BrowserAnvil
Talk to sales Start building

Home / Product / Credential Vault

Credential Vault

Secrets the agent can use but never read.

Passwords, API tokens, MFA seeds, and session cookies live encrypted in the vault. When the agent needs one, we inject it at the keystroke layer — after the LLM, before the page.

Start vaulting See the compliance posture
Why vault at all

LLMs are bad at keeping secrets.

If the password is in the prompt, it lives forever in that model provider's logs, your traces, and any replay you recorded. One support ticket later and it is on someone's laptop.

The vault is a one-way pipe. The agent references a credential by handle — acme-okta — and the runtime substitutes the value into the keyboard stream at exactly the right DOM field.

// Agent prompt (safe to log, audit, share)
"Log in to Acme billing using the acme-okta
 credential, download the last three invoices,
 then log out."

// What the agent sees
tool.fill_credential("acme-okta.username")
tool.fill_credential("acme-okta.password")
tool.fill_credential("acme-okta.totp")

// Plaintext values never leave the microVM.

A vault built for agent workloads.

Envelope encryption

Each credential wrapped with a per-customer data key, rooted in AWS KMS or your own HSM on Enterprise.

Scoped to sessions

Grant an agent access to a single credential for a single session. Access revokes automatically on disconnect.

TOTP & WebAuthn

Built-in time-based one-time passwords. Bring-your-own hardware key via our WebAuthn proxy.

Automatic redaction

Vaulted values are masked in replays, logs, HAR files, and console output.

Rotation API

Rotate a credential and every running agent picks up the new value on the next keystroke.

BYO secrets manager

Proxy-mode: BrowserAnvil requests credentials from your Vault, 1Password, or AWS Secrets Manager at session start.

The injection flow

How a credential actually reaches the page.

Reference by handle

Your agent says fill_credential("acme-okta.password") — nothing sensitive in the prompt.

Runtime intercepts

The call hits the VM-local credential agent, not your application code.

KMS decrypt

The wrapped key is decrypted inside the VM boundary only for the duration of the keystroke.

Type into DOM

Value is typed via CDP as synthesized keyboard events, bypassing the JS heap entirely.

The threat model, explained plainly.

What the vault protects against

  • Model provider logs containing plaintext secrets
  • Agent traces exported to a third-party observability vendor
  • A junior engineer sharing a replay in Slack
  • Prompt injection coaxing the agent to read back its credential
  • A compromised agent framework on the client side

What the vault does not protect against

  • A compromised target website harvesting what the user types
  • An attacker who has already breached your BrowserAnvil account
  • Credentials stored outside the vault and pasted into prompts

We are explicit about our limits. See Compliance for the full threat model and audit reports.

The API

A vault that feels like a hash table.

Store a credential

runtime.vault.put(
    handle="acme-okta",
    values={
        "username": "agent@example.com",
        "password": "...",
        "totp_seed": "JBSWY3DP...",
    },
    scope=["team:backoffice"],
)

Use it in a session

async with runtime.session(
    credentials=["acme-okta"]
) as s:
    page = await s.new_page()
    await page.goto("https://acme.com/login")
    await page.fill_credential("#user", "acme-okta.username")
    await page.fill_credential("#pass", "acme-okta.password")

Our security team insisted we never put banking credentials in an LLM prompt. The vault is the only reason this project exists in production.

— Jerome Whitfield, VP Platform, Northwind Bank

Works with your secrets stack

Keep your source of truth.

AWS Secrets Manager HashiCorp Vault GCP Secret Manager Azure Key Vault 1Password Service Accounts Doppler Infisical CyberArk

Vault FAQ

Do you store credentials in plaintext anywhere?

No. They are encrypted at rest with AWS KMS, and the decryption key is only resident in the microVM memory for the duration of a keystroke.

Can I rotate credentials without redeploys?

Yes. Rotation is an API call. Running sessions pick up the new value on the next fill_credential invocation.

What happens if I revoke a credential mid-session?

The session emits a credential_revoked event. Your agent can handle it or terminate cleanly.

Are credentials visible to your engineers?

No. Access to the production KMS is restricted, audited, and requires a break-glass procedure that notifies the customer.

Your secrets deserve better than a prompt field.

Vault every credential your agent touches, in minutes.

Start using the vault Talk to security