Product · Machine Identity

See, control, and reduce risk for non-human access to your APIs and agents.

API keys, service accounts, agent tokens, webhooks — inventory and queue-first review. Same-day value from a declarative manifest; path to correlate with API Risk (documented surface) and Agent Security (runtime).

Manifest

Declare identities and scopes — no raw secrets in the file.

Upload / CI

Optional gate in CI to catch drift before deploy.

Dashboard

Inventory, owners, and resource links in one place.

Queues

Ownerless, stale, over-wide vs policy or spec — actionable first.

Manifest format (MVP)

JSON inventory: version, environment, and a list of identities with kind, owner, resource hints, and optional secret_fingerprint (hash prefix only — never paste cleartext keys).

{
  "version": "1.0",
  "environment": "production",
  "identities": [
    {
      "id": "ingest-worker-prod",
      "kind": "service_account",
      "name": "Ingest queue worker",
      "owner": "platform",
      "resources": [{ "type": "api", "path_prefix": "/internal/ingest" }],
      "secret_fingerprint": "a1b2c3d4e5f678901234567890abcd12"
    }
  ]
}

Manifest → inventory

Validation runs in your browser first. Export downloads JSON locally. If you are signed in (same account as Agent Security), you can save a snapshot to the server for your user — stored as validated JSON metadata only.


Correlate with API Risk (IDEA 01)

POST /api/machine-identity/v1/correlate with JSON body { "snapshotId": "<id>", "scanId": "<api-risk-scan-id>" }. Same auth as manifest (session cookie or upload key). The scan must exist on this app instance (API Risk store). Response includes finding paths, paths not covered by any manifest path_prefix, and identities with no matching finding path.
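An added example, not the product's own code: a local CI-style check of the manifest rules above (owner present, fingerprint is a hash prefix rather than a raw secret) plus the two gap lists the correlate response describes. Assumptions: the fingerprint is a SHA-256 hex prefix, path_prefix matches on path-segment boundaries, and all function names and sample data are constructed for illustration.

```python
import hashlib
import re

# Assumption: a fingerprint is a lowercase hex hash prefix of 8-64 characters.
HEX_PREFIX = re.compile(r"[0-9a-f]{8,64}")

def fingerprint(secret: bytes, length: int = 32) -> str:
    """Assumed scheme: leading hex characters of SHA-256 over the secret."""
    return hashlib.sha256(secret).hexdigest()[:length]

def validate(manifest: dict) -> list:
    """Return gate failures; an empty list means the manifest passes."""
    problems = [f"missing field: {k}"
                for k in ("version", "environment", "identities") if k not in manifest]
    for ident in manifest.get("identities", []):
        iid = ident.get("id") or "<no id>"
        if not ident.get("owner"):
            problems.append(f"{iid}: ownerless")
        fp = ident.get("secret_fingerprint")
        if fp is not None and not HEX_PREFIX.fullmatch(str(fp)):
            problems.append(f"{iid}: secret_fingerprint is not a hex hash prefix")
    return problems

def covers(prefix: str, path: str) -> bool:
    """Segment-boundary match: /internal/ingest must not cover /internal/ingestion."""
    base = prefix.rstrip("/")
    return path == base or path.startswith(base + "/")

def correlate(manifest: dict, finding_paths: list) -> dict:
    """Local equivalent of the two gap lists the correlate response describes."""
    owned = {i["id"]: [r["path_prefix"] for r in i.get("resources", []) if "path_prefix" in r]
             for i in manifest["identities"]}
    prefixes = [p for ps in owned.values() for p in ps]
    return {
        "uncovered_paths": [f for f in finding_paths
                            if not any(covers(p, f) for p in prefixes)],
        "unmatched_identities": [iid for iid, ps in owned.items()
                                 if not any(covers(p, f) for p in ps for f in finding_paths)],
    }

# Constructed sample data (not from the product): one clean identity, one flawed.
MANIFEST = {"version": "1.0", "environment": "production", "identities": [
    {"id": "ingest-worker-prod", "owner": "platform",
     "secret_fingerprint": fingerprint(b"constructed-demo-secret"),
     "resources": [{"type": "api", "path_prefix": "/internal/ingest"}]},
    {"id": "report-bot", "owner": "", "secret_fingerprint": "tok_CONSTRUCTED_raw_value",
     "resources": [{"type": "api", "path_prefix": "/internal/reports"}]},
]}
FINDINGS = ["/internal/ingest/jobs", "/internal/ingestion/debug", "/public/health"]
```

In a CI gate, a non-empty result from validate(MANIFEST) would fail the job before the manifest is uploaded.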

What we never store

  • Raw API keys, tokens, or passwords in manifests or uploads.
  • Full secret values — use fingerprints or hashes only when you need a stable identifier.
  • Not a vault replacement: this product is inventory and governance on the API + agent plane, not secret storage.

Pricing preview (EUR / month)

Aligned with published Labs anchors — same family as API Risk and Agent Security. Shipping when the product tier is live; not a checkout yet on this page.

Tier | List | Identity cap (indicative) | Notes
Free | €0 | ~25–50 | 1 env; basic correlation
Starter | €39 | ~100–200 | Declared + queues + export
Growth | €99 | ~500–1k | + OpenAPI correlation; CI; alerts
Pro | €249 | ~2.5k–5k | + observed join; longer retention

Enterprise: custom — stay within comparable Agent Security enterprise quotes. See also Plans.

Scope: Non-human identity for HTTP APIs and production AI agents — not full PAM, not every cloud account, not a vault replacement.