Your engineers don't need
to see your API keys.
Neither do your agents.

Engineers write requests. Wicket handles the credentials. Your keys stay where they belong.

ENGINEER OR AI AGENT SENDS
POST stripe.wicket.local/v1/charges
Authorization: Bearer
  urn:wicket:prod:stripe-key
X-Wicket-Token:
  wk_tok_3Dzg...
Engineer
YOUR VPC
Wicket Proxy (Open-Source, MIT)
1 Validate token
2 Resolve URN → real key
3 Substitute & forward
Secrets Manager
UPSTREAM RECEIVES
POST api.stripe.com/v1/charges
Authorization: Bearer
  sk_live_4eC39...
No X-Wicket-Token
Stripe API
RESPONSE
200 OK {"id": "ch_1Kx...", "amount": 2000, "currency": "usd", "status": "succeeded"}

Shipping AI agents? This is the missing piece.

Wicket Proxy is open source.

Wicket Proxy is MIT-licensed and fully auditable. You deploy it into your own infrastructure — we never touch your network.

Engineers can read every line of code that handles their requests. No black-box trust required.

  • Self-hosted in your VPC — the Wicket Control Plane never has network access to your environment
  • Audit the exact code that resolves URNs and injects credentials
  • Bring your existing secrets infrastructure — SSM Parameter Store, Secrets Manager, Vault. No migration required.
  • MIT license — use it commercially, modify it, ship it
  • Fully compatible with agentic runtimes — drop it into any stack running LangChain, CrewAI, or custom agent loops