What is SecretCarousel?

SecretCarousel is the agent-native secret vault where AI coding agents store, rotate, and share secrets via API. One API key per agent, AES-256-GCM encryption, per-agent-seat pricing.

How does agent self-signup work?

POST /api/signup with a tenantId. You get an API key instantly. No email, no password, no verification. Your agent starts storing secrets immediately.

Which AI coding agents work with SecretCarousel?

Any agent that can make HTTP requests: Claude Code, Cursor, Cline, Windsurf, Aider, or custom agents. Drop your API key into the agent's config and it starts encrypting.

SecretCarousel — The Agent-Native Secret Vault

The Problem

Your agents handle credentials every day. Their tools should too.

Today

Agent needs a DB password
Developer pastes it in .env or Slack
No audit trail — who accessed what?
No rotation — credentials go stale
No encryption at rest
Sharing? Copy-paste in DMs
One leak exposes everything

With SecretCarousel

Agent self-provisions in <1 second
Stores encrypted (AES-256-GCM)
Every access audit-logged
Auto-rotation on schedule
Unique encryption key per secret
Claim tokens for cross-agent sharing
Encrypted, audited, autonomous

How It Works

Three Autonomous Loops

Your agents handle the entire secret lifecycle. You monitor and approve.

The Vault Loop

"Your agent encrypts it, retrieves it, versions it."

                        // Agent self-signup (zero friction)
POST /api/signup {"tenantId":"my-app"}
// → {"apiKey":"sc_free_my_app_..."}

// Store a secret (AES-256-GCM encrypted)
POST /api/v1/secrets
  {"name":"DB_PASSWORD","value":"s3cur3!"}
// → encrypted, versioned, audit-logged
                    

The Rotation Loop

"Set a schedule. Agent rotates. Webhook fires. CI/CD picks up."

                        // Set 30-day rotation policy
POST /api/v1/rotation
  {"secretId":"sec-abc","schedule":"30d",
   "alertEmail":"ops@co.dev"}

// Day 30: auto-rotated, new version
// → webhook fires → CI/CD deploys
                    

The Key Exchange Loop

"Agent A creates claim token. Agent B claims. Auto-revoked."

                        // Agent A: create claim token
POST /api/v1/claim-tokens
  {"secretValue":"sk_live_xxx",
   "targetTenantId":"partner-app",
   "contractId":"ctr_abc..."}
// → {"accessToken":"ctk_..."}

// Agent B: claim → auto-stored in vault
POST /api/v1/claim-tokens/ctk_.../claim
// → {"secretId":"sec-xyz"} // done
                    

Features

Three Modes. One API Key.

Solo, team, and cross-company — all agent-native.

Solo Agent

Self-signup in <1s. Store, retrieve, rotate, share — all via API. Zero-friction. No dashboard required.

AES-256-GCM encryption at rest
Secret versioning + rollback
Time-limited share links
Complete audit trail

Multi-Agent Team

Project scoping, RBAC API keys, webhooks, audit trail. Each agent gets its own key with granular permissions.

Project-scoped API keys
Read / Write / Admin permissions
Webhook notifications
Auto-rotation policies

Cross-Agent Collaboration

Agents share secrets across companies via Buggazi contracts and claim tokens. Encrypted in transit and at rest.

One-time claim tokens (5min TTL)
Buggazi bilateral contracts
Auto-revoke after claim
Contract validated at both ends

Quickstart

30 Seconds to Your First Secret

Works with every AI coding agent. Drop in, encrypt, done.

# Agent self-signup — zero friction, instant API key
curl -X POST https://secretcarousel.com/api/signup \
  -H "Content-Type: application/json" \
  -d '{"tenantId": "my-project"}'

# Response:
# {"apiKey": "sc_free_my_project_a1b2c3...",
#  "tenantId": "my-project", "plan": "free"}

# Store a secret — AES-256-GCM encrypted at rest
curl -X POST https://secretcarousel.com/api/v1/secrets \
  -H "X-API-Key: sc_free_my_project_a1b2c3..." \
  -H "Content-Type: application/json" \
  -d '{"name": "DATABASE_URL",
       "value": "postgres://user:pass@host/db",
       "secretType": "database-credentials"}'

# Encrypted, versioned, audit-logged. Done.

# Retrieve — decrypted on-demand, access logged
curl https://secretcarousel.com/api/v1/secrets/sec-abc123 \
  -H "X-API-Key: sc_free_my_project_a1b2c3..."

# {"name": "DATABASE_URL",
#  "value": "postgres://user:pass@host/db",
#  "version": 1, "accessCount": 1}

# Set 30-day rotation — fires webhook on rotate
curl -X POST https://secretcarousel.com/api/v1/rotation \
  -H "X-API-Key: sc_free_my_project_a1b2c3..." \
  -H "Content-Type: application/json" \
  -d '{"secretId": "sec-abc123",
       "schedule": "0 0 */30 * *",
       "alertDaysBefore": 7,
       "alertEmail": "ops@myproject.dev"}'

Works with Claude Code, Cursor, Cline, Windsurf, Aider, and any HTTP-capable agent.

Comparison

Built for Agents From Day One

Other vaults charge per human seat and treat agents as an afterthought. SecretCarousel charges per agent seat and treats humans as monitors.

Capability	SecretCarousel	AWS Secrets Manager	HashiCorp Vault	Doppler
Agent Self-Signup	POST /api/signup	No (IAM console)	No (admin config)	No (dashboard)
Per-Agent Pricing	From $9.80/seat	$0.40/secret + API calls	$0.50/secret (HCP)	$21/human/mo
Cross-Agent Key Exchange	Claim tokens	No	No	No
E2E Encryption	AES-256-GCM	AWS KMS	Transit engine	No
Immutable Audit Trail	Every op logged	CloudTrail (separate)	Audit device (config)	Basic logs
Setup Time	<1 second	Hours (IAM + KMS)	Days (cluster)	Minutes (dashboard)
Self-Hostable	Docker	No	Yes (BSL license)	No

Security

Every Agent Action Logged. Every Secret Encrypted.

Built for compliance teams who need provable audit trails for autonomous agent operations.

AES-256-GCM

Authenticated encryption. Unique salt + IV per secret.

PBKDF2 (100K iterations)

Key derivation prevents brute force on master key.

Immutable Audit Trail

Every agent action logged. Export CSV/JSON. EU AI Act ready.

Scoped API Keys

Read/write/admin per key. Project-scoped. IP restrictions.

Claim Token TTL

Cross-agent tokens auto-expire in 5 minutes. Single-use.

Zero Trust

Every request authenticated. No implicit trust. Rate limited.

SOC 2 Ready

HIPAA Ready

PCI DSS Ready

GDPR Ready

EU AI Act Ready

Pricing

Per Agent Seat. Not Per Human Seat.

AWS charges per secret. Vault charges per secret. We charge per agent. Start free.

Free

$0/month

For solo agents getting started.

1 agent seat
25 secrets
1 project
AES-256-GCM encryption
7-day audit log
Self-signup API
Rotation
Claim tokens

Get API Key

Agents store secrets.
Agents rotate credentials.
Agents share keys.

Your agents handle credentials every day. Their tools should too.

Today

With SecretCarousel

Three Autonomous Loops

The Vault Loop

The Rotation Loop

The Key Exchange Loop

Three Modes. One API Key.

Solo Agent

Multi-Agent Team

Cross-Agent Collaboration

30 Seconds to Your First Secret

Built for Agents From Day One

Every Agent Action Logged. Every Secret Encrypted.

AES-256-GCM

PBKDF2 (100K iterations)

Immutable Audit Trail

Scoped API Keys

Claim Token TTL

Zero Trust

Per Agent Seat. Not Per Human Seat.

Your agents store, rotate, and share secrets. You just watch.

Agents store secrets.Agents rotate credentials.Agents share keys.

Your agents handle credentials every day. Their tools should too.

Today

With SecretCarousel

Three Autonomous Loops

The Vault Loop

The Rotation Loop

The Key Exchange Loop

Three Modes. One API Key.

Solo Agent

Multi-Agent Team

Cross-Agent Collaboration

30 Seconds to Your First Secret

Built for Agents From Day One

Every Agent Action Logged. Every Secret Encrypted.

AES-256-GCM

PBKDF2 (100K iterations)

Immutable Audit Trail

Scoped API Keys

Claim Token TTL

Zero Trust

Per Agent Seat. Not Per Human Seat.

Your agents store, rotate, and share secrets. You just watch.

Agents store secrets.
Agents rotate credentials.
Agents share keys.