AGENT KEY MANAGEMENT & CREDENTIAL PROXY

Arsenal

Agent-native API key management with short-lived, scoped Agent Capability Tokens (ACTs). Minimizes blast radius through proof-of-possession binding, cryptographically linked audit trails, and least-privilege scoping.

58.4K LOC
7 crates
1 language

Capabilities

01. Agent Capability Token (ACT) framework
02. Short-lived tokens (30s to 10min TTL)
03. Proof-of-possession binding
04. mTLS-required broker communication
05. Encrypted secret storage
06. Hash-chained audit logging

7 Crates

Inside Arsenal

Every crate in the Arsenal workspace, what it does, and how it fits together.

01. arsenal-core (8.2K LOC)

ACT token format, scope model (service:resource:action), and token lifecycle. Defines the CapabilityToken type with all constraint fields.

02. arsenal-crypto (6.1K LOC)

Ed25519 + X25519 key operations, XChaCha20-Poly1305 encryption, HKDF key derivation, and constant-time token comparison.

03. arsenal-store (9.4K LOC)

Encrypted secret storage with in-memory, file, and database backends. All secrets encrypted with XChaCha20-Poly1305.

04. arsenal-policy (7.8K LOC)

Declarative policy engine with CBOR serialization. 6 constraint types: device, session, origin, network, time window, environment.

05. arsenal-broker (12.3K LOC)

mTLS-required broker gateway. Validates proof-of-possession, enforces scope narrowing, and manages secret injection.

06. arsenal-sdk (5.6K LOC)

Client SDK for requesting and managing ACTs. Handles token refresh, scope negotiation, and audit log submission.

07. arsenal-audit (8.9K LOC)

Hash-chained audit logging with tamper detection. Each entry links to the previous via BLAKE3 hash.

Cryptography

Ed25519
X25519
XChaCha20-Poly1305
HKDF-SHA256
BLAKE3
Argon2id

Available in

Rust

Install

$ cargo add arsenal

Start building with Arsenal

Read the documentation or explore the source.