Backed byY Combinator
Give your agents access,
not your secrets.
Agents talk to OneCLI. OneCLI talks to the service.
Keys never leave the vault.
$ docker run ghcr.io/onecli/onecli
gateway ready · vault unlocked
claude-agentGETgithub.com/repos/acme/app✓ key injected
n8n-flowPOSTstripe.com/v1/refunds… held for approval
cursorDELETEgithub.com/repos/acme/app✗ blocked by policy
0 keys exposed to agents
Ecosystem
Works with your whole stack
Coding agents, desktop apps, and autonomous workflows on one side. GitHub, Stripe, Postgres, Slack, and 30+ services on the other. OneCLI sits in the middle and injects scoped credentials per request.
It happened to her.
It won't happen to you.
META's head of AI safety and alignment gets her emails nuked by OpenClaw
>be director of AI Safety and Alignment at Meta
>install OpenClaw
>give it unrestricted access to personal emails
>it starts nuking emails
>"Do not do that"
>*keeps going*
>"Stop don't do anything"
>*gets all remaining old stuff and nukes it aswell*
>"STOP OPENCLAW"
>"I asked you to not do that"
>"do you remember that?"
>"Yes I remember. And I violated it."
>"You're right to be upset"



With OneCLI, agents call APIs through a gateway that injects credentials at the network layer. They never see a key, and you control exactly what they can access.
Policy engine
Rules agents can't break
Prompts are suggestions. OneCLI policies are enforced at the network layer, outside the agent, outside the LLM. No matter what the model decides, the proxy enforces your rules deterministically.
Block endpoints
Prevent agents from calling specific APIs (DELETE /repos, POST /payments, or any path you define). Enforced at the proxy, not a suggestion.
Rate limit per agent
Cap how many requests an agent can make per minute, hour, or day. Stop runaway loops before they cause damage.
Require approval
Flag sensitive operations for human review before they go through. Agents wait, you decide.
Scope per project
Each agent only accesses the credentials and services assigned to its project. No cross-project leakage.
Compatibility
Drop-in security for any agent
One command. Zero code changes. Your agents stay secure.
$ docker run ghcr.io/onecli/onecliCoding Agents
Your Cursor or Claude agent pushes to GitHub, creates Jira tickets, and deploys to Vercel, all through OneCLI's gateway. Credentials injected, never exposed.
Autonomous Workflows
n8n, Dify, or custom pipelines call Slack, Google Calendar, and Stripe APIs. OneCLI injects OAuth tokens per-request. Revoke access instantly.
Team Governance
10 agents across 3 projects. Rate limits on the Slack API, approval rules for payment endpoints, full audit logs. One dashboard.
Security & Compliance
Show exactly which agent called which API, when, and what credentials were used. No keys in logs, no keys in prompts.
AI researcher
“CLIs are super exciting precisely because they are a “legacy” technology, which means AI agents can natively and easily use them.”
CEO, Vercel
“Google has shipped a CLI for Google Workspace. 2026 is the year of Skills & CLIs.”
OpenClaw creator
“Agents are really, really good at calling CLIs (actually much better than calling MCPs).”
COO, GitHub
“GitHub Copilot CLI is generally available with custom agents, multi-model autopilot, and much more.”
FAQ
Common questions
What is OneCLI?
OneCLI is an open-source credential gateway for AI agents: a secure gateway, an encrypted vault, and a dashboard in one Docker container. Agents make API calls through OneCLI, and credentials are injected at the network layer, so keys never leave the vault.
How does OneCLI keep API keys away from agents?
Credentials live in an encrypted vault (local KMS or OneCLI Cloud) and are injected per-request at the proxy boundary. The agent and the LLM never see a key: not in environment variables, not in prompts, not in logs.
Does it work with my agent framework?
Yes. OneCLI is framework-agnostic: OpenClaw, NanoClaw, IronClaw, Dify, n8n, OpenHands, or any custom pipeline that makes HTTP calls. There are no code changes. Agents route through the gateway with one command.
What can I enforce?
Block specific endpoints, rate-limit per agent, require human approval for sensitive operations, and scope credentials per project. Policies are enforced at the network layer, outside the agent and outside the LLM. They are rules, not suggestions.
Is OneCLI open source?
Yes. OneCLI is Apache 2.0 licensed and developed in the open on GitHub. Self-host it for free with Docker, or use OneCLI Cloud if you want a managed vault and dashboard.
How long does setup take?
One command: docker run ghcr.io/onecli/onecli starts the gateway, vault, and dashboard. The free tier covers 2 agents forever, with no credit card required.
Get started
Start securing your agents today
Free forever for up to 2 agents. No credit card required.