I'm working on a project called Piper to tackle the challenge of securely providing API keys to agents, scripts, and MCPs. Think of it like a password manager, but for your API keys.
Instead of embedding raw keys or asking users to paste them everywhere, Piper uses a centralized model.
You add your keys to Piper once.
When an app (that supports Piper) needs a key, Piper asks you for permission.
It then gives the app an sts token, not your actual key.
You can see all permissions on a dashboard and turn them off with a click.
The idea is to give users back control without crippling their AI tools.
Instead of embedding raw keys or asking users to paste them everywhere, Piper uses a centralized model.
You add your keys to Piper once.
When an app (that supports Piper) needs a key, Piper asks you for permission.
It then gives the app an sts token, not your actual key.
You can see all permissions on a dashboard and turn them off with a click.
The idea is to give users back control without crippling their AI tools.
I'm also building out a Python SDK (pyper-sdk) "https://github.com/greylab0/piper-python-sdk" to make this easy for devs.
Developers register their agents and define "variable names" (e.g., open_api_key)
The agent uses the SDK which vends a short-lived token that the agent can use to access the specific user secret.
Also incliudes environment variable fallback in case the agent's user prefers not to use Piper.
This gives agents temporary, scoped access without them ever handling the user's raw long-lived secrets.