Prompt and chat exposure
Secrets leak into transcript history, agent memory, and prompt injection surfaces before any runtime control can help.
BlindPass unifies Human → Agent handoff, Agent → Agent exchange, and hosted workspace control with HPKE encryption, in-memory-only handling, and single-use retrieval that keeps secrets out of prompts, logs, and middleware.
Operators confirm the handoff while the secret stays sealed until the final retrieval step.
Requester, fulfiller, and SPS coordinate a single-use transfer without exposing plaintext to the runtime graph.
Conceptual hosted UI, audit visibility, and deployment options are part of the public product story now.
Most AI workflows still rely on chat copy-paste, plaintext middleware, and static credentials that outlive the task they were created for.
Secrets leak into transcript history, agent memory, and prompt injection surfaces before any runtime control can help.
Credentials get duplicated across `.env` files, CI variables, screenshots, and internal notes with no bounded handoff model.
Gateways, proxies, and coordination services often see plaintext because delivery was never designed as a zero-knowledge path.
Once a token exists, it tends to stick around. Teams need retrieval that expires, audits, and self-destructs by default.
BlindPass now tells a full product story: operator handoff, autonomous exchange, and hosted workspace control.
Securely hand off API keys and credentials from human operators to agents without exposing secrets to the agent’s conversation layer.
Browser encryption · single-use retrievalEnable autonomous handoff between requester and fulfiller agents with policy checks, approvals, and one-time retrieval.
Trust rings · approval pathsManage agents, members, audit events, quotas, and billing from a shared control plane designed for platform operators.
Dashboard · policy · billing$ blindpass provision --target "research-agent-01" --scope "read-only"
# generating proof-backed handoff
→ request mode: human_handoff
→ policy ring: ops / low-risk
→ status: pending_retrieval
Human handoff and autonomous exchange share the same core guarantees, but their operational flows are different.
An agent requests a secret and receives a short-lived provisioning session tied to a one-time retrieval window.
The gateway routes an out-of-band URL and confirmation step to the operator instead of exposing the secret path to the LLM.
The operator enters the value in the browser UI, where HPKE seals the payload before it leaves the client.
The agent retrieves ciphertext once, decrypts in memory, and the handoff is purged immediately after success.
Capabilities and exchange IDs are short-lived, so permission scope collapses with the request lifecycle.
SPS coordinates the delivery, but the secret path still resolves to end-to-end encrypted, single-use retrieval.
The hosted story stays in one consolidated section so the page sells the platform without turning into a stack of disconnected screenshots.
Hosted teams need more than crypto primitives. They need visibility into who can provision, which secrets are active, what approvals are pending, and where billing or quota pressure is emerging.
Entropy score 99.2%. Trust ring drift below threshold.
4 reviewers online. 2 operators awaiting provisioning tasks.
The policy surface is a product differentiator: secret registry awareness, tenant-scoped trust rings, allow or deny decisions, and explicit approval states are visible to operators instead of buried in static config.
Requester: trusted service ring. Approval required only for high-risk registries.
Cross-tenant or replay-shaped retrieval attempts are rejected and logged.
BlindPass serves both deployment preferences. The landing page needs to show that the open source core remains real while the hosted control plane adds management, onboarding, and operational convenience.
services:
blindpass-sps:
image: ghcr.io/atas-tech/blindpass-sps:latest
environment:
- TRUST_RING=ops
- FLOW_MODE=STRICT
ports:
- "3100:3100"
$ docker compose up -d
✓ sps listening on http://localhost:3100
BlindPass should sound like a real security product, not a hand-wavy concept page. Each layer maps to a specific leakage or impersonation risk.
Per-request encryption keys reduce forward exposure.
Secrets are sealed before the payload leaves the browser.
The coordinator handles ciphertext and retrieval state, not plaintext values.
Replay attempts fail once the session is consumed or expires.
Operators verify the request before entering the value.
Prompts and model context never receive the secret or approval URL.
Unexpected or malicious URLs can be redacted before the agent sees them.
JWT providers are the default path; stronger workload identity can plug in when needed.
Secrets avoid disk persistence and are cleared after use.
Approvals, denials, and handoff events remain reviewable after execution.
Optional hardening for operators who need stronger runtime isolation.
Hosted workspace pricing should be easy to understand, while advanced machine-payment paths like x402 stay clearly separate.
Forever
per workspace / month
`x402` supports advanced per-request machine payment flows. It is separate from recurring hosted workspace pricing and should be treated as an optional capability, not the default plan model.
Pricing answers plan questions. This grid answers scope questions.
| Feature | Open Source Core | Hosted Platform |
|---|---|---|
| Deploy yourself | Yes | No |
| Browser encryption | Yes | Yes |
| Agent-to-agent exchange | Yes | Yes |
| Dashboard UX | Basic | Advanced |
| Billing and quotas | Self-managed | Fully managed |
| Hosted onboarding | No | Yes |
Open source users can read the docs or self-host. Hosted buyers can go straight to the product path.
# start local blindpass services
$ npm install
$ npx blindpass serve
✓ SPS server ready on http://localhost:3100
✓ Browser UI ready for one-time provisioning
✓ Agent secret delivery waiting for retrieval