onecli
OneCLI is an open-source gateway and dashboard that stores encrypted credentials for AI agents and transparently injects the right secrets into outbound HTTP requests made by those agents, so the agents never directly handle the real API keys. It uses a Rust HTTP gateway for request interception and a web dashboard for managing agents, secrets, and permissions; optionally it can integrate with external vaults (e.g., Bitwarden) for on-demand credential injection.
Score Breakdown
⚙ Agent Friendliness
🔒 Security
The README indicates encrypted secret storage using AES-256-GCM with decryption at request time, and per-agent access tokens with scoped permissions. However, the provided README does not document operational details of TLS enforcement, certificate handling for MITM interception, logging/redaction, key management, or rate limiting, so misconfiguration remains a residual security risk.
⚡ Reliability
Best When
You can run OneCLI as a trusted local/controlled network component (or self-hosted service) alongside your agents, and you need transparent HTTP credential injection with encryption at rest and per-agent access control.
Avoid When
You cannot guarantee secure network placement, TLS configuration, and operational controls for a component that performs MITM-style HTTPS interception; or you need well-defined, documented REST/OpenAPI contracts for agent-to-service management.
Use Cases
- Run multiple AI agents that call third-party APIs without embedding raw API keys in each agent
- Centralize credential management and rotate secrets in one place
- Enforce per-agent access via scoped tokens and host/path-based routing
- Use a local gateway to safely test agent integrations with real vendor APIs
- Optional vault-on-demand integration to avoid storing certain secrets on the OneCLI server
Not For
- A public, internet-facing secret vault without strong operational hardening and threat modeling
- Use cases that require standards-based OAuth client registration to be managed automatically for many downstream services
- Workloads needing comprehensive API/SDK ergonomics beyond HTTP proxying (no evidence of first-class SDKs)
Interface
Authentication
Agents authenticate to the gateway using access tokens carried in a Proxy-Authorization header; the README also mentions per-agent scoped permissions and Google OAuth for teams, plus a single-user local mode without login.
Pricing
No pricing information provided; appears to be open-source/self-hosted.
Agent Metadata
Known Gotchas
- ⚠ Gateway MITM interception for HTTPS may require careful TLS trust/cert handling; agents may fail to make outbound calls if the interception/certificate setup is not correct.
- ⚠ Host/path pattern matching determines which secrets are injected; misconfigured patterns can cause missing credentials or wrong credential injection.
- ⚠ Single-user (no login) mode is suitable for local development only; using it in less-trusted environments increases risk.
Scores are editorial opinions as of 2026-03-30.