Open Source The Shield Setup Why Heimdall? View GitHub

Prevent AI agents from leaking secrets by design

Runtime protection for AI agents, copilots, and LLM workflows that prevents secret exposure across prompts, logs, memory, and tool calls.

WITHOUT HEIMDALL

The agent sends the real secret in plain sight.

curl https://api.openai.com/v1/models \
  -H "Authorization: Bearer sk-01-1234456"
WITH HEIMDALL

The agent only receives a safe placeholder token.

curl https://api.openai.com/v1/models \
  -H "Authorization: Bearer __OPENAI_API_KEY__"
See How It Works

Agents never touch a real secret. The real secret stays server-side.

Developer Machine Placeholder Tokens Only

Agents use __OPENAI_API_KEY__ and __STRIPE_KEY__, not live credentials.

Proxy Layer Allowed Domains Enforced

Heimdall resolves placeholders only for approved destinations and blocks everything else.

Deployment Model Open Source, MIT-Licensed, Self-Host

Run the Heimdall local agent and Heimdall proxy server in your own environment.

Leak Surface

AI secret exposure happens inside the workflow

Traditional secret hygiene is not enough once an agent can inspect prompts, tools, network traffic, and execution state on a developer machine.

Copilots expose API keys

AI coding tools inherit local context, shell output, configs, and environment variables that often include credentials.

Prompts and logs leak secrets

Once a real key enters a prompt, transcript, trace, or tool log, the exposure has already happened.

LLM agents bypass DLP timing

Most scanners detect leaks after a secret appears somewhere sensitive, not before the agent transmits it.

Secrets surface in memory and tool calls

Agents can leak credentials through traces, cached context, HTTP headers, debug dumps, and downstream tools.

__OPENAI_API_KEY__ proxy-layer-resolve
POST attacker.example BLOCKED
allowedDomains: api.openai.com ENFORCED
Why Heimdall

Traditional security tools were not built for AI-native systems

Protection before exposure

Scanners and vaults help elsewhere, but they still allow agents to touch the live secret. Heimdall removes that exposure path up front.

Placeholder token workflow

Use __OPENAI_API_KEY__ and __STRIPE_KEY__ in the workflow. Agents never touch a real secret.

Allowed domains at the proxy layer

Each placeholder is restricted to approved destinations. If an agent tries to exfiltrate it, the request is denied.

Drop-in, observable, developer-friendly

No generic enterprise wrapper. You get a local agent, a proxy server, and an optional admin panel with runtime visibility.

Open By Default

Open source security for agentic workflows

Heimdall is MIT-licensed, public on GitHub, and designed to self-host. Start with the repo, run the proxy yourself, and keep the trust boundary inside your own environment.

MIT-licensed

Use, modify, fork, and self-host Heimdall without licensing friction or black-box dependencies.

Technical quickstart

Clone the repo, configure the proxy server, connect the Heimdall local agent, and verify placeholder-based secret injection.

Optional admin panel

Manage clients, placeholder mappings, stored secrets, and audit logs through the built-in panel when you want a control surface.

Read Setup Guide View GitHub
Early Access

Join the launch list before Heimdall opens up

The open source foundation is already public. If you want product updates and early access as the launch comes together, leave your email and we'll keep it simple.

Minimal updates. No noise. Just early access and product progress.