Your First Credential
Register an AI agent, create an access policy, and see the audit trail.
Register an Agent
Before your AI editor can access secrets, it needs an identity:
sanctum agent register cursor-agent \
  --description "Cursor AI editor"

Agent 'cursor-agent' registered
Identity: Ed25519 keypair generated
Public key: dwP8...k4Fm
Config written to: ~/.sanctum/agents/cursor-agent/

Each agent gets a unique Ed25519 keypair, used for challenge-response authentication: the agent proves it holds the private key before it can access any secret, and nothing secret crosses the wire during that proof. Whoever can read the agent's private key can authenticate as that agent, so the ~/.sanctum/agents/cursor-agent/ directory should be readable only by the user account that runs the editor.
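The exchange described above, written out as an added example (this is not sanctum's code, and the message layout, the 32-byte nonce and the Registry/Challenge/Sign/Verify names are assumptions made for the example). The broker side keeps only public keys and one outstanding nonce per agent; the agent side signs the nonce bound to its own name; the broker consumes the nonce before checking the signature, so a captured response cannot be replayed and a wrong key or a different agent name fails:

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// Registry is the verifying side: the public keys of registered agents and the
// nonce currently outstanding for each. Private keys never leave the agent.
type Registry struct {
	keys       map[string]ed25519.PublicKey
	challenges map[string][]byte
}

func NewRegistry() *Registry {
	return &Registry{keys: map[string]ed25519.PublicKey{}, challenges: map[string][]byte{}}
}

// Register stores an agent's public key, the part of `sanctum agent register`
// that the verifier needs to keep.
func (r *Registry) Register(name string, pub ed25519.PublicKey) { r.keys[name] = pub }

// Challenge issues a fresh 32-byte random nonce for a registered agent.
func (r *Registry) Challenge(name string) ([]byte, error) {
	if _, ok := r.keys[name]; !ok {
		return nil, errors.New("unknown agent: " + name)
	}
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	r.challenges[name] = nonce
	return nonce, nil
}

// transcript is the message that gets signed. It binds a domain label, the agent
// name and the nonce, so a signature is useless for another agent, another
// challenge or another protocol. The layout is an assumption of this example.
func transcript(name string, nonce []byte) []byte {
	msg := []byte("sanctum-auth\x00" + name + "\x00")
	return append(msg, nonce...)
}

// Sign is the agent side: prove possession of the private key.
func Sign(priv ed25519.PrivateKey, name string, nonce []byte) []byte {
	return ed25519.Sign(priv, transcript(name, nonce))
}

// Verify is the verifying side. The nonce is consumed before the signature is
// checked, so a replayed response fails and a failed attempt forces a new challenge.
func (r *Registry) Verify(name string, nonce, sig []byte) bool {
	pub, ok := r.keys[name]
	if !ok {
		return false
	}
	outstanding, ok := r.challenges[name]
	if !ok || !bytes.Equal(outstanding, nonce) {
		return false
	}
	delete(r.challenges, name)
	return ed25519.Verify(pub, transcript(name, nonce), sig)
}

func main() {
	pub, priv, err := ed25519.GenerateKey(nil) // nil reader means crypto/rand
	if err != nil {
		panic(err)
	}
	reg := NewRegistry()
	reg.Register("cursor-agent", pub)

	nonce, _ := reg.Challenge("cursor-agent")
	sig := Sign(priv, "cursor-agent", nonce)
	fmt.Println("valid response accepted:   ", reg.Verify("cursor-agent", nonce, sig))
	fmt.Println("replayed response accepted:", reg.Verify("cursor-agent", nonce, sig))

	// An impostor with its own keypair cannot answer cursor-agent's challenge.
	_, rogue, _ := ed25519.GenerateKey(nil)
	nonce2, _ := reg.Challenge("cursor-agent")
	fmt.Println("wrong key accepted:        ", reg.Verify("cursor-agent", nonce2, Sign(rogue, "cursor-agent", nonce2)))
}
```

Consuming the nonce before verification is deliberate: an attacker who observes one valid response gets nothing reusable, and a flood of bad guesses against the same nonce is impossible because each guess invalidates it.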
Create an Access Policy
Grant the agent access to specific secrets:
sanctum policy add cursor-access \
  --principal "agent:cursor-agent" \
  --resources "openai/*,anthropic/*" \
  --actions retrieve \
  --max-ttl 300

Policy 'cursor-access' created
Principal: agent:cursor-agent
Resources: openai/*, anthropic/*
Actions: retrieve
Max TTL: 300s (secrets expire after 5 minutes)

This policy says: cursor-agent can retrieve any secret whose name matches openai/* or anthropic/*, and each retrieved value expires 5 minutes after it is handed out. The policy grants only the retrieve action, so nothing in it lets the agent change or rotate those secrets.
Note: Deny by default. Without a policy, agents can't access anything. The github/token secret is not accessible to cursor-agent because no policy grants it.
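The policy evaluation and the deny-by-default note above, as an added example that is not sanctum's own code. It mirrors the fields `sanctum policy add` printed and assumes glob matching with Go's path.Match (where "*" does not cross a "/"; the page does not state sanctum's glob rules), a Decision/Lease shape and a requested TTL that the policy's Max TTL caps; all of those are assumptions of the example. It shows the openai/api_key request succeeding with a 300-second lease, github/token, an ungranted action and an unknown principal all denied, and the lease turning invalid after 5 minutes:

```go
package main

import (
	"fmt"
	"path"
	"time"
)

// Policy carries the fields `sanctum policy add` printed. Resources are globs;
// this example matches them with path.Match, where "*" does not cross "/"
// (an assumption of the example; the page does not state sanctum's glob rules).
type Policy struct {
	Name, Principal string
	Resources       []string
	Actions         []string
	MaxTTL          time.Duration
}

// Decision is the answer to one request. A denial carries no policy and no TTL.
type Decision struct {
	Allowed bool
	Policy  string
	TTL     time.Duration
}

// Lease is what a granted retrieve hands back: the resource and a hard expiry.
type Lease struct {
	Resource  string
	ExpiresAt time.Time
}

// Valid reports whether the lease is still usable at the given instant.
func (l Lease) Valid(now time.Time) bool { return now.Before(l.ExpiresAt) }

func contains(list []string, s string) bool {
	for _, v := range list {
		if v == s {
			return true
		}
	}
	return false
}

func matchesAny(patterns []string, resource string) bool {
	for _, p := range patterns {
		if ok, err := path.Match(p, resource); err == nil && ok {
			return true
		}
	}
	return false
}

// Evaluate is deny by default: with no policies, or none that names the
// principal, lists the action and matches the resource, the answer is a denial.
// The TTL returned never exceeds the granting policy's MaxTTL.
func Evaluate(policies []Policy, principal, resource, action string, wantTTL time.Duration) Decision {
	for _, p := range policies {
		if p.Principal != principal || !contains(p.Actions, action) || !matchesAny(p.Resources, resource) {
			continue
		}
		ttl := wantTTL
		if ttl <= 0 || ttl > p.MaxTTL {
			ttl = p.MaxTTL
		}
		return Decision{Allowed: true, Policy: p.Name, TTL: ttl}
	}
	return Decision{}
}

// Grant turns an allowed decision into a lease expiring at now+TTL.
func Grant(d Decision, resource string, now time.Time) (Lease, bool) {
	if !d.Allowed {
		return Lease{}, false
	}
	return Lease{Resource: resource, ExpiresAt: now.Add(d.TTL)}, true
}

// CursorAccess is the policy from the page as a value.
var CursorAccess = Policy{
	Name:      "cursor-access",
	Principal: "agent:cursor-agent",
	Resources: []string{"openai/*", "anthropic/*"},
	Actions:   []string{"retrieve"},
	MaxTTL:    300 * time.Second,
}

func main() {
	policies := []Policy{CursorAccess}
	requests := []struct{ principal, resource, action string }{
		{"agent:cursor-agent", "openai/api_key", "retrieve"},
		{"agent:cursor-agent", "github/token", "retrieve"},  // no policy grants it
		{"agent:cursor-agent", "openai/api_key", "rotate"},  // action not granted
		{"agent:other-agent", "openai/api_key", "retrieve"}, // principal not granted
	}
	for _, r := range requests {
		d := Evaluate(policies, r.principal, r.resource, r.action, time.Hour)
		fmt.Printf("%-19s %-15s %-9s allowed=%-5v ttl=%v\n", r.principal, r.resource, r.action, d.Allowed, d.TTL)
	}
	now := time.Date(2026, 2, 10, 23, 20, 1, 0, time.UTC)
	lease, _ := Grant(Evaluate(policies, "agent:cursor-agent", "openai/api_key", "retrieve", time.Hour), "openai/api_key", now)
	fmt.Println("lease valid at +4m:", lease.Valid(now.Add(4*time.Minute)), " at +6m:", lease.Valid(now.Add(6*time.Minute)))
}
```

One consequence of the path.Match choice worth checking against whatever matcher a real deployment uses: openai/* matches openai/api_key but not openai/team/key, so a deeper naming scheme needs either a second pattern or a matcher whose "*" crosses separators, and that difference decides how much a single policy line actually grants.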
Check the Audit Log
Every operation is recorded in a tamper-evident HMAC-chained log: each entry's MAC covers the previous entry's MAC as well as its own fields, so modifying or removing an entry invalidates every entry after it.
sanctum audit log --last 5

Timestamp            Agent         Resource        Action    Result
2026-02-10 23:20:01  cursor-agent  openai/api_key  retrieve  OK
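The chaining described above, as an added example that is not sanctum's own code. The entry layout, the field separator, the HMAC key and the DENIED result string are all constructed for the example (the page shows only an OK row and does not describe sanctum's record format). It builds a three-entry chain, verifies it, then shows that rewriting a denial as a success without the key is caught at that entry, and it exposes the head MAC because an HMAC chain on its own cannot notice that entries were cut off the end:

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"strings"
	"time"
)

// Entry is one audit record. Prev is the MAC of the preceding entry ("" for
// the first) and MAC is HMAC-SHA256 over Prev plus this entry's fields, so
// every record commits to the whole history before it.
type Entry struct {
	Timestamp                       time.Time
	Agent, Resource, Action, Result string
	Prev, MAC                       string
}

// AuditLog holds the chain. The key must stay with the party that writes the
// log: anything that can read it can re-chain the log undetected.
type AuditLog struct {
	key     []byte
	Entries []Entry
}

func NewAuditLog(key []byte) *AuditLog { return &AuditLog{key: key} }

// canonical joins the fields with an unambiguous separator so that shifting
// bytes between two fields cannot produce the same MAC input.
func canonical(e Entry) string {
	return strings.Join([]string{e.Prev, e.Timestamp.UTC().Format(time.RFC3339),
		e.Agent, e.Resource, e.Action, e.Result}, "\x1f")
}

func (l *AuditLog) mac(e Entry) string {
	m := hmac.New(sha256.New, l.key)
	m.Write([]byte(canonical(e)))
	return hex.EncodeToString(m.Sum(nil))
}

// Append records an operation and links it to the previous entry.
func (l *AuditLog) Append(ts time.Time, agent, resource, action, result string) Entry {
	e := Entry{Timestamp: ts, Agent: agent, Resource: resource, Action: action, Result: result}
	if n := len(l.Entries); n > 0 {
		e.Prev = l.Entries[n-1].MAC
	}
	e.MAC = l.mac(e)
	l.Entries = append(l.Entries, e)
	return e
}

// Verify walks the chain, recomputing each MAC and checking each Prev link.
// It returns the index of the first failing entry, or -1 when the chain is
// intact. Editing, inserting or deleting an entry breaks the link at that point.
func (l *AuditLog) Verify() int {
	prev := ""
	for i, e := range l.Entries {
		if e.Prev != prev || !hmac.Equal([]byte(e.MAC), []byte(l.mac(e))) {
			return i
		}
		prev = e.MAC
	}
	return -1
}

// Head is the latest MAC. Cutting entries off the tail leaves a chain that still
// verifies, so the head should be recorded out of band to catch truncation.
func (l *AuditLog) Head() string {
	if len(l.Entries) == 0 {
		return ""
	}
	return l.Entries[len(l.Entries)-1].MAC
}

func main() {
	al := NewAuditLog([]byte("example-only-key")) // constructed key, not sanctum's
	t0 := time.Date(2026, 2, 10, 23, 20, 1, 0, time.UTC)
	al.Append(t0, "cursor-agent", "openai/api_key", "retrieve", "OK")
	al.Append(t0.Add(3*time.Second), "cursor-agent", "github/token", "retrieve", "DENIED")
	al.Append(t0.Add(9*time.Second), "cursor-agent", "anthropic/api_key", "retrieve", "OK")
	fmt.Println("intact chain, first bad index:", al.Verify(), "head:", al.Head()[:16])

	// Rewrite the denial as a success without the key: the MAC no longer matches.
	al.Entries[1].Result = "OK"
	fmt.Println("after editing entry 1, first bad index:", al.Verify())
}
```

Two points follow from the construction. Tamper evidence here is against parties who lack the key, so the key belongs with the log writer and not on any agent's host; and since a chain verifies fine after its tail is removed, the head MAC (or a copy of the log) should be shipped somewhere the agent cannot reach if truncation matters.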