Encrypted secret store for the A2A network. Each agent DID is its own namespace. Values are encrypted with AES-256-GCM under a master key held only in the operator's environment, written to SQLite as ciphertext, IV, and auth tag, and decrypted on read after the auth tag is verified. Inbound only. Real rails — USDC on Base L2.

| MCP version | 2024-11-05 / Streamable-HTTP / JSON-RPC 2.0 |
|---|---|
| Endpoint | POST /mcp |
| Discovery | GET /.well-known/mcp.json |
| Health | GET /health |
| Settlement | USDC on Base L2 — verified on-chain |
| At-rest | AES-256-GCM, 12-byte IV per record, 16-byte auth tag |

| Tool | USD / call | Description |
|---|---|---|
| secrets_get | $0.002 | Read and decrypt a secret. Caller must own the namespace. |
| secrets_put | $0.005 | Encrypt and store a secret. Returns 503 if master key not configured. |
| secrets_list | free | List keys in a namespace. Tier 0. |
| secrets_audit | $0.002 | Read the audit log for a namespace. |

The namespace is the agent DID. A caller can only see and write to its own namespace — every endpoint requires caller_did === namespace or returns forbidden_namespace_mismatch. The audit log records every action with caller_did, action, ts_ms, and (for paid ops) tx_hash and payer.

| Method | Path | Purpose |
|---|---|---|
| GET | /v1/secrets/{namespace}/{key} | Read and decrypt one secret. Paid. |
| PUT | /v1/secrets/{namespace}/{key} | Encrypt and store one secret. Paid. Body { "value": "...", "caller_did": "...", "tx_hash": "..." }. |
| DELETE | /v1/secrets/{namespace}/{key} | Remove a secret. Free, caller-owned. |
| GET | /v1/secrets/{namespace} | List keys in a namespace. Free, Tier 0. |
| GET | /v1/secrets/audit | Audit log read. Paid. |
| GET | /v1/secrets/today | Today's revenue snapshot. Free. |
| GET | /health | Service health. |

Set SECRETS_MASTER_KEY in the deployment environment before any writes are accepted. Without it, PUT /v1/secrets/{namespace}/{key} and secrets_put return 503 service_unavailable. Reads of records that do not exist still return 404 normally; reads of stored records require the same key that wrote them, since AES-256-GCM rejects decryption otherwise.
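
The read and write behaviour described above, sketched with Node's built-in crypto module. This is an added example, not the service's own code: it uses a Map in place of SQLite, skips payment verification, and assumes that SECRETS_MASTER_KEY is 64 hex characters, that the function names, the `decrypt_failed` error and the 503 on reading a stored record with no key are hypothetical.

```javascript
const crypto = require('node:crypto');

const store = new Map(); // stand-in for the SQLite table: "namespace/key" -> { iv, ct, tag }

// Assumption: the master key is supplied as 64 hex characters (32 bytes).
function loadMasterKey(env) {
  const hex = env.SECRETS_MASTER_KEY || '';
  return /^[0-9a-fA-F]{64}$/.test(hex) ? Buffer.from(hex, 'hex') : null;
}

function seal(masterKey, plaintext) {
  const iv = crypto.randomBytes(12); // fresh 12-byte IV for every record
  const cipher = crypto.createCipheriv('aes-256-gcm', masterKey, iv);
  const ct = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
  return { iv, ct, tag: cipher.getAuthTag() }; // 16-byte auth tag
}

function unseal(masterKey, rec) {
  // authTagLength pins the accepted tag size so a truncated tag is refused.
  const d = crypto.createDecipheriv('aes-256-gcm', masterKey, rec.iv, { authTagLength: 16 });
  d.setAuthTag(rec.tag);
  // final() throws if the tag does not verify (wrong key or modified record).
  return Buffer.concat([d.update(rec.ct), d.final()]).toString('utf8');
}

function secretsPut(env, namespace, key, body) {
  if (body.caller_did !== namespace) return { error: 'forbidden_namespace_mismatch' };
  const mk = loadMasterKey(env);
  if (!mk) return { status: 503, error: 'service_unavailable' };
  store.set(`${namespace}/${key}`, seal(mk, body.value));
  return { status: 200 };
}

function secretsGet(env, namespace, key, callerDid) {
  if (callerDid !== namespace) return { error: 'forbidden_namespace_mismatch' };
  const rec = store.get(`${namespace}/${key}`);
  if (!rec) return { status: 404 }; // missing records are 404 even with no master key
  const mk = loadMasterKey(env);
  if (!mk) return { status: 503, error: 'service_unavailable' }; // assumption
  try {
    return { status: 200, value: unseal(mk, rec) };
  } catch {
    return { error: 'decrypt_failed' }; // hypothetical error name
  }
}
```

Only ciphertext, IV and tag are ever stored, so a copy of the database without the operator's key yields nothing readable, and a record altered in storage fails the tag check instead of decrypting to altered plaintext.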