Zero secrets in the VM
API keys never enter the sandbox. A per-VM TLS proxy injects credentials at the network layer. If compromised, there’s nothing to steal.
Introduction
paws (Secure infrastructure for AI agents) provides zero-trust credential injection for AI agents. Secrets never enter the sandbox — they’re injected at the network layer by a per-VM TLS MITM proxy.
curl -fsSL https://getpaws.dev/install.sh | bashWhy paws?
Section titled “Why paws?”Your agent should have nothing worth stealing. When an AI agent runs inside a paws sandbox:
- There are no API keys in environment variables, files, or memory
- The VM is ephemeral — destroyed when the session ends
- Network access is limited to allowlisted domains only
- Credentials are injected at the network layer by a per-VM TLS proxy
Sub-second boot
Firecracker memory snapshots restore VMs in under a second. Each session gets a fresh, ephemeral microVM.
Port exposure
Agents run fullstack apps, users access them via port exposure with per-port access control: SSO, PIN, or email whitelist.
Agent harness
Claude Code pre-installed. Provide a prompt and constraints, the workload is auto-generated. More frameworks coming.
How it works
Section titled “How it works”Agent in VM: curl https://api.anthropic.com/v1/messages | |-- VM resolves api.anthropic.com (real IP) |-- iptables DNAT rewrites destination --> per-VM proxy |-- Proxy terminates TLS, reads SNI | |-- Domain in allowlist? | |-- YES: inject x-api-key header, forward to real API | |-- NO: drop connection (TCP RST) | |-- Agent sees normal HTTPS response Never saw the API key. Not in env, not in memory, not on disk.Next steps
Section titled “Next steps”- Installation — get paws running on your server
- Quick Start — run your first sandboxed agent session
- Architecture — understand the control plane + worker model
- Security Model — deep dive into the zero-trust design