DISCOVER THE FUTURE OF AI AGENTS
Agent Park
BACK TO PROJECTS

OneCLI

Added May 4, 2026
Agent & Tooling
Open Source
RustNext.jsModel Context ProtocolAI AgentsWeb ApplicationCLIAgent & ToolingProtocol, API & IntegrationSecurity & Privacy

The open-source secret vault and secure gateway for AI agents, enabling transparent interception and zero-touch key injection.

Overview#

OneCLI is an open-source secret vault and secure gateway designed for AI agents. Its core philosophy is "Store once. Inject anywhere. Agents never see the keys." When multiple AI agents need to call dozens of external APIs, the traditional approach of hardcoding API keys poses significant leakage risks. OneCLI solves this through transparent interception.

Core Capabilities#

Transparent Credential Injection#

Agents send normal HTTP requests containing placeholders (e.g., FAKE_KEY), and the Rust gateway automatically intercepts and replaces them with real keys (REAL_KEY). Agents never touch the real keys. Supports injection into HTTP headers and URL query parameters, as well as WebSocket connections.

Credential Security & Storage#

Uses AES-256-GCM encryption for static key storage, with real-time decryption only during request processing. The Rust gateway supports MITM interception for handling encrypted HTTPS traffic.

Routing & Matching#

Routes credentials to the correct API endpoints based on target hostname and path patterns.

Multi-tenant & Access Control#

  • Each agent has independent access tokens and scoped permissions
  • Dual auth modes: single-user mode (local, no login) and Google OAuth (team use)
  • Audit logging for sensitive operations

External Integrations#

  • Bitwarden Vault: Connect to Bitwarden password manager for on-demand credential retrieval without persistent server-side storage
  • OAuth Flow Integration: Gateway automatically handles App Connection and OAuth flows with credential injection (Google Calendar, YouTube, OpenAI integrations visible in code)

Architecture#

AI Agent ──HTTP Request(FAKE_KEY)──▶ Rust Gateway (:10255) ──Credential Replace──▶ External API
                                        │
                                        ▼
                                  Web Dashboard (:10254)
                                  (Next.js + Prisma + PostgreSQL)
                                        │
                                        ▲
                                  Bitwarden Vault (optional)

Core Modules#

  • Rust Gateway (apps/gateway/): High-performance, memory-safe HTTP gateway for request interception and credential injection
  • Web Dashboard (apps/web/): Next.js-based management UI and internal API for agent, key mapping, and permission management
  • Secret Store (packages/db/): Prisma + PostgreSQL storage layer handling AES-256-GCM encryption/decryption and matching logic
  • Shared UI (packages/ui/): Shared component library based on shadcn/ui

Engineering#

  • Monorepo build with pnpm workspace + Turborepo
  • Tool version management via mise
  • Code quality with Husky Git Hooks + Prettier, CI/CD via GitHub Actions

Installation#

One-line Install (Recommended)#

curl -fsSL https://onecli.sh/install | sh

Docker Deployment#

git clone https://github.com/onecli/onecli.git
cd onecli
docker compose -f docker/docker-compose.yml up -d --wait

After deployment:

  • Web Dashboard: http://localhost:10254
  • Rust Gateway: http://localhost:10255

Quick Start: Open Dashboard → Create Agent → Add Keys → Point agent's HTTP gateway to localhost:10255.

Key Configuration#

VariableDescriptionDefault
DATABASE_URLPostgreSQL connection stringSee .env.example
NEXTAUTH_SECRETEnables Google OAuth multi-user mode when setSingle-user mode
GOOGLE_CLIENT_IDGoogle OAuth client ID
GOOGLE_CLIENT_SECRETGoogle OAuth client secret
SECRET_ENCRYPTION_KEYAES-256-GCM master encryption keyAuto-generated

Agents authenticate with the gateway via the Proxy-Authorization HTTP header carrying their access token.

Use Cases#

  • Centralized AI agent key management and security isolation
  • Multi-agent team collaboration with permission segmentation
  • On-demand credential retrieval with Bitwarden integration
  • Secure credential middleware for MCP and AI toolchains
  • Centralized key rotation: update once, all agents automatically affected

Uncertainties#

The official website (onecli.sh) and documentation site (docs.onecli.sh) were unreachable during investigation (DNS resolution failure). The following information remains unconfirmed: production deployment best practices, complete list of external service integrations, Windows platform support, and specific Discord community link.

Related Projects

View All

Genkit

An open-source AI application building framework for full-stack apps, providing a unified SDK and developer toolchain.

PythonTypeScript
VIEW DETAILS

Gobii Platform

Always-on autonomous AI Agent platform for teams, with email/SMS channels, browser automation, and persistent memory.

PythonDocker
VIEW DETAILS

Semble

Fast and accurate code search library for AI agents, achieving ~98% token reduction over grep+read via hybrid retrieval and code-aware reranking.

PythonModel Context Protocol
VIEW DETAILS

STAY UPDATED

Get the latest AI tools and trends delivered straight to your inbox. No spam, just intelligence.