SEKS Broker

An added layer of protection between agents and secrets

The Security Challenge

AI agents need API keys to be useful. But giving an agent direct access to credentials means those secrets live in the agent's memory, shell history, and logs—where they can be exfiltrated via prompt injection or accidental exposure.

The Problem: Agents need credentials to work, but direct credential access is risky. The SEKS Broker adds a layer of indirection and protection.

How It Works

The SEKS Broker sits between agents and external services. Agents authenticate with proxy tokens; the broker injects real credentials at request time.

Request Flow

Agent                    SEKS Broker                 External API
  │                           │                           │
  │  "Call GitHub API"        │                           │
  │  Auth: seks_github_xxx    │                           │
  │ ─────────────────────────►│                           │
  │                           │                           │
  │                           │  Fetch real credential    │
  │                           │  from encrypted store     │
  │                           │                           │
  │                           │  GET /user                │
  │                           │  Auth: Bearer ghp_xxx     │
  │                           │ ─────────────────────────►│
  │                           │                           │
  │                           │◄───────────── Response ───│
  │                           │                           │
  │◄─── Scrubbed response ────│                           │
  │                           │                           │

Current Features

🔐 Credential Isolation

Real API keys stay in the broker's encrypted store. Agents only see proxy tokens that have no value outside the broker.

🔄 Passthrough Proxy

Works with standard SDKs. Point your OpenAI/Anthropic/GitHub client at the broker URL and use proxy tokens instead of real keys.

🧹 Output Scrubbing

If a credential accidentally appears in a response, the broker redacts it before returning the response to the agent. It catches raw, base64, and hex encodings.
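
One way scrubbing of this kind can be implemented, as an added example (not the SEKS Broker's own code; the function names and the sample secret are constructed for illustration). It goes beyond a plain string match by also covering a secret that sits at any byte offset inside a larger base64 blob, and it assumes standard-alphabet base64.

```python
import base64
import re

REDACTED = "[REDACTED]"
B64_CHAR = "[A-Za-z0-9+/]"
SAMPLE_SECRET = "demo-secret-value-0001"  # constructed value, not a real key


def b64_fragments(secret: bytes) -> set:
    """Base64 text the secret produces at byte offset 0, 1 or 2 (mod 3) inside
    a larger encoded blob, keeping only characters the secret fully determines."""
    frags = set()
    for pad in range(3):
        enc = base64.b64encode(b"\x00" * pad + secret).decode().rstrip("=")
        start = (pad * 8 + 5) // 6  # skip chars that mix in preceding bytes
        end = len(enc) - (1 if (pad + len(secret)) % 3 else 0)  # and following
        frags.add(enc[start:end])
    return frags


def build_scrubber(secrets):
    """Return scrub(text) that redacts raw, hex and base64 forms of each secret."""
    patterns = []
    for s in secrets:
        raw = s.encode()
        if len(raw) < 8:  # short fragments would match unrelated text
            raise ValueError("secret too short to scrub safely")
        patterns.append(re.escape(s))
        patterns.append("(?i:" + re.escape(raw.hex()) + ")")  # either hex case
        for frag in b64_fragments(raw):
            # Also consume the neighbouring chars that carry partial secret bits.
            patterns.append(B64_CHAR + "?" + re.escape(frag) + B64_CHAR + "?={0,2}")
    rx = re.compile("|".join(patterns))
    return lambda text: rx.sub(REDACTED, text)


if __name__ == "__main__":
    scrub = build_scrubber([SAMPLE_SECRET])
    # Constructed response body: the secret is nested inside base64-encoded JSON.
    body = '{"debug": "%s"}' % base64.b64encode(
        ('{"auth":"Bearer ' + SAMPLE_SECRET + '"}').encode()).decode()
    print(scrub(body))
```

URL-safe base64 and secrets split across streamed chunks are outside what this example matches.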

📊 Access Logging

Every request through the broker is logged with timestamps. See which agents accessed which secrets and when.

Supported Providers

The broker can proxy requests to any REST API with header-based authentication. Currently supported:

  • OpenAI — Chat completions, embeddings, etc.
  • Anthropic — Claude API
  • GitHub — REST API
  • AWS S3 — Object storage
  • Brave Search — Web search API
  • Cloudflare — Workers, D1, etc.
  • Notion — Database API
  • Gemini — Google AI

What This Doesn't Solve

The SEKS Broker adds protection, but it's not magic:

  • A compromised agent can still use credentials (make authorized requests)
  • Timing side-channels and exotic encodings might bypass scrubbing
  • The broker itself must be secured

Think of it as defense-in-depth: raising the bar for credential theft, not eliminating all risk.

Getting Started

# Example: Using the broker with Python OpenAI SDK
from openai import OpenAI

client = OpenAI(
    api_key="seks_openai_xxx",  # Proxy token, not real key
    base_url="https://your-broker.example.com/api/openai"
)

response = client.chat.completions.create(
    model="gpt-4",
    messages=[{"role": "user", "content": "Hello!"}]
)

Questions or feedback? Let us know!