Secrets broker
Hold upstream credentials in a vault and inject them at the proxy so the agent never sees the secret.
An agent often needs a real credential to reach an upstream: a GitHub token, a database password, a vendor API key. The secrets broker holds that credential in a vault and injects it at the proxy boundary, so the agent (and its prompt, and your audit log) never sees the plaintext.
Vault-backed, HTTP-only
Plaintext is stored only in Supabase Vault (encrypted at rest, key held outside the database); the metadata table keeps just the vault reference. Secrets are injected server-side into proxied requests. They never appear in a response, a config-change trail, or an audit log. The broker is an admin, Team/Enterprise feature.
How injection works
Each secret is bound to an MCP server and/or an agent, and declares how it should be applied to outbound requests:
injectionKind | Applied as | bindingKey |
|---|---|---|
http_header | A request header | header name, e.g. X-Api-Key |
bearer | Authorization: Bearer <secret> | not used |
stdio_env | An environment variable on a stdio server | env var name, e.g. UPSTREAM_TOKEN |
query | A query-string parameter | param name |
When a proxied call matches the binding, AxioRank resolves the secret from the vault and injects it. The agent's own API key authorizes the proxy call. The upstream credential is never handed to the agent.
Store a secret
POST /api/broker-secrets (admin). At least one of mcpServerId / agentId is
required, and bindingKey is required unless injectionKind is bearer.
{
"name": "GitHub PAT - deploy bot",
"secret": "ghp_xxxxxxxxxxxxxxxx",
"injectionKind": "http_header",
"bindingKey": "Authorization",
"targetHost": "api.github.com",
"mcpServerId": "8f3c…",
"rotationPolicy": "60d"
}The response echoes only { id, name }, never the secret value.
targetHost(optional) restricts injection to requests bound for that host. If the upstream URL is later edited to a different host, the secret is not injected, which is defense-in-depth against a redirected credential.rotationPolicy:manual(default), or30d/60d/90dfor automatic rotation windows stamped from the last rotation.
Manage
| Endpoint | Does |
|---|---|
GET /api/broker-secrets | List secrets: metadata only, never values. |
POST /api/broker-secrets/{id}/rotate | Overwrite the value in place ({ "secret": "…" }). |
DELETE /api/broker-secrets/{id} | Revoke: hard-deletes the vault entry. |
Next steps
- MCP gateway: the proxy that performs the injection.
- Policies: govern which calls may reach a credentialed upstream.