
Credential Broker

The credential broker is one of the most important components in Faramesh. It solves a fundamental security problem: AI agents today run with ambient API keys in their environment. An OPENAI_API_KEY, a STRIPE_API_KEY, an AWS_SECRET_ACCESS_KEY: all sitting in environment variables, readable by any tool call the agent makes, and governed by nothing.

Faramesh's credential broker strips these keys from the agent's environment before the agent process starts. The agent never sees the raw credentials. Instead, when the agent makes a tool call that requires a credential, Faramesh evaluates the policy first. If the policy permits the action, the broker issues a short-lived, scoped credential for just that one call. If the policy denies it, the credential is never issued, and the agent cannot obtain it by any other means.

This is not "best effort" credential management. On Linux with faramesh run, the agent process literally does not have the environment variable. It was removed before the process started. The credential exists only in the broker's memory and is injected into the tool call at execution time.

Supported backends

Faramesh integrates with six secret management backends. Each backend is configured via CLI flags or environment variables.

HashiCorp Vault (--vault-addr, --vault-token): KV v2 secrets engine. Supports dynamic secrets and lease management.
AWS Secrets Manager (--aws-secrets-region): AWS-native secret storage. Uses IAM role or access key authentication.
GCP Secret Manager (--gcp-secrets-project): Google Cloud-native secret storage. Uses service account credentials.
Azure Key Vault (--azure-vault-url): Azure-native secret storage. Uses managed identity or service principal.
1Password Connect (env FARAMESH_CREDENTIAL_1PASSWORD_HOST): 1Password Connect API. Self-hosted or cloud deployment.
Infisical (env FARAMESH_CREDENTIAL_INFISICAL_HOST): Open-source secret management platform.

Register a credential

Bind a credential name to a backend path. Agents reference the name; the broker resolves it at decision time.

bash
faramesh credential register \
  --name stripe-key \
  --backend vault \
  --path secret/data/stripe/api-key

List credentials

Show all registered credential bindings.

bash
faramesh credential list

Rotate a credential

Trigger rotation for a specific credential. The backend handles the actual rotation; Faramesh invalidates the cached value.

bash
faramesh credential rotate --name stripe-key

Health check

Verify connectivity to all configured backends.

bash
faramesh credential health

Ambient credential stripping is automatic with faramesh run. The broker removes matching environment variables from the child process before it starts.
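The following Python sketch is an added illustration of the flow described on this page, not Faramesh's own code: it builds a child environment with every bound ambient key removed, consults the backend only after the policy allows the (tool, credential) pair, and injects the short-lived leased value into the outbound request at execution time. The bindings, the policy set, the dictionary standing in for a Vault-style backend, and the Broker and Lease names are all constructed for the example.

```python
import time
from dataclasses import dataclass

# Constructed bindings: credential name -> (ambient env var that would
# otherwise reach the agent, backend path). Paths and values are made up.
BINDINGS = {
    "stripe-key": ("STRIPE_API_KEY", "secret/data/stripe/api-key"),
    "openai-key": ("OPENAI_API_KEY", "secret/data/openai/api-key"),
}
# Constructed policy: the (tool, credential) pairs the broker may serve.
ALLOWED = {("charge_customer", "stripe-key"), ("summarize", "openai-key")}
# Stand-in for a backend such as Vault: a dict keyed by secret path.
FAKE_BACKEND = {"secret/data/stripe/api-key": "sk_test_CONSTRUCTED",
                "secret/data/openai/api-key": "oa_CONSTRUCTED"}

@dataclass(frozen=True)
class Lease:
    credential: str    # binding that was resolved
    tool: str          # the single tool call this lease is scoped to
    value: str         # held by the broker; the agent never receives it
    expires_at: float  # short TTL; an unused lease simply lapses

class Broker:
    def __init__(self, backend, ttl_seconds=30):
        self._backend, self._ttl = backend, ttl_seconds

    def child_env(self, parent_env):
        """Environment for the agent process with every bound key removed."""
        stripped = {var for var, _ in BINDINGS.values()}
        return {k: v for k, v in parent_env.items() if k not in stripped}

    def issue(self, tool, credential):
        """Policy first; the backend is consulted only if the call is allowed."""
        if (tool, credential) not in ALLOWED:
            raise PermissionError(f"policy denies {tool} using {credential}")
        _, path = BINDINGS[credential]
        return Lease(credential, tool, self._backend[path], time.time() + self._ttl)

    def call_tool(self, tool, credential, request, transport):
        """Inject the leased value into the outbound request at execution time."""
        lease = self.issue(tool, credential)
        if time.time() >= lease.expires_at:
            raise TimeoutError("lease expired before execution")
        headers = {**request.get("headers", {}),
                   "Authorization": f"Bearer {lease.value}"}
        return transport({**request, "headers": headers})  # agent never held value
```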

MIT License