Cred

Cred acts as a middleware broker that enables AI agents to obtain short‑lived OAuth access tokens without exposing long‑lived refresh tokens. A developer registers an application, deploys the self‑hosted Cred vault, configures supported providers such as Google, GitHub, or Slack, and gives the agent a bearer token and server URL. When a user grants consent through a standard OAuth flow, Cred stores the refresh token encrypted in the vault, then on behalf of the agent performs a PKCE‑protected exchange and returns a fresh access token while keeping the refresh token locked away.

The system records each delegation with an Ed25519‑signed receipt, providing an append‑only audit trail, and supports instant revocation that invalidates tokens across all agents. Encryption of stored tokens uses AES‑256‑GCM with per‑account keys, and key management can be delegated to services like AWS KMS or HSMs.

Cred is released as open‑source packages for TypeScript, Python, and other runtimes, offering a simple API that abstracts the OAuth handshake and vault interaction, allowing developers to focus on agent logic rather than credential plumbing.