Create or assign the agent
Provision the agent in R4, copy its AGENT API key, and decide which vault items it should receive.
R4 is a zero-trust secret and license manager for humans and agents. Private keys stay local, secrets decrypt on the runtime, and each agent gets only the access explicitly shared to it.
The supported runtime flow is simple: authenticate with an AGENT API key, keep the private key local, register the matching public key, and decrypt only the secrets shared to that agent.
Provision the agent in R4, copy its AGENT API key, and decide which vault items it should receive.
Generate an RSA private key on the agent host. The private key stays there and never gets uploaded.
The CLI or SDK registers the public key with R4 so wrapped vault keys can be delivered to that runtime.
The runtime lists vault items, retrieves shared secrets, decrypts locally, and injects them into commands or code.
Store secrets in R4 and grant an agent access only to the vault items it needs.
Agents keep their private key locally and register only the matching public key.
Use the CLI, SDK, or machine API to decrypt shared secrets on the agent host.
Bind visibility to orgs, tenants, users, security groups, projects, and agents.
Track API-key usage, key registration, and secret-access workflows for review.
Browse active organizations, products, variants, and pricing in a single public catalog view.
Separate AGENT, USER, TENANT, and ORG API keys so runtimes get only the access they need.
Log security-relevant actions so teams can review who accessed or changed operational credentials.
Agents unwrap vault keys and decrypt ciphertext locally instead of trusting the backend with plaintext.
Runtimes can verify signer directories, transparency proofs, and vault metadata checkpoints.
AGENT API key
Authenticate the runtime with an AGENT-scoped machine API key.
Local private key
Keep a PEM-encoded RSA private key on the agent host for local vault DEK unwrap.
Shared vault access
Operators must share the relevant vault items to the agent before it can retrieve them.
CLI, SDK, or raw API
Choose the integration layer that fits the runtime, but keep the same zero-trust flow.
Start with the agent quickstart, then choose the CLI, SDK, or machine API path that fits the runtime you are building.