Mailgent
Credential Management

The vault infrastructure for autonomous credential management.

Developers building credential management agents need a secure vault to store secrets and email primitives to notify teams about rotations. Mailgent provides AES-256-GCM encrypted storage and an email API so your agent can manage the full credential lifecycle.

vault.store, vault.get, vault.totp, mail.send

API Primitives used

vault.store

Store credentials

Save API keys, passwords, tokens, and TOTP seeds. Encrypted at rest, scoped per identity.

vault.get

Retrieve credentials

Decrypt and return stored secrets at runtime. Every access is logged with timestamps and calling identity.

vault.totp

Generate access codes

Produce TOTP codes for services that require 2FA during credential rotation.

mail.send

Notify on rotation

Email teams when credentials are rotated, expiring, or compromised. No secrets in the email body.

Credentials rot. Rotation is manual. Leaks happen.

Every engineering team has API keys that have not been rotated in months, shared passwords in Slack DMs, and service accounts with credentials known by people who left the company six months ago. Manual credential management does not scale, and the consequences of getting it wrong — data breaches, unauthorized access, compliance violations — are severe.

Developers building credential management agents need an encrypted vault and notification primitives. Mailgent provides vault.store for encrypted storage, vault.get for secure retrieval, vault.totp for 2FA during rotations, and mail.send to alert teams when credentials change.

How to build it.

01 vault.store

Store credentials securely

Your agent stores API keys, database passwords, and service tokens using vault.store. Each credential is encrypted with AES-256-GCM and scoped to the appropriate agent identity.

02 vault.get

Rotate on schedule

The agent retrieves expiring credentials with vault.get, generates new ones via the provider's API, stores the new values, and updates dependent services.

03 mail.send

Notify stakeholders

After rotation, the agent sends notification emails using mail.send — confirming the rotation, listing affected services, and noting the next scheduled rotation. No secrets in the email.

Example prompt

Check for any API keys older than 90 days. Rotate them, store the new keys in the vault, update the staging environment, and email the engineering team with a summary of what changed.
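The rotate-and-notify loop described above, as an added example that is not Mailgent's code or API. An in-memory dict stands in for the vault (its layout, the function names and the sample entries are constructed assumptions), the 90-day threshold comes from the example prompt, and the notice is checked for secret values before it would be sent.

```python
import secrets
from datetime import datetime, timedelta, timezone

MAX_AGE = timedelta(days=90)  # threshold taken from the example prompt
NOW = datetime(2025, 1, 1, tzinfo=timezone.utc)  # constructed clock for the sample


def sample_vault():
    """Constructed entries; a dict stands in for the encrypted vault."""
    return {
        "payments_api_key": {"value": "sk_old_example_1", "created": NOW - timedelta(days=120)},
        "db_password": {"value": "pw_example_2", "created": NOW - timedelta(days=30)},
        "ci_token": {"value": "tok_old_example_3", "created": NOW - timedelta(days=91)},
    }


def rotate_stale(vault, now, new_secret=lambda: secrets.token_urlsafe(32)):
    """Replace every entry older than MAX_AGE; return (name, old_created) pairs."""
    rotated = []
    for name, entry in sorted(vault.items()):
        if now - entry["created"] > MAX_AGE:
            rotated.append((name, entry["created"]))
            vault[name] = {"value": new_secret(), "created": now}
    return rotated


def build_notice(rotated, vault, now):
    """Build the email body from metadata only, then verify it carries no secret."""
    lines = [f"Credential rotation summary ({now:%Y-%m-%d})"]
    for name, old_created in rotated:
        lines.append(
            f"- {name}: rotated (previous key created {old_created:%Y-%m-%d}), "
            f"next rotation due {now + MAX_AGE:%Y-%m-%d}"
        )
    body = "\n".join(lines)
    # Guard: refuse to hand the body to the mailer if any stored value appears in it.
    leaked = [n for n, e in vault.items() if e["value"] in body]
    if leaked:
        raise ValueError(f"secret value found in email body for: {leaked}")
    return body


if __name__ == "__main__":
    vault = sample_vault()
    print(build_notice(rotate_stale(vault, NOW), vault, NOW))
```

The guard catches the case where a credential's label or a templated field accidentally contains the secret itself, which is the usual way a value ends up in a notification.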

What developers build.

API key rotation

Build agents that track API key ages, rotate them before expiry, store new keys in the vault, and update all dependent systems automatically.

Password policy enforcement

Build agents that check password ages against your policy, force rotation when overdue, and notify account owners via email.

Credential leak response

Build agents that detect exposed credentials in security alerts, immediately rotate the compromised secret, update all affected systems, and notify the security team via email.

Service account management

Build agents that maintain an inventory of service accounts, rotate their credentials quarterly, and report orphaned accounts that no system uses.

Why not use a secrets manager?

Secrets managers like AWS Secrets Manager or HashiCorp Vault store credentials well, but they do not manage the lifecycle. Rotation, notification, and cleanup are still manual or require custom Lambda functions and webhook plumbing.

Mailgent gives your agent vault primitives and email primitives in one place. vault.store handles encrypted storage, vault.get handles retrieval, and mail.send handles team notification. Your agent manages the full lifecycle with a simple tool chain.

AES-256-GCM encryption

Every credential encrypted at rest with AES-256-GCM. Keys are managed per-identity.

Scoped access

Each agent identity has its own vault partition. A deployment agent cannot access a billing agent's secrets.

Access audit log

Every vault.get and vault.store call is logged with the calling identity and timestamp.


Rotate credentials automatically.

Before they leak.