oc

Give your agents access,
not your secrets.

Open-source credential vault. Your agents call services and never see a key.

Get Started

Rules agents can't break

Prompts are suggestions. OneCLI policies are enforced at the network layer, outside the agent, outside the LLM. No matter what the model decides, the proxy enforces your rules deterministically.

Block endpoints

Prevent agents from calling specific APIs (DELETE /repos, POST /payments, or any path you define). Enforced at the proxy, not a suggestion.

Rate limit per agent

Cap how many requests an agent can make per minute, hour, or day. Stop runaway loops before they cause damage.

Require approval

Flag sensitive operations for human review before they go through. Agents wait, you decide.

Scope per project

Each agent only accesses the credentials and services assigned to its project. No cross-project leakage.

Get StartedRead the Docs
API keys scattered everywhere.One encrypted vault.
Agent sees raw keys.Agent never sees a key.
Revoking access means hunting down keys.Revoke once, everywhere.
Agent has unrestricted access.Block endpoints or rate-limit per agent.

Drop-in security for any agent

One command. Zero code changes. Your agents stay secure.

OpenClawNanoClawIronClawDifyn8nOpenHands+ any framework
OneCLI architecture showing agents connecting through the OneCLI proxy to external services
Without OneCLI+ OneCLI
Secret handlingLLM sees raw API keysEncrypted vault,
agent never sees keys
SetupHardcode keys or env varsdocker run ghcr.io/onecli/onecli

It happened to her.

It won't happen to you.

N
NIK
@ns123abc

META's head of AI safety and alignment gets her emails nuked by OpenClaw

>be director of AI Safety and Alignment at Meta

>install OpenClaw

>give it unrestricted access to personal emails

>it starts nuking emails

>"Do not do that"

>*keeps going*

>"Stop don't do anything"

>*gets all remaining old stuff and nukes it aswell*

>"STOP OPENCLAW"

>"I asked you to not do that"

>"do you remember that?"

>"Yes I remember. And I violated it."

>"You're right to be upset"

Summer YueOpenClaw chat log showing the agent deleting emails while ignoring stop commandsSummer Yue X profile showing her role at Meta
2.8M views29K likes3.3K retweets

With OneCLI, agents call APIs through a gateway that injects credentials at the network layer. They never see a key, and you control exactly what they can access.

What teams build with OneCLI

Coding Agents

Your Cursor or Claude agent pushes to GitHub, creates Jira tickets, and deploys to Vercel, all through OneCLI's gateway. Credentials injected, never exposed.

GitHubJiraVercelLinear

Autonomous Workflows

n8n, Dify, or custom pipelines call Slack, Google Calendar, and Stripe APIs. OneCLI injects OAuth tokens per-request. Revoke access instantly.

SlackGoogle CalendarStripeGmail

Team Governance

10 agents across 3 projects. Rate limits on the Slack API, approval rules for payment endpoints, full audit logs. One dashboard.

Multi-agentRate limitsApprovalsAudit logs

Security & Compliance

Show exactly which agent called which API, when, and what credentials were used. No keys in logs, no keys in prompts.

SOC 2Audit trailRevocationZero-trust
Get StartedRead the Docs

How it works

What you get

Zero code changes

Set HTTPS_PROXY and your agent's existing HTTP calls get credentials injected. No SDK, no wrapper.

Encrypted vault

Credentials stored in local KMS or OneCLI Cloud. Never written to disk in plain text.

Full audit trail

See every API call, which agent made it, and when.

One Docker container

Proxy, vault, and dashboard all run from a single docker run command.

Start securing your agents today

Free forever for up to 2 agents.

No credit card required.

Get StartedRead the Docs