A secure secret management service designed specifically for AI agents. Vincent stores secrets on behalf of users and executes actions using those secrets when requested by authorized agents; the agent never sees the actual secret value.
Try it live: heyvincent.ai
AI agents increasingly need to perform sensitive operations that require secrets (wallet keys, API keys, credentials). Current approaches either:
- Give agents direct access to secrets: risky, agents could leak or misuse them
- Require manual approval for every action: slow, poor UX
Vincent provides a middle ground: agents can request actions that use secrets, but policies control what actions are allowed, and humans can approve when needed.
- Secure Secret Storage: Secrets stored in PostgreSQL (encrypted at rest), never exposed to agents
- Smart Wallet Skill: EVM wallet operations via ZeroDev smart accounts with gas sponsorship
- Polymarket Skill: Place prediction market bets with policy controls
- Token Swaps: Swap tokens via 0x aggregator with spending limits
- Policy Engine: Spending limits, address allowlists, token allowlists, and more
- Human Approval: Telegram bot for approving sensitive transactions
- Audit Logging: Complete transaction history with input/output data
- Billing Integration: Stripe subscriptions for mainnet gas sponsorship
```
+-----------------+      +-----------------+      +-----------------+
|    AI Agent     |----->|   Vincent API   |----->|   PostgreSQL    |
|                 |      |    (Backend)    |      |  (Secrets DB)   |
+-----------------+      +--------+--------+      +-----------------+
                                  |
                                  v
                         +-----------------+
                         | Skill Executor  |
                         |  (ZeroDev/0x)   |
                         +-----------------+
                                  |
         +------------------------+------------------------+
         v                        v                        v
+-----------------+      +-----------------+      +-----------------+
|  Telegram Bot   |      |  Frontend App   |      |   Blockchain    |
|   (Approvals)   |      |  (User Portal)  |      |  (EVM Chains)   |
+-----------------+      +-----------------+      +-----------------+
```
Secrets are stored encrypted and never exposed to agents. Each secret has:
- A type (e.g., `EVM_WALLET`)
- A memo for user notes
- A claim token for ownership transfer
Skills are capabilities tied to secret types. Current skills:
- EVM Wallet: Transfer ETH/ERC20, send transactions, swap tokens
- Polymarket: Place bets, check positions, browse markets
Policies govern how secrets can be used:
| Policy | Description |
|---|---|
| `ADDRESS_ALLOWLIST` | Only interact with approved addresses |
| `FUNCTION_ALLOWLIST` | Only call approved contract functions |
| `TOKEN_ALLOWLIST` | Only transfer approved tokens |
| `SPENDING_LIMIT_PER_TX` | Max USD value per transaction |
| `SPENDING_LIMIT_DAILY` | Max USD value per 24 hours |
| `SPENDING_LIMIT_WEEKLY` | Max USD value per 7 days |
| `REQUIRE_APPROVAL` | Always require human approval |
| `APPROVAL_THRESHOLD` | Require approval above USD amount |
Each secret can have multiple API keys for agent access. Keys are bcrypt-hashed and prefixed with ssk_.
| Component | Technology |
|---|---|
| Backend | Node.js + TypeScript + Express 5 |
| Database | PostgreSQL + Prisma |
| Authentication | Stytch |
| Smart Accounts | ZeroDev (Kernel v3.1, EntryPoint v0.7) |
| DEX Aggregator | 0x Swap API v2 |
| Prediction Markets | Polymarket CLOB API |
| Token Balances | Alchemy Portfolio API |
| Payments | Stripe |
| Approval Bot | Telegram (grammy) |
| Frontend | React + TypeScript + Vite + Tailwind CSS v4 |
- Node.js >= 20.0.0
- PostgreSQL database
- Account credentials for external services (see Environment Variables)
```bash
# Install backend dependencies
npm install
# Install frontend dependencies
npm --prefix frontend install
# Generate Prisma client
npm run db:generate
# Run database migrations
npm run db:migrate
```

Copy `.env.example` to `.env` and configure:
```
# Server
NODE_ENV=development
PORT=3000
# Database
DATABASE_URL=postgresql://user:pass@localhost:5432/Vincent
# Stytch Authentication
STYTCH_PROJECT_ID=
STYTCH_SECRET=
STYTCH_ENV=test
# ZeroDev Smart Accounts
ZERODEV_PROJECT_ID=
ZERODEV_API_KEY=
# Stripe Billing
STRIPE_SECRET_KEY=
STRIPE_WEBHOOK_SECRET=
STRIPE_PRICE_ID=
# Telegram Bot
TELEGRAM_BOT_TOKEN=
# Price Oracle
COINGECKO_API_KEY=
# Token Balances
ALCHEMY_API_KEY=
# 0x DEX Aggregator
ZEROX_API_KEY=
```

```bash
# Development (backend + frontend)
npm run dev:all
# Backend only
npm run dev
# Frontend only
npm run dev:frontend
# Production build
npm run build
npm start
```

| Endpoint | Description |
|---|---|
| `POST /api/secrets` | Create secret (returns API key + claim URL) |
| `GET /api/secrets/info` | Get secret metadata via API key |
| `POST /api/secrets/:id/claim` | Claim a secret (requires auth) |
| `POST /api/secrets/relink` | Exchange relink token for new API key |

| Endpoint | Description |
|---|---|
| `POST /api/skills/evm-wallet/transfer` | Transfer ETH or ERC20 |
| `POST /api/skills/evm-wallet/send-transaction` | Execute arbitrary transaction |
| `POST /api/skills/evm-wallet/swap/preview` | Preview token swap |
| `POST /api/skills/evm-wallet/swap/execute` | Execute token swap |
| `GET /api/skills/evm-wallet/balance` | Get ETH/ERC20 balance |
| `GET /api/skills/evm-wallet/balances` | Get portfolio balances (multi-chain) |
| `GET /api/skills/evm-wallet/address` | Get smart account address |

| Endpoint | Description |
|---|---|
| `POST /api/skills/polymarket/bet` | Place a bet |
| `GET /api/skills/polymarket/positions` | Get open positions |
| `GET /api/skills/polymarket/markets` | Search markets |
| `GET /api/skills/polymarket/balance` | Get USDC balance |
| `DELETE /api/skills/polymarket/orders/:id` | Cancel order |

| Endpoint | Description |
|---|---|
| `GET /api/secrets/:id/policies` | List policies |
| `POST /api/secrets/:id/policies` | Create policy |
| `DELETE /api/secrets/:id/policies/:policyId` | Delete policy |

| Endpoint | Description |
|---|---|
| `GET /api/billing/subscription` | Get subscription status |
| `POST /api/billing/subscribe` | Create Stripe checkout session |
| `GET /api/billing/usage` | Get current month gas usage |

- Agent calls `POST /api/secrets` with `type: "EVM_WALLET"`
- API generates EOA private key, creates ZeroDev smart account
- Returns API key, claim URL, and smart account address
- Agent immediately starts using the wallet via API
- Owner later claims via URL, adds policies

- Agent calls skill endpoint with API key
- Backend validates API key and checks policies
- If allowed → execute immediately
- If requires approval → send Telegram notification
- If denied → return error
- Return result to agent
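
The policy table and the three-way outcome in the flow above (execute, ask for approval, deny) can be combined into one decision function. This is an added example, not Vincent's own code: the policy field names, the `Action` shape, the 24-hour spend input and the `INVALID_AMOUNT` reason are assumptions.

```typescript
// Added illustration, not Vincent's source. Field names (addresses, maxUsd, usd),
// the Action shape and the INVALID_AMOUNT reason are assumptions.
type Policy =
  | { type: "ADDRESS_ALLOWLIST"; addresses: string[] }
  | { type: "SPENDING_LIMIT_PER_TX" | "SPENDING_LIMIT_DAILY"; maxUsd: number }
  | { type: "REQUIRE_APPROVAL" }
  | { type: "APPROVAL_THRESHOLD"; usd: number };
interface Action { to: string; usdValue: number }
interface Decision { verdict: "allow" | "require_approval" | "deny"; reasons: string[] }

function evaluate(policies: Policy[], action: Action, spent24hUsd: number): Decision {
  // Fail closed on amounts that would slip past the numeric comparisons (NaN, negative).
  if (!isFinite(action.usdValue) || action.usdValue < 0 || !isFinite(spent24hUsd)) {
    return { verdict: "deny", reasons: ["INVALID_AMOUNT"] };
  }
  const to = action.to.toLowerCase(); // hex addresses compare case-insensitively
  const deny: string[] = [];
  const approve: string[] = [];
  for (const p of policies) {
    switch (p.type) {
      case "ADDRESS_ALLOWLIST":
        if (!p.addresses.some((a) => a.toLowerCase() === to)) deny.push(p.type);
        break;
      case "SPENDING_LIMIT_PER_TX":
        if (action.usdValue > p.maxUsd) deny.push(p.type);
        break;
      case "SPENDING_LIMIT_DAILY":
        if (spent24hUsd + action.usdValue > p.maxUsd) deny.push(p.type);
        break;
      case "REQUIRE_APPROVAL":
        approve.push(p.type);
        break;
      case "APPROVAL_THRESHOLD":
        if (action.usdValue > p.usd) approve.push(p.type);
        break;
    }
  }
  // Every policy is checked; a denial always outranks an approval request.
  if (deny.length > 0) return { verdict: "deny", reasons: deny };
  if (approve.length > 0) return { verdict: "require_approval", reasons: approve };
  return { verdict: "allow", reasons: [] };
}

// Constructed sample policies and address (not real values).
const SAMPLE: Policy[] = [
  { type: "ADDRESS_ALLOWLIST", addresses: ["0x000000000000000000000000000000000000dEaD"] },
  { type: "SPENDING_LIMIT_DAILY", maxUsd: 100 },
  { type: "APPROVAL_THRESHOLD", usd: 25 },
];
```

An empty policy list evaluates to `allow` here, which matches the wallet-creation flow where the agent uses the wallet before the owner has claimed it and added policies.
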
- User configures Telegram in the frontend
- User starts conversation with Vincent bot
- When approval needed, bot sends message with action details
- User taps Approve or Deny
- Action executes or fails accordingly
- Free tier: Testnets only, unlimited usage
- Pro tier: $10/month subscription + mainnet gas costs
Gas is sponsored via ZeroDev paymaster. Mainnet gas costs are passed through at cost.
```bash
# Run tests
npm test
# Run tests in watch mode
npm run test:watch
# Lint code
npm run lint
# Format code
npm run format
# Open Prisma Studio
npm run db:studio
```

```
/src
  /api        # Express routes and middleware
  /services   # Business logic (secrets, auth, policies)
  /skills     # Skill implementations (EVM wallet, Polymarket)
  /policies   # Policy checking engine
  /db         # Prisma client
  /types      # TypeScript types
  /utils      # Helpers (env, response formatting)
  /telegram   # Telegram bot for approvals
  /audit      # Audit logging service
  /billing    # Stripe integration & gas tracking
/prisma       # Schema & migrations
/frontend     # React application
/skills       # Skill documentation for agents
```

- Database Encryption: PostgreSQL encrypted at rest
- API Key Hashing: Keys hashed with bcrypt, shown once on creation
- Rate Limiting: Configurable rate limits on all endpoints
- Audit Logging: All actions logged with full inputs/outputs
- Claim Token Security: One-time use, expire after 7 days
- Secret Isolation: Agents never see raw secret values
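
What "one-time use, expire after 7 days" requires of a claim token, as an added example that is not Vincent's own code: the in-memory store, the token format, storing only a SHA-256 hash of the token, and the function names are all assumptions.

```typescript
import { createHash, randomBytes } from "crypto";

// Added illustration, not Vincent's source: an in-memory object stands in for the
// database; token format, hash-at-rest and function names are assumptions.
const CLAIM_TTL_MS = 7 * 24 * 60 * 60 * 1000; // "expire after 7 days"

interface ClaimRecord { secretId: string; expiresAt: number; usedAt: number | null }
const claims: { [tokenHash: string]: ClaimRecord } = {};

const sha256 = (s: string): string => createHash("sha256").update(s).digest("hex");

// Returns the raw token exactly once; only its hash is retained.
function issueClaimToken(secretId: string, now: number): string {
  const token = randomBytes(32).toString("hex");
  claims[sha256(token)] = { secretId, expiresAt: now + CLAIM_TTL_MS, usedAt: null };
  return token;
}

// Returns the claimed secret id, or null if the token is unknown, expired or already used.
function redeemClaimToken(token: string, now: number): string | null {
  const rec = claims[sha256(token)];
  if (!rec || rec.usedAt !== null || now >= rec.expiresAt) return null;
  // With a real database the check and this write must be one atomic statement,
  // otherwise two concurrent redemptions can both succeed.
  rec.usedAt = now;
  return rec.secretId;
}
```
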
Pushing to main will automatically deploy to Railway at heyvincent.ai.
To publish the Agent Wallet skill to Clawhub:

```bash
./scripts/publish_skill.sh
```

This script will:
- Bump the patch version in `package.json`
- Copy `skills/wallet/SKILL.md` to `frontend/public/SKILL.md`
- Copy `skills/wallet/SKILL.md` to `../agent-skills/skills/wallet/SKILL.md`
- Publish to Clawhub with the new version

ISC