
agent-credentials

v0.3.0

Published

Universal credential injector for AI agents. Install it. Everything just works.


License: MIT npm Node 20+ TypeScript Tests


One install. Zero config. Every CLI tool gets credentials automatically.


The Problem

You have 5 Google accounts, 3 GitHub tokens, and 20 CLI tools — each reading credentials from different env var names. Every new tool needs manual setup. Multi-account is a mess.

The Solution

npm install -g agent-credentials

That's it. agent-credentials:

  1. Scans your machine for existing credentials (AWS, GCloud, GitHub, .env files, keychains)
  2. Stores them encrypted in a unified store
  3. Injects them into every shell — expanding to ALL known env var names each tool expects

Every CLI tool just works. No manual env var setup. No per-tool configuration.


Quick Start

npm install -g agent-credentials

That's it. Install auto-scans your machine, hooks your shell, and stores everything encrypted. Open a new terminal — every CLI tool just works.

Docker

RUN npm install -g agent-credentials
ENTRYPOINT ["sh", "-c", "eval \"$(agent-credentials inject)\" && exec \"$@\"", "--"]

Manual inject (no shell hook)

eval "$(agent-credentials inject)"       # bash/zsh
agent-credentials inject --json          # programmatic

What it does

┌──────────────────────────────────────────────────┐
│                agent-credentials                  │
│                                                   │
│  Scan       → discover creds from env, files,     │
│               keychains, .env, AWS/GCloud config   │
│                                                   │
│  Store      → encrypted, multi-account,            │
│               provider-aware                       │
│                                                   │
│  Resolve    → pick default account, check expiry,  │
│               expand aliases                       │
│                                                   │
│  Inject     → eval "$(agent-credentials inject)"   │
│               sets ALL env vars for ALL tools       │
└──────────────────────────────────────────────────┘

Multi-Account

Connect multiple accounts per provider. Default account is used automatically.

# Add accounts
agent-credentials add google --account [email protected] --token ya29...
agent-credentials add google --account [email protected] --token ya29...

# Set default
agent-credentials set-default google [email protected]

# List
agent-credentials accounts google
# → * [email protected] (default)
#   [email protected]

# Injected env vars:
# GOOGLE_ACCESS_TOKEN=<work token>           ← default
# GOOGLE_OAUTH_TOKEN=<work token>            ← alias
# CLOUDSDK_AUTH_ACCESS_TOKEN=<work token>    ← alias
# [email protected],[email protected]

Auto-Scan Sources

agent-credentials automatically discovers credentials from:

| Source                   | What it finds                                          |
| ------------------------ | ------------------------------------------------------ |
| Environment variables    | Any existing API keys (GOOGLE_API_KEY, GH_TOKEN, etc.) |
| ~/.aws/credentials       | AWS access keys and profiles                           |
| ~/.config/gcloud/        | Google OAuth tokens                                    |
| ~/.config/gh/hosts.yml   | GitHub tokens                                          |
| ~/.docker/config.json    | Docker registry auth                                   |
| .env files               | Project-level secrets                                  |
| macOS Keychain           | Stored service passwords                               |
| ~/.kube/config           | Kubernetes tokens                                      |
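
Before the first scan it helps to know which of these sources exist on a machine and whether their file modes already expose them to other local users. The following is an added example, not the project's code: it walks the per-user paths from the table above under a given home directory, and `audit_sources`, `demo` and the sample files are hypothetical and constructed.

```python
import os
import stat
import tempfile
from pathlib import Path

# Per-user paths from the "Auto-Scan Sources" table on this page.
SCAN_SOURCES = (
    ".aws/credentials",
    ".config/gcloud",
    ".config/gh/hosts.yml",
    ".docker/config.json",
    ".kube/config",
)


def audit_sources(home, project_dir=None):
    """List scan sources that exist, with mode and a group/other-access flag."""
    candidates = [Path(home) / rel for rel in SCAN_SOURCES]
    if project_dir is not None:
        # Project-level secrets: .env and .env.* files in the project directory.
        candidates += sorted(Path(project_dir).glob(".env*"))
    findings = []
    for path in candidates:
        try:
            mode = stat.S_IMODE(path.stat().st_mode)
        except FileNotFoundError:
            continue  # source absent, nothing would be imported from it
        findings.append({
            "path": str(path),
            "mode": oct(mode),
            # Any group/other bit means the source is not private to its owner.
            "exposed": bool(mode & (stat.S_IRWXG | stat.S_IRWXO)),
        })
    return findings


def demo():
    """Audit a constructed home directory holding two sample files."""
    with tempfile.TemporaryDirectory() as home:
        for rel, mode in ((".aws/credentials", 0o644), (".kube/config", 0o600)):
            path = Path(home, rel)
            path.parent.mkdir(parents=True)
            path.write_text("constructed\n")
            os.chmod(path, mode)
        return [(f["path"][len(home) + 1:], f["mode"], f["exposed"])
                for f in audit_sources(home)]


if __name__ == "__main__":
    print(demo())
```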


40+ Providers, 200+ Env Vars

Built-in alias registry covers all major tools:

| Provider  | Env vars auto-mapped                                                                |
| --------- | ----------------------------------------------------------------------------------- |
| Google    | GOOGLE_API_KEY, GOOGLE_ACCESS_TOKEN, GOOGLE_OAUTH_TOKEN, CLOUDSDK_AUTH_ACCESS_TOKEN |
| GitHub    | GH_TOKEN, GITHUB_TOKEN                                                              |
| AWS       | AWS_ACCESS_KEY_ID + AWS_SECRET_ACCESS_KEY (always paired)                           |
| OpenAI    | OPENAI_API_KEY                                                                      |
| Anthropic | ANTHROPIC_API_KEY                                                                   |
| Stripe    | STRIPE_API_KEY, STRIPE_SECRET_KEY                                                   |
| Slack     | SLACK_BOT_TOKEN, SLACK_API_TOKEN                                                    |
| + 33 more | Full registry →                                                                     |

Same credential → injected under ALL known env var names. Any CLI tool reads its expected var.


CLI Reference

agent-credentials init               # Auto-hook shell + first scan
agent-credentials inject             # Output env var exports (for eval)
agent-credentials inject --json      # Output as JSON
agent-credentials inject --dry-run   # Show what would be injected (masked)
agent-credentials scan               # Re-scan all sources
agent-credentials add <provider>     # Add a credential manually
agent-credentials remove <provider>  # Remove a credential
agent-credentials list               # List all stored credentials
agent-credentials accounts <provider> # List accounts for a provider
agent-credentials set-default <provider> <account>  # Set default account
agent-credentials check              # Health check all credentials
agent-credentials rotate-key         # Re-encrypt with new key
agent-credentials version            # Print version
agent-credentials uninstall          # Remove store, key, shell hooks

For AI Agent Frameworks

agent-credentials is framework-agnostic. Works with any agent that spawns processes:

| Framework     | Integration                                                |
| ------------- | ---------------------------------------------------------- |
| Claude Code   | Shell profile — zero code                                  |
| OpenClaw      | Shell exec env — zero code                                 |
| LangChain     | subprocess.Popen(env=json.loads(output))                   |
| CrewAI        | Same as LangChain                                          |
| AutoGen       | Same as LangChain                                          |
| Any framework | eval "$(agent-credentials inject)" before tool execution   |
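
Passing the whole `inject --json` result as `env=` gives every child process every stored credential, and because `env=` replaces the environment it also drops PATH and HOME. The following added example (not the project's code) scopes a child to named providers using the alias names from this page. It assumes the JSON output is a flat name-to-value object; `scoped_env`, `visible_names`, `PROVIDER_VARS` and the sample values are hypothetical.

```python
import json
import os
import subprocess
import sys

# Env var names per provider, copied from the alias table on this page.
PROVIDER_VARS = {
    "github": {"GH_TOKEN", "GITHUB_TOKEN"},
    "aws": {"AWS_ACCESS_KEY_ID", "AWS_SECRET_ACCESS_KEY"},
    "openai": {"OPENAI_API_KEY"},
}
# Non-secret variables a child usually needs; Popen(env=...) replaces the
# whole environment, so these vanish unless they are passed explicitly.
BASE_VARS = ("PATH", "HOME", "LANG")


def scoped_env(injected, providers, parent=None):
    """Return an environment holding only the named providers' variables."""
    parent = os.environ if parent is None else parent
    env = {k: parent[k] for k in BASE_VARS if k in parent}
    for provider in providers:
        names = PROVIDER_VARS[provider]  # KeyError on an unknown provider
        found = {n: injected[n] for n in names if n in injected}
        # The page says AWS keys are always paired; refuse half a pair.
        if provider == "aws" and found and len(found) != len(names):
            raise ValueError("incomplete AWS key pair")
        env.update(found)
    return env


def visible_names(env):
    """Spawn a child process and report which variable names it can see."""
    code = "import os, json; print(json.dumps(sorted(os.environ)))"
    out = subprocess.run([sys.executable, "-c", code], env=env,
                         capture_output=True, text=True, check=True).stdout
    return json.loads(out)


# Constructed sample standing in for `agent-credentials inject --json` output.
SAMPLE = {
    "GH_TOKEN": "constructed-gh", "GITHUB_TOKEN": "constructed-gh",
    "AWS_ACCESS_KEY_ID": "constructed-id",
    "AWS_SECRET_ACCESS_KEY": "constructed-secret",
    "OPENAI_API_KEY": "constructed-openai",
    "STRIPE_SECRET_KEY": "constructed-stripe",
}

if __name__ == "__main__":
    env = scoped_env(SAMPLE, ["github"])
    print(visible_names(env))
```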


Cloud Storage (Supabase)

Set two env vars and agent-credentials auto-detects Supabase as the backend. All operations persist to your Supabase project instead of local files. Zero re-setup on host rebuild.

# Set env vars — agent-credentials auto-detects Supabase
export SUPABASE_URL="https://your-project.supabase.co"
export SUPABASE_SERVICE_KEY="your-service-key"
export AGENT_CREDENTIALS_KEY="your-64-char-hex-key"

# That's it. All operations now use Supabase.

| Feature        | Detail                                                                       |
| -------------- | ---------------------------------------------------------------------------- |
| Auto-detection | SUPABASE_URL + SUPABASE_SERVICE_KEY set = Supabase; otherwise local file     |
| Encryption     | AES-256-GCM in Node process. Supabase stores ciphertext only.                |
| Per-workspace  | Row-level security isolates each workspace's credentials.                    |
| Migration      | Run migrations/001_credential_store.sql in your Supabase project.            |
| Caching        | 5-minute in-memory cache on listAll(), invalidated on writes.                |

Programmatic usage

import {
  SupabaseBackend,
  CredentialStore,
  AesGcmEncryption,
} from "agent-credentials";

const store = new CredentialStore({
  backend: new SupabaseBackend({
    supabaseUrl: process.env.SUPABASE_URL!,
    supabaseKey: process.env.SUPABASE_SERVICE_KEY!,
  }),
  encryption: new AesGcmEncryption(process.env.AGENT_CREDENTIALS_KEY!),
});

Security

| Feature         | Detail                                                                    |
| --------------- | ------------------------------------------------------------------------- |
| Encryption      | AES-256-GCM at rest. Auto-generated key on first run.                     |
| Permissions     | Store dir: 0700. Key file: 0600.                                          |
| No plaintext    | Credentials never stored unencrypted.                                     |
| Scan only reads | Scanners only read existing files. Never modify.                          |
| No network      | Core package makes zero network requests. Scanners read local files only. |
| Open source     | Full source available. No telemetry. No phone-home.                       |


Development

git clone https://github.com/maxtongwang/agent-credentials
cd agent-credentials
npm install
npm test          # run all tests
npm run typecheck # TypeScript strict

MIT License