Documentation Overview

Ephos is a high-performance, zero-knowledge Identity Broker designed to secure the connection between autonomous AI agents and sensitive API credentials.

The Mental Model

Ephos shifts the paradigm from Secret Management to Identity Brokering. Instead of giving an agent a secret, you give it an identity that has the permission to use a secret through a secure proxy.

Phantom Keys (`pk_xxx`)

The "Master Secret." This is the raw API key (e.g., your OpenAI or Stripe key) encrypted client-side using your Master Passphrase. Ephos never sees this key in its raw form; it exists only as an opaque, encrypted blob in our Zero-Knowledge Vault.

Ephos Tokens (`et_xxx`)

The "Agent Credential." You mint these tokens from a Phantom Key. They are unique, revocable identities that act as a pointer to the underlying master secret without ever exposing it.

Token Secrets (`ps_xxx`)

The scoped execution credential. Token Secrets allow agents to request delegated access through Ephos without ever receiving the underlying master API key. Unlike production credentials, Token Secrets are isolated, revocable, and constrained by policy scope.

Ephos Enclave

When an agent makes a request using an Ephos Token + Token Secret, our Gateway validates the identity, retrieves the encrypted Phantom Key, and decrypts it into Ephemeral Memory within the Ephos enclave. The request executes statelessly, and the secret is immediately wiped from memory. The agent never sees the raw key.

Who is Ephos for?

• AI Developers: Building autonomous agents that need to perform actions in SaaS tools.
• Security Teams: Wanting to implement Zero-Trust principles for non-human identities.
• Enterprise Orgs: Needing to delegate production API access to developers without exposing the underlying secrets.