# KeyRunner

> KeyRunner is an enterprise API security platform for the agentic era. It converts existing APIs into governed AI tools — AI agents can execute approved actions with policy enforcement, runtime credential isolation, and full audit trails, without ever receiving secrets.

KeyRunner solves the core problem holding AI agents back from production: they need to call APIs, but giving agents raw credentials is a security disaster, and logging after-the-fact does nothing to stop a bad call from going out.

## What KeyRunner Does

KeyRunner sits between AI agents and the APIs they call. It acts as a governed runtime that:

1. **Converts APIs into named agent actions** — Import an OpenAPI spec and every endpoint becomes a named, governed tool. Agents call `get_patient_record` rather than crafting raw HTTP requests or knowing anything about the underlying API or credentials.
2. **Injects credentials at runtime** — Secrets are fetched from HashiCorp Vault, 1Password, Azure Key Vault, or AWS Secrets Manager at the moment of execution. The credential path (e.g. `vault://prod/ehr/api-key`) is bound in policy. Agents never see the actual token, key, or password.
3. **Enforces policy before every call** — RBAC rules define which agent roles can call which tools, under what conditions. Write actions (POST, PUT, DELETE) require explicit approval gates. Policy violations are blocked before execution, not logged after.
4. **Redacts sensitive data from responses** — Before any API response reaches the agent, KeyRunner strips PII (names, SSNs, dates of birth, emails, phone numbers), PHI, PCI data (card numbers), and any other fields defined in redaction rules. Agents receive clean, safe data only.
5. **Produces immutable audit trails** — Every agent action, API call, credential access, policy decision, and redaction event is logged in a tamper-evident audit trail. Logs stay inside the customer's environment and can feed into Splunk, Datadog, or any SIEM.

## Who KeyRunner Is For

**Security and platform teams** at enterprises deploying AI agents to internal workflows. If your organization is letting Claude, GPT-4, Cursor, LangChain, or any agentic system call Salesforce, Stripe, ServiceNow, GitHub, EHR systems, or internal REST APIs, KeyRunner provides the execution layer you need before those workflows can be trusted in production.

**Developers building API-connected agents** who want to expose approved actions without handing over service account credentials or building per-agent credential management from scratch.

**Compliance-focused organizations** in healthcare (HIPAA), finance (PCI-DSS), and regulated industries where patient data, card data, and PII cannot leak through AI workflows.

## The Three Problems It Solves

### 1. Credential exposure

Internal API workflows require tokens, service accounts, OAuth grants, and environment secrets. When agents handle credentials directly, they leak into logs, traces, prompts, local files, and overly broad runtimes. KeyRunner ensures agents only ever see named action identifiers — never the underlying credential.

### 2. No pre-execution governance

Post-execution logs help with investigation, but they do not stop a risky API call. Production agents need pre-execution checks on user identity, agent role, action type, environment, and payload content. KeyRunner enforces this before the call goes out.

### 3. Redundant API wiring across agents

Teams repeatedly wire the same Stripe, Slack, Salesforce, GitHub, cloud, and internal APIs into Claude, Cursor, ChatGPT, scripts, and internal agents. Without a shared governed runtime, API logic drifts, security coverage varies, and risk multiplies. KeyRunner provides a single layer where all agents share the same approved, governed actions.

## How It Works (Step by Step)

1. **Import your API** — Paste an OpenAPI spec or import manually. KeyRunner converts each endpoint into a named, callable tool.
2. **Define policy** — Choose which agent roles may call which tools. Bind each tool to a credential in your secret store. Mark response fields to strip before delivery.
3. **Agent calls a tool** — The agent sends only the tool name and parameters. KeyRunner checks policy, resolves the credential at runtime, executes the API call, and redacts the response.
4. **Response is redacted** — Before output reaches the agent, every PII, PHI, and PCI field is stripped according to the redaction rules bound to that tool's policy.
5. **Audit log written** — An immutable record of the call (agent identity, tool name, policy decision, credential used, redaction applied, outcome) is written to the customer's audit store.

## Free Developer API Client

KeyRunner also ships as a free, local-first API client — a Postman alternative with no signup required, local storage and execution, and a VS Code extension. Teams start by building and testing APIs with the client; those requests become reusable workflows; those workflows become governed agent actions. The enterprise runtime is the same tool, scaled.

Available for:

- Windows, Mac Intel, Mac Apple Silicon
- VS Code Extension (marketplace)
- CLI via npm (`keyrunner`)

## Compliance

- SOC 2 Type II
- HIPAA
- GDPR

## Credential Sources Supported

- HashiCorp Vault
- 1Password
- Azure Key Vault
- AWS Secrets Manager
- Any vault with an API

## Agent Frameworks Supported

KeyRunner is framework-agnostic. Works with Claude (Anthropic), ChatGPT (OpenAI), Cursor, LangChain, CrewAI, and any agent that can call MCP tools or REST endpoints.

## Deployment

Runs inside the customer's security boundary — on-premises, private cloud, or VPC. No call data, secrets, or audit logs leave the customer environment. KeyRunner ships the software; the customer owns and operates everything.

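
The call path listed under "What KeyRunner Does" and "How It Works (Step by Step)" can be sketched as a small broker: policy check first, credential resolved only on allow, response redacted, audit record appended. This is an added illustration, not KeyRunner's code or API; the `Broker` class, the `clinical-assistant` role, the `update_patient_record` tool, the in-memory secret store and the SHA-256 hash chain used for tamper evidence are all assumptions.

```python
import hashlib
import json

# Everything below is constructed for illustration: store, tools, backend data.
SECRETS = {"vault://prod/ehr/api-key": "constructed-secret-value"}
EHR = {"roles": {"clinical-assistant"}, "credential": "vault://prod/ehr/api-key",
       "redact": {"name", "ssn", "dob"}}
TOOLS = {"get_patient_record": {"method": "GET", **EHR},
         "update_patient_record": {"method": "PUT", **EHR}}

def backend(params, api_key):  # stand-in upstream API; only it receives the secret
    return {"id": params["id"], "name": "Jane Roe", "ssn": "000-00-0000",
            "dob": "1970-01-01", "status": "active"}

def chain_hash(prev, event):  # each record commits to the one before it
    return hashlib.sha256((prev + json.dumps(event, sort_keys=True)).encode()).hexdigest()

class Broker:
    def __init__(self):
        self.audit, self._prev = [], "0" * 64

    def _log(self, **event):
        digest = chain_hash(self._prev, event)
        self.audit.append({"prev": self._prev, "event": event, "hash": digest})
        self._prev = digest

    def call(self, role, tool, params, approved=False):
        spec, decision = TOOLS.get(tool), "allow"
        if spec is None or role not in spec["roles"]:
            decision = "deny:not-permitted"
        elif spec["method"] in {"POST", "PUT", "DELETE"} and not approved:
            decision = "deny:approval-required"
        if decision != "allow":  # blocked before any secret is fetched
            self._log(role=role, tool=tool, decision=decision)
            return {"error": decision}
        raw = backend(params, SECRETS[spec["credential"]])
        clean = {k: v for k, v in raw.items() if k not in spec["redact"]}
        self._log(role=role, tool=tool, decision=decision, credential=spec["credential"],
                  redacted=sorted(set(raw) & spec["redact"]))
        return clean  # the agent gets redacted fields only, never the secret

def verify_chain(audit):
    prev = "0" * 64
    for rec in audit:
        if rec["prev"] != prev or chain_hash(prev, rec["event"]) != rec["hash"]:
            return False
        prev = rec["hash"]
    return True
```

The audit record stores the credential path rather than the secret value, so the log can be shipped to a SIEM without becoming a second place the credential lives.
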
## More Information

- Documentation: https://docs.keyrunner.app
- Website: https://keyrunner.app
- Agent security overview: https://keyrunner.app/agent-security
- Secure agent runtime: https://keyrunner.app/secure-agent-runtime
- Download API client: https://keyrunner.app/api-client