Sat Aug 16, 2025 2:42pm PST
Show HN: Scoped, expiring API keys for AI agents
I’ve been experimenting with AI agents lately, and one problem kept coming up: they either get a raw API key with full access or nothing at all. That’s risky, especially if you’re testing agents that can make arbitrary calls.

So I hacked together a tiny package called Kage Keys - https://github.com/kagehq/keys

It lets you wrap agent actions with scoped, short-lived tokens instead of handing over your real API keys.

Example:

```js
import { withAgentKey, getLogs } from "@kagehq/keys";

async function main() {
  // Run the agent action under a scoped, short-lived token
  await withAgentKey("github:repos.read", async () => {
    console.log("Agent is calling GitHub API...");
  });

  // Print the recorded action log
  console.log(await getLogs());
}

main();
```

Right now it:

- Generates scoped, expiring tokens (default 10s)

- Logs every action to kage-keys.log

- Works as a drop-in wrapper for async functions

It’s just an MVP (tokens are fake UUIDs), but I want to see if developers find this helpful before building the production version with real crypto + proxy enforcement.

Repo: https://github.com/kagehq/keys

npm: https://www.npmjs.com/package/@kagehq/keys

Would love feedback, especially from anyone running agents in production or dealing with API key sprawl.
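
One way the "real crypto" step mentioned in the post could work, as an added example that is not code from Kage Keys or its author: an HMAC-SHA256-signed token that binds a single scope to an expiry time and is checked before the real API key is ever used. The names `issueToken` and `verifyToken`, the token layout, and the demo secret and timestamps are assumptions made for illustration.

```javascript
// Added example, not Kage Keys code: HMAC-signed, scoped, expiring tokens.
// Loads node:crypto from either CommonJS or ES modules.
const crypto = process.getBuiltinModule
  ? process.getBuiltinModule("node:crypto")
  : require("node:crypto");

const b64u = (data) => Buffer.from(data).toString("base64url");
const sign = (secret, payload) =>
  crypto.createHmac("sha256", secret).update(payload).digest();

// Token layout (assumed): base64url(JSON claims) + "." + base64url(HMAC).
function issueToken(secret, scope, ttlMs = 10_000, now = Date.now()) {
  const payload = b64u(JSON.stringify({ scope, exp: now + ttlMs }));
  return `${payload}.${b64u(sign(secret, payload))}`;
}

// Check the signature before trusting any claim, then expiry, then scope.
function verifyToken(secret, token, requiredScope, now = Date.now()) {
  const parts = String(token).split(".");
  if (parts.length !== 2) return { ok: false, reason: "malformed" };
  const expected = sign(secret, parts[0]);
  const given = Buffer.from(parts[1], "base64url");
  if (given.length !== expected.length || !crypto.timingSafeEqual(given, expected)) {
    return { ok: false, reason: "bad-signature" };
  }
  const claims = JSON.parse(Buffer.from(parts[0], "base64url").toString("utf8"));
  if (typeof claims.exp !== "number" || now >= claims.exp) return { ok: false, reason: "expired" };
  if (claims.scope !== requiredScope) return { ok: false, reason: "scope-mismatch" };
  return { ok: true, reason: "ok" };
}

// Constructed demo: the secret and timestamps are made up.
function demo() {
  const secret = "constructed-demo-secret";
  const t0 = 1_000_000;
  const token = issueToken(secret, "github:repos.read", 10_000, t0);
  // Scope-escalation attempt: new claims, old signature.
  const forged = b64u(JSON.stringify({ scope: "github:repos.write", exp: t0 + 10_000 })) +
    "." + token.split(".")[1];
  const check = (tok, scope, at) => verifyToken(secret, tok, scope, at).reason;
  return {
    fresh: check(token, "github:repos.read", t0 + 5_000),
    expired: check(token, "github:repos.read", t0 + 10_000),
    wrongScope: check(token, "github:repos.write", t0 + 5_000),
    forged: check(forged, "github:repos.write", t0 + 5_000),
  };
}
console.log(demo());
```

The signing secret has to stay on the enforcing side (for example, a proxy that holds the real API key); an agent that can read the secret can mint any scope it likes.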
