OneCLI gives agents secure access to external services through a transparent gateway, encrypted secret store, and web dashboard.

Architecture overview

Rust gateway

The gateway (apps/proxy) is a fast HTTP gateway built in Rust that intercepts outbound requests and injects credentials. Agents authenticate with access tokens via Proxy-Authorization headers.

How it works:
  1. Your agent makes a normal HTTP request (e.g., GET https://www.googleapis.com/calendar/v3/events)
  2. The request goes through the gateway instead of directly to the internet
  3. The gateway matches the target host and path against stored secrets, decrypts the matching credentials, and injects the appropriate auth headers (Bearer token, API key, etc.)
  4. The request is forwarded to the service with credentials attached
  5. The response passes back through to your agent unchanged
Details:
  • Runs on port 10255
  • Agents authenticate with access tokens (each agent gets its own scoped token)
  • Host and path pattern matching routes secrets to the right API endpoints
  • MITM interception for HTTPS traffic
  • Built in Rust for low-latency proxying
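
The host and path matching and header injection described above, as an added example that is not OneCLI's own code. The rule syntax (exact host or `*.suffix`, path prefix on a segment boundary), the `Rule` type, the sample rules, and the choice to strip the agent's `Proxy-Authorization` and any agent-set copy of the injected header are assumptions. It fails closed on lookalike hosts and dot-segment paths so a credential is not attached to a request the rule was not written for.

```rust
// Added illustration, not OneCLI source. Rule syntax (exact or "*.suffix" host, path prefix) is assumed.
struct Rule { host: &'static str, path: &'static str, header: &'static str, secret_id: &'static str }

fn host_matches(pattern: &str, host: &str) -> bool {
    let host = host.trim_end_matches('.').to_ascii_lowercase();
    let pattern = pattern.to_ascii_lowercase();
    match pattern.strip_prefix("*.") {
        // Wildcard needs a label boundary, so "evilexample.test" does not match.
        Some(suffix) => host.len() > suffix.len() + 1 && host.ends_with(&format!(".{}", suffix)),
        None => host == pattern,
    }
}

fn path_matches(prefix: &str, path: &str) -> bool {
    let path = path.split(|c: char| c == '?' || c == '#').next().unwrap_or("");
    let lower = path.to_ascii_lowercase();
    // Fail closed on input the upstream server might normalise differently.
    if ["..", "//", "\\", "%2e", "%2f", "%5c"].iter().any(|bad| lower.contains(*bad)) {
        return false;
    }
    let prefix = prefix.trim_end_matches('/');
    path == prefix || path.strip_prefix(prefix).map_or(false, |rest| rest.starts_with('/'))
}

// Most specific rule wins (longest path prefix); None means no credential is attached.
fn select_rule<'a>(rules: &'a [Rule], host: &str, path: &str) -> Option<&'a Rule> {
    rules.iter()
        .filter(|r| host_matches(r.host, host) && path_matches(r.path, path))
        .max_by_key(|r| r.path.len())
}

// Assumed hardening: drop the agent's gateway token and any agent-set copy of the injected header.
fn inject(mut headers: Vec<(String, String)>, rule: &Rule, credential: &str) -> Vec<(String, String)> {
    headers.retain(|(n, _)| !n.eq_ignore_ascii_case("proxy-authorization") && !n.eq_ignore_ascii_case(rule.header));
    headers.push((rule.header.to_string(), credential.to_string()));
    headers
}

// Constructed sample rules; hosts under .test and the secret ids are placeholders.
fn sample_rules() -> Vec<Rule> {
    vec![
        Rule { host: "www.googleapis.com", path: "/calendar/v3", header: "Authorization", secret_id: "google-calendar" },
        Rule { host: "*.example.test", path: "/", header: "X-Api-Key", secret_id: "example-key" },
    ]
}

fn main() {
    println!("{:?}", select_rule(&sample_rules(), "www.googleapis.com", "/calendar/v3/events").map(|r| r.secret_id));
}
```

Decryption of the stored secret is left out; `inject` takes the already-decrypted credential as a string.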

Secret store

The secret store uses AES-256-GCM encryption at rest. Secrets are decrypted only at request time, matched by host and path patterns, and injected by the gateway as headers. Credentials are never stored in plain text. The encryption key is auto-generated on first run or can be set via the SECRET_ENCRYPTION_KEY environment variable.

Web dashboard

The dashboard (apps/web) runs on port 10254 and is where you manage everything:
  • Create agents with scoped access tokens
  • Add, rotate, and revoke secrets for any service
  • Configure host and path patterns for credential matching
  • See which agent accessed which service and when (audit logs)

Auth modes

OneCLI supports two authentication modes:
| Mode | When to use | Configuration |
|---|---|---|
| Single-user (default) | Local development, personal use | No config needed |
| Google OAuth | Teams, shared instances | Set NEXTAUTH_SECRET, GOOGLE_CLIENT_ID, GOOGLE_CLIENT_SECRET |

Stack

| Component | Technology |
|---|---|
| Gateway | Rust (port 10255) |
| Web dashboard | Next.js (port 10254) |
| Database | Embedded PGlite (or bring your own PostgreSQL) |
| Secret storage | AES-256-GCM encrypted |
| ORM | Prisma |

Project structure

apps/
  web/            # Next.js app (dashboard + API, port 10254)
  proxy/          # Rust gateway (credential injection, port 10255)
packages/
  db/             # Prisma ORM + migrations + PGlite
  ui/             # Shared UI components (shadcn/ui)
docker/
  Dockerfile      # Single-container build (gateway + web + PGlite)
  docker-compose.yml