Documentation Overview

Ephos is a high-performance, zero-knowledge Identity Broker designed to secure the connection between autonomous AI agents and sensitive API credentials.

The Problem

AI agents are increasingly autonomous, but they typically handle API keys in raw form within `.env` files or system prompts. This creates a massive attack surface: prompt injection can leak keys, and compromised agents can exfiltrate credentials instantly.

The Mental Model

Ephos shifts the paradigm from Secret Management to Identity Brokering. Instead of giving an agent a secret, you give it an identity that has permission to use that secret through a secure proxy.

Core Terminology

Phantom Keys (`pk_xxx`)

The "Master Secret." This is the raw API key (e.g., your OpenAI or Stripe key) encrypted client-side using your Master Passphrase. Ephos never sees this key in its raw form; it exists only as an opaque, encrypted blob in our vault.

Ephos Tokens (`et_xxx`)

The "Agent Credential." You mint these tokens from a Phantom Key. They are scoped, revocable, and tied to specific domains. If a token is stolen, the "blast radius" is limited to the specific permissions you granted it.

The Secure Tunnel

When an agent makes a request using an Ephos Token, our Gateway retrieves the encrypted Phantom Key, decrypts it into volatile RAM for the duration of the request, executes the call, and then wipes the memory clean. The agent never sees the raw key.
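
The flow described above, sketched as an added example that is not Ephos code or its API: a toy in-memory broker that checks token revocation and domain scope before unsealing the key for a single call. The class and method names, the `unseal` callable, the exact-host-over-HTTPS matching rule and the `Authorization: Bearer` header are assumptions made for illustration.

```python
# Added illustration: a toy in-memory model, not Ephos code or its API.
import secrets
from dataclasses import dataclass
from urllib.parse import urlsplit

@dataclass
class Token:
    pk_id: str                 # Phantom Key this token was minted from
    hosts: frozenset           # domains the token is tied to
    revoked: bool = False

class Broker:
    def __init__(self, unseal):
        self._unseal = unseal  # assumed callable: stored blob -> raw key bytes
        self._vault = {}       # pk_... -> opaque encrypted blob
        self._tokens = {}      # et_... -> Token

    def store(self, blob: bytes) -> str:
        pk = "pk_" + secrets.token_hex(8)
        self._vault[pk] = blob
        return pk

    def mint(self, pk: str, hosts) -> str:
        if pk not in self._vault:
            raise KeyError("unknown Phantom Key")
        et = "et_" + secrets.token_hex(8)
        self._tokens[et] = Token(pk, frozenset(h.lower() for h in hosts))
        return et

    def revoke(self, et: str) -> None:
        self._tokens[et].revoked = True

    def forward(self, et: str, url: str, send):
        tok = self._tokens.get(et)
        if tok is None or tok.revoked:
            raise PermissionError("unknown or revoked token")
        target = urlsplit(url)
        # Exact host match over HTTPS; anything else never touches the key.
        if target.scheme != "https" or target.hostname not in tok.hosts:
            raise PermissionError("destination outside token scope")
        raw = bytearray(self._unseal(self._vault[tok.pk_id]))
        try:
            # Only the upstream call sees the key; the agent gets the response.
            return send(url, {"Authorization": "Bearer " + raw.decode()})
        finally:
            raw[:] = bytes(len(raw))  # best effort; the str copy above may linger
```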

Who is Ephos for?

  • AI Developers: Building autonomous agents that need to perform actions in SaaS tools.
  • Security Teams: Wanting to implement Zero-Trust principles for non-human identities.
  • Enterprise Orgs: Needing to delegate production API access to developers without exposing the underlying secrets.