@fundamental-research-labs/sfae
v0.0.9
Published
Credential gateway CLI for agents making authenticated API requests
Readme
SFAE — Speak Friend, and Enter
Pronounced "safe." sfae.io
SFAE lets AI coding agents make authenticated API calls and database queries without ever seeing your credentials. Agents use placeholders such as {ACCESS_TOKEN} or {PASSWORD}. SFAE resolves them from secret storage at execution time, so secrets stay out of chat and out of the context window.
Features
- Secret-manager storage — macOS Keychain, Windows Credential Manager, Linux Secret Service, or an authenticated SFAE backend.
- Credentials agents can request safely — API keys, Basic Auth, OAuth 2.0, and more.
- Communication protocols — HTTP by default, plus Postgres and Redis with
--protocol.
Install
Install the SFAE skill in the current project:
curl -fsSL https://sfae.io/install-skill.sh | shBy default this installs the skill for supported agent targets. To target one agent, pass a flag such as --codex, --claude, or --grok.
curl -fsSL https://sfae.io/install-skill.sh | sh -s -- --codexThe skill includes a small CLI installer. When an agent needs SFAE and the sfae command is not available yet, it can install the CLI through the bundled helper. CLI-only installation and command details live in docs/cli.md.
Quick Start
You normally do not need to run SFAE commands yourself. Install the skill, then ask your agent to use SFAE for authenticated work:
Use SFAE to call the GitHub API and tell me who I am. If credentials are missing, open the SFAE browser form. Do not ask me to paste secrets into chat.Use SFAE for the API call in this repo. Read the service's official API/auth docs first, collect credentials through SFAE if needed, then make the request with placeholders.The agent checks which credentials exist, opens a web form when something is missing, and makes the authenticated request with placeholders. You provide secrets only in the browser form, not in chat.
How It Works
- The agent reads the service's official API/auth docs and checks for stored credentials.
- SFAE offers you a web form for anything missing.
- The agent makes HTTP, Postgres, or Redis requests with placeholders, and SFAE resolves them from secret storage.
Roadmap
| Area | Work | | --- | --- | | Authentication | x.509 certificate authentication | | Protocol | Support MySQL / MariaDB | | Protocol | Support MongoDB | | Protocol | Support Microsoft SQL Server / TDS | | Protocol | Support ClickHouse | | Product | Add a credential management UI |
License
MIT
