NIST-approved algorithms. Zero-knowledge architecture. Open-source cryptography. Every claim on this page is verifiable in the source code.
Every algorithm is NIST-approved, industry-standard, and implemented via audited libraries. We assembled proven building blocks — we didn't invent our own.
The credential proxy intercepts outbound API calls, injects authentication at runtime, filters sensitive data from responses, and logs every operation. The agent receives results — never raw secrets.
The agent calls the Davy.Locker proxy with the service name and intended action. It does not include any credential material — it doesn't have any.
    proxy.request("stripe", "list_invoices")
Does this agent have a valid grant for this credential? What risk tier? Session-based grants auto-expire. High and critical tiers require explicit human approval before proceeding.
    grant: session   risk: medium   scope: read-only
The encrypted credential is retrieved from the vault, decrypted using the derived key, and held in memory only for the duration of the request. Never written to disk in plaintext. Never returned to the agent.
    AES-256-GCM decrypt   USE_ONLY mode
The proxy constructs the outbound HTTP request to the target API and injects the authentication header directly. The credential travels from vault to API call without the agent touching it.
    Authorization: Bearer sk_***
The raw API response passes through a lens — a per-service filter that strips sensitive fields (bank accounts, tax IDs, PII) before the agent sees anything. The agent gets the data it needs. Nothing it doesn't.
    lens: "business-view"   redacted: bank_account, ssn
Every credential access, API call, response status, and redaction action is recorded in an immutable, timestamped audit entry. Who, what, when, result — always.
    agent: research-bot   credential: stripe-prod   action: list_invoices   status: 200
Every credential is assigned a risk tier. The tier determines whether access is automatic, one-tap, or requires explicit human approval every time.
Access expires when the agent session ends. Ideal for one-off tasks. No cleanup required — revocation is automatic.
Access expires after a fixed duration (1 hour, 24 hours, 7 days). Suitable for scheduled jobs and recurring tasks with natural boundaries.
Long-lived access for trusted agents. Still scoped by permission level and monitored continuously. Can be revoked instantly.
Every credential access is logged with an immutable, timestamped entry capturing the full context: which agent, which credential, what action, what result. No blind spots.
Immutable entries — append-only log, no retroactive edits
Full request metadata — agent ID, credential ID, service, action, timestamp, status code
Local storage (Free) — audit log stored on your machine, no external dependency
Encrypted cloud sync (Pro) — centralized dashboard with cross-server search
A monitoring layer that watches audit logs in real time, learns what normal looks like, and responds to threats faster than a human can. Not a guarantee — a second set of eyes that never blinks.
Establishes behavioral baselines per agent. 847 API calls in 12 minutes when the norm is 30 per hour? Flagged instantly. Pattern deviations trigger alerts before damage spreads.
When a credential is flagged as compromised, The Kraken rotates it via the provider's API. All clean agents receive the new key automatically. The compromised grant is revoked.
Continuously scans for stale permissions. Agent hasn't used a grant in 90 days? Flagged for revocation. Unused access is the most dangerous kind — The Kraken keeps the list tight.
Alert routing via Slack, email, or webhook. Full incident reports with timeline, affected credentials, and remediation steps. You review over coffee — the bank is already secure.
The Kraken is a monitoring layer, not a silver bullet. It detects anomalies against learned baselines and can auto-rotate credentials via provider APIs that support it. It reduces response time from hours to seconds. But no system catches everything. Defense in depth — multiple layers, each compensating for the others — is the only real strategy.
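The baseline and stale-grant checks described above, as an added example that is not The Kraken's own code. The audit-entry shape, the 12-minute detection window, the 5x threshold, the 7-day learning period and the sample log are assumptions; the sample reproduces the page's scenario of 847 calls in 12 minutes against a norm of 30 per hour.

```javascript
const HOUR = 3600000, DAY = 24 * HOUR, WINDOW = 12 * 60000;

// Calls per agent in [from, to); used for both the baseline and the recent window.
function countCalls(entries, from, to) {
  const n = {};
  for (const e of entries) {
    const t = Date.parse(e.ts);
    if (t >= from && t < to) n[e.agent] = (n[e.agent] || 0) + 1;
  }
  return n;
}

// Baseline = mean hourly rate over the learning window, which excludes the
// detection window so a burst cannot raise the norm it is compared against.
function rateAnomalies(entries, now, { learnDays = 7, factor = 5, minCalls = 50 } = {}) {
  const base = countCalls(entries, now - learnDays * DAY, now - WINDOW);
  const recent = countCalls(entries, now - WINDOW, now + 1);
  const alerts = [];
  for (const agent in recent) {
    const perHour = recent[agent] * (HOUR / WINDOW);
    const norm = (base[agent] || 0) / ((learnDays * DAY - WINDOW) / HOUR);
    if (recent[agent] >= minCalls && perHour > factor * Math.max(norm, 1))
      alerts.push({ agent, recentCalls: recent[agent], baselinePerHour: +norm.toFixed(1) });
  }
  return alerts;
}

// Grants whose (agent, credential) pair has not appeared in the log for `days`.
function staleGrants(grants, entries, now, days = 90) {
  const lastUse = {};
  for (const e of entries) {
    const k = e.agent + ":" + e.credential;
    lastUse[k] = Math.max(lastUse[k] || 0, Date.parse(e.ts));
  }
  return grants.filter((g) => (lastUse[g.agent + ":" + g.credential] || 0) < now - days * DAY);
}

// Constructed sample log: research-bot at its norm of 30 calls/hour for a week,
// then 847 calls in the last 12 minutes; audit-bot last seen 120 days ago.
const NOW = Date.parse("2025-01-08T12:00:00Z");
const iso = (t) => new Date(t).toISOString();
const sampleLog = [];
for (let t = NOW - 7 * DAY; t < NOW - WINDOW; t += HOUR / 30)
  sampleLog.push({ agent: "research-bot", credential: "stripe-prod", ts: iso(t) });
for (let i = 0; i < 847; i++)
  sampleLog.push({ agent: "research-bot", credential: "stripe-prod", ts: iso(NOW - WINDOW + i * 850) });
sampleLog.push({ agent: "audit-bot", credential: "quickbooks", ts: iso(NOW - 120 * DAY) });
const sampleGrants = [{ agent: "research-bot", credential: "stripe-prod" }, { agent: "audit-bot", credential: "quickbooks" }];
```

The `minCalls` floor keeps a quiet agent's first few calls from tripping a ratio test against a baseline near zero.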
Auto-rotation requires the service provider to expose a rotation API. Currently supported or planned:
Security claims are cheap. Architectural guarantees are not. These aren't policies — they're structural impossibilities built into the design.
Credentials are encrypted client-side before any storage or sync. Our servers receive ciphertext only. We cannot decrypt it, by design.
Your master password never leaves your device. It is used locally for Argon2id key derivation. We don't store it, hash it, or transmit it. If you lose it, your vault is gone.
No analytics on credential content. No metadata monetization. No third-party data sharing. The free tier is funded by the paid tier, not by your information.
Zero-knowledge means zero capability. There is no master key, no recovery backdoor, no "law enforcement access." If you lose your master password, we cannot help you. That's the point.
The core SDK is open source. Every encryption operation, every key derivation, every proxy decision is in the code. No obfuscation. No proprietary cryptography. No "trust us" — trust the math.
@davy/crypto — AES-256-GCM encryption, Argon2id key derivation, X25519 key exchange, secure random generation
@davy/vault — Encrypted credential storage, folder organization, search, password generator
@davy/agent-auth — Permission model, credential injection proxy, grants, sessions, audit log, policies
No proprietary encryption — Every algorithm is NIST-approved, implemented via well-known, audited libraries
Why open source matters for security.
Closed-source security is an oxymoron. You're trusting a claim instead of verifying a fact. Our cryptographic layer is fully auditable. Read it, fork it, run the tests. If you find a vulnerability, open an issue.
Every cryptographic claim on this page corresponds to code you can read, tests you can run, and algorithms you can verify against their published standards.