card, …  varies
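
A minimal sketch of the detect-and-replace step behind the table above, added here as an illustration and not Akasha's own code. The regexes, the Luhn filter, the `wrap` signature and the in-memory `store` (standing in for the encrypted vault) are assumptions, and the sample string is constructed.

```python
import re
import secrets

# Illustrative patterns for three categories from the table above; these are
# assumptions for this sketch, not Akasha's built-in rules.
PATTERNS = [
    ("SSN", "critical", re.compile(r"\b\d{3}-\d{2}-\d{4}\b")),
    ("CreditCard", "critical", re.compile(r"\b\d(?:[ -]?\d){12,18}\b")),
    ("AWSKey", "critical", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
]


def luhn_ok(number: str) -> bool:
    """Payment-card checksum; filters out digit runs that are not card numbers."""
    digits = [int(c) for c in number if c.isdigit()][::-1]
    total = sum(digits[0::2]) + sum(sum(divmod(2 * d, 10)) for d in digits[1::2])
    return total % 10 == 0


def wrap(content: str, store: dict):
    """Replace detected secrets with vault:// tokens.

    Returns (clean_content, findings). Raw values go only into `store`,
    a hypothetical stand-in for the encrypted vault.
    """
    hits = []
    for category, risk, rx in PATTERNS:
        for m in rx.finditer(content):
            if category == "CreditCard" and not luhn_ok(m.group()):
                continue  # long digit run that fails the card checksum
            hits.append((m.start(), m.end(), category, risk))
    hits.sort()
    clean, findings, pos = [], [], 0
    for start, end, category, risk in hits:
        if start < pos:
            continue  # overlaps a span that was already replaced
        token = "vault://" + secrets.token_hex(4)
        store[token] = content[start:end]
        clean += [content[pos:start], token]
        findings.append({"token": token, "category": category, "risk": risk})
        pos = end
    clean.append(content[pos:])
    return "".join(clean), findings


# Constructed sample input built from the sample matches in the table above,
# plus a 16-digit order number that fails the Luhn check and must be left alone.
SAMPLE = "card 4111111111111111, ssn 429-21-0001, order 1234567890123456"
```

The Luhn filter is what keeps the order number in place while the card number is tokenized; without it, any 13 to 19 digit identifier would be vaulted as a card.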

Security

Built like it matters.

XChaCha20: Poly1305 vault encryption
ML-KEM-768: Post-quantum key wrapping
OS keychain: Key never touches disk
RAM-backed: Session creds never hit SSD
Single binary: Go daemon, no runtime deps
Apache 2.0: Open source, auditable

Give your agents power,
not your secrets.