OneCLI is an open-source secret vault for AI agents. Store credentials once, inject them anywhere. Your agents never see the keys. Under the hood, OneCLI runs a transparent MITM proxy that intercepts outgoing HTTP requests, injects credentials from an encrypted vault, and routes them to the right service. No code changes needed. Manage everything from the web dashboard.

How it works

onecli: transparent proxy

Run onecli as a Docker container. Point your agent’s HTTP traffic through it. onecli intercepts requests, injects stored credentials, and forwards them to the target service. Your agent code doesn’t change at all.
docker run --pull always -p 10254:10254 -p 10255:10255 -v onecli-data:/app/data ghcr.io/onecli/onecli
The encrypted vault stores all credentials with AES-256-GCM encryption. Credential resolution happens automatically: credentials are pulled from the vault and injected at runtime. Nothing is stored in plain text. The web dashboard lets you manage agents, secrets, and permissions from one place.
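The injection step described above, sketched as an added example (not OneCLI's code): a proxy-side function that adds a stored credential only when the request's parsed hostname exactly matches a vault entry and the scheme is HTTPS. The vault layout, the `inject_credentials` name and all hostnames and keys are constructed assumptions.

```python
from urllib.parse import urlsplit

# Constructed vault contents: exact hostname -> (header name, header value).
# This layout is an assumption for illustration, not OneCLI's storage format.
VAULT = {
    "api.example.com": ("Authorization", "Bearer sk-constructed-123"),
}


def inject_credentials(url, headers, vault=VAULT):
    """Return the headers a proxy would forward upstream for this request."""
    parts = urlsplit(url)
    # .hostname is lowercased and excludes userinfo and port, so the lookup
    # is made on the host the connection really goes to.
    host = (parts.hostname or "").rstrip(".")
    rule = vault.get(host)
    if parts.scheme != "https" or rule is None:
        # No exact match, or cleartext transport: forward unchanged, add nothing.
        return dict(headers)
    name, value = rule
    # Replace whatever the agent sent in that header (for example a
    # placeholder), matching the header name case-insensitively.
    out = {k: v for k, v in headers.items() if k.lower() != name.lower()}
    out[name] = value
    return out


if __name__ == "__main__":
    agent_headers = {"authorization": "Bearer placeholder", "Accept": "application/json"}
    for url in (
        "https://api.example.com/v1/items",
        "https://API.Example.com:443/v1/items",
        "https://api.example.com.other.example.net/v1/items",
        "https://api.example.com@other.example.net/v1/items",
        "http://api.example.com/v1/items",
    ):
        print(url, "->", inject_credentials(url, agent_headers))
```

Matching on the parsed hostname rather than on a substring of the URL is what keeps a stored key from being attached to a request for a different host.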

Get started