← Back

The security boundary, in plain language

Agent Master Key's promise is simple: give your agent access, not your keys — kill it in one step. This page explains exactly what that promise covers, where the boundary sits, and what sits outside it. No security product should make you guess.

What Agent Master Key protects

Where the boundary sits — and what is outside it

Here is the honest version, because this is where most tools in this space go quiet: Agent Master Key mediates access per user, not per agent process. The approval prompts, scopes, and audit trail control what happens on your macOS login — they are not a wall between two programs that are both already running as you.

That has three concrete consequences:

The only kernel-enforced wall between agents today is a separate macOS user account per agent. macOS user-account protection is real: a scoped key issued on your login cannot be read from another standard account (an administrator using root privileges can read any file on the Mac). If you need hard separation between two agents, run them under different macOS accounts — AMK works fine that way.

So what does the scoped key buy you inside the boundary? Exactly what we claim and no more: your real provider key stays out of every agent config file on disk, the blast radius of any one agent is limited to the scope you granted, every action is attributed and logged, and one click ends it. That is the promise — access, not keys, killable in one step — and it holds without pretending your Mac is something it isn't. Every local tool that brokers agent access on a single macOS account shares this same ceiling; the difference is whether it is stated plainly.

Local custody

When you connect a provider, you bring an API key. It is encrypted with AES-256-GCM and stored on your Mac — there is no cloud vault in the loop, and secrets are not uploaded to Agent Master Key. The broker injects the provider key into the outbound provider request itself, refuses to replay it to redirects, and scrubs credential-shaped values from provider responses before an agent sees them. Full detail, including what we never see, is on the trust & custody page.

Update trust

A key-custody tool is only as trustworthy as its update channel, so ours is verifiable end to end:

How revocation works

An agent's access is one scoped key, honored only by the broker on your Mac. Revocation is therefore local and immediate:

Reporting a vulnerability

Email suspected vulnerabilities to security@agentmasterkey.com. Agent Master Key is newly launched; an independent third-party security review is on our roadmap, and we will only make stronger claims once that review supports them. The trust & custody page remains the canonical statement of what we store and what we never see.