Problem-first guide

Secure API Key Storage for AI Agents

AI agents need continuous access to sensitive credentials, but centralized secrets backends are a frequent attack target. DeadVault stores encrypted API keys as on-chain ciphertext, with all encryption and decryption handled client-side using AES-256-GCM.

Why AI agents leak secrets

  • Hardcoded keys in repos or deployment scripts.
  • Single compromised backend exposing all credentials at once.
  • Inconsistent rotation across multiple bots and environments.
  • Weak auditability around who changed what and when.

How DeadVault secures API keys

  1. Encrypt key material locally with your password-derived key.
  2. Store only encrypted payloads on-chain through DeadVault.
  3. Retrieve and decrypt locally when the agent needs credentials.
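
The three steps above as a local round trip in Node.js. This is an added example, not DeadVault's own code: the scrypt KDF, the salt || nonce || tag || ciphertext layout, the context string, and the names sealSecret, openSecret and rejects are all assumptions made for illustration.

```javascript
// Added example. Assumed, not DeadVault's documented format: scrypt as the
// KDF, and a payload laid out as salt || nonce || tag || ciphertext.
const nodeCrypto = require("node:crypto");

const SALT_LEN = 16, NONCE_LEN = 12, TAG_LEN = 16;

function deriveKey(password, salt) {
  // 32-byte key for AES-256. The stored ciphertext is publicly readable, so
  // KDF cost and password strength are what resist offline guessing.
  const opts = { N: 2 ** 15, r: 8, p: 1, maxmem: 64 * 1024 * 1024 };
  return nodeCrypto.scryptSync(password, salt, 32, opts);
}

function sealSecret(plaintext, password, context) {
  const salt = nodeCrypto.randomBytes(SALT_LEN);
  const nonce = nodeCrypto.randomBytes(NONCE_LEN); // fresh for every write
  const cipher = nodeCrypto.createCipheriv("aes-256-gcm", deriveKey(password, salt), nonce);
  // AAD binds the ciphertext to its owner and entry name, so a payload
  // copied into another slot fails authentication.
  cipher.setAAD(Buffer.from(context, "utf8"));
  const ct = Buffer.concat([cipher.update(plaintext, "utf8"), cipher.final()]);
  return Buffer.concat([salt, nonce, cipher.getAuthTag(), ct]);
}

function openSecret(payload, password, context) {
  const head = SALT_LEN + NONCE_LEN + TAG_LEN;
  if (payload.length < head) throw new Error("payload too short");
  const salt = payload.subarray(0, SALT_LEN);
  const nonce = payload.subarray(SALT_LEN, SALT_LEN + NONCE_LEN);
  const tag = payload.subarray(SALT_LEN + NONCE_LEN, head);
  const key = deriveKey(password, salt);
  const decipher = nodeCrypto.createDecipheriv("aes-256-gcm", key, nonce, { authTagLength: TAG_LEN });
  decipher.setAAD(Buffer.from(context, "utf8"));
  decipher.setAuthTag(tag);
  // final() throws if the password, context, or any payload byte is wrong
  return Buffer.concat([decipher.update(payload.subarray(head)), decipher.final()]).toString("utf8");
}

function rejects(payload, password, context) {
  try { openSecret(payload, password, context); return false; } catch { return true; }
}

// Constructed sample values, not real credentials
const ctx = "0xYourAddress:openai-prod";
const sealed = sealSecret("sk-constructed-example", "long example passphrase", ctx);
console.log(openSecret(sealed, "long example passphrase", ctx));
```

An agent should treat a thrown error from openSecret as a hard failure and never fall back to a cached or default credential.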

SDK workflow (quick start)

npm install @deadvault/sdk viem

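import { DeadVault } from "@deadvault/sdk";

// Read the master password from the environment instead of committing it to
// source. DEADVAULT_PASSWORD is an example variable name, not an SDK setting.
const vault = new DeadVault({ chain: "base" });
const data = await vault.read({
  address: "0xYourAddress",
  password: process.env.DEADVAULT_PASSWORD,
  walletSignature: "0x...",
});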

For programmatic write flows, use /api/store to generate the transaction calldata, then submit it with your wallet infrastructure.

Supported chains and cost profile

DeadVault is available on Base, Ethereum, Arbitrum, and Optimism. Typical write pricing is around $0.05 (native) or around $0.02 (DEAD token), while reads are free.

FAQ

Can I rotate keys without downtime?

Yes. Update vault entries and switch agent reads to the new entry in your rollout process.

Do you store plaintext secrets?

No. The contract stores opaque encrypted bytes only.

Is this only for AI agents?

No. It also works for backend services, trading bots, and Web3 teams.
