Brainz Lab / Journey
Follow the Journey
2 min read

Vault is Live

Secrets management that AI can actually use

Vault is live. You can run it locally right now.

This one was personal.

I've been burned by secrets before. Hardcoded API keys in repos. .env files committed by accident. That one time a Stripe key ended up in a Slack thread. We've all been there.

But here's what really bothered me: every time I work with Claude, I hit the same wall.

"Can you check our Stripe balance?"

"I'd need access to your Stripe API key to do that."

And then I'm stuck. Do I paste the key into the chat? That feels wrong. Do I set up some complicated OAuth flow? Too much friction.

The idea

What if Claude could access secrets securely? What if there was a vault that AI could read from, but with proper access controls, audit logs, and automatic rotation?

That's Vault.

It's not just a place to store secrets. It's a secrets management system designed from the ground up for AI agents.

How it works

Store your secrets in Vault:

BrainzLab::Vault.set("stripe/api_key", "sk_live_xxx")

Then Claude can retrieve them via MCP:

"Check our Stripe balance."

Claude calls the Vault MCP tool, gets the key, makes the API call. You see exactly what was accessed in the audit log.

No pasting keys into chats. No security theater. Real access control.

Environment-aware

The part I'm most proud of: environment-specific secrets.

BrainzLab::Vault.set("stripe/api_key", "sk_test_xxx", environment: "development")
BrainzLab::Vault.set("stripe/api_key", "sk_live_xxx", environment: "production")

Claude in development gets test keys. Claude in production gets live keys. Automatically.

No more "oops I used the production key in development" moments.

Try it

You can run Vault locally in 5 minutes:

git clone https://github.com/brainz-lab/stack.git
cd stack
./scripts/setup.sh
docker-compose up -d vault timescaledb redis traefik

Open http://vault.localhost and you're in.

Full quickstart guide: /quickstart/vault

What's next

Vault is the foundation. Now I can build the other products on top of it. Recall can store its API keys in Vault. Reflex can rotate its webhook secrets automatically.

It all connects.

One product down. Thirty to go.

— Andres

All posts Follow along

Want to follow the journey?

Get Updates