Drop deny.sh into your agent framework
in 30 lines.
Working reference patterns for eight agent frameworks (Vercel AI SDK, LangChain, the OpenAI Responses API, CrewAI, LlamaIndex, AutoGen, Pydantic AI, and n8n) plus a native path for runtimes that speak the Model Context Protocol directly. Each page shows a working agent loop wired against a deny.sh vault entry, with the credential resolved inside the tool boundary and never crossing into the model's context window. Copy, paste, swap in your tenant key, ship.
The pattern is always the same.
Three lines do the work:
- Register a tool with the framework's tool API (
tool(), the Responses APIfunctiontool schema, etc). - Inside the tool's execute function, call
vaultGet()(TypeScript) orvault_get()(Python) against your tenant key to resolve the credential. - Make the privileged HTTPS call to the destination API inside the tool boundary. Return only the API result to the model, never the credential.
The model sees the tool call (intent), the tool result (data), and nothing in between. Prompt-injection asking the model to dump the credential gets "I don't have access to that" because the credential genuinely never entered the context window.
Pick your framework.
Nine reference paths. Eight frameworks plus a native protocol. Each one is a working agent loop you can fork.
Vercel AI SDK
Drop-in for generateText + tool() in any Next.js / Node project. ~30 LOC against ai + @ai-sdk/openai.
LangChain
LangChain v1 @tool / tool() wrapping a deny.sh vault entry. Works with create_agent / createAgent in Python or TypeScript.
OpenAI Responses API
Function-calling against the Responses API (the post-Assistants migration target, GA in 2026). Resolves the credential between function_call and function_call_output; never round-trips through the model.
CrewAI
Role-based multi-agent crews. The @tool decorator (or a BaseTool subclass) resolves the credential inside _run; the crew never sees the key.
LlamaIndex
FunctionTool.from_defaults wrapped in a FunctionAgent workflow. Credential resolved inside the function; narrowed DTO out. Python or TypeScript.
AutoGen
Microsoft AutoGen v0.4+ AssistantAgent with plain async tool functions. The deniable resolve happens inside the tool, off the model's wire.
Pydantic AI
Type-safe @agent.tool with dependency injection. Tenant context rides in RunContext.deps, so the per-tenant vault password never touches the prompt.
n8n
AI Agent node calling a deny-backed resolver (Code node or HTTP Request tool). The real key stays off the n8n canvas entirely, not in its credential store.
Workflow / JS native path · no wrapperModel Context Protocol
Already speak MCP? Skip the framework code entirely. Claude Desktop, OpenClaw, Cursor, Cline, Continue, Zed point at a deny.sh MCP server and get 11 tools, two modes, one config block. No SDK install, no agent loop to write.
JSON configWhat you get from any of them.
- Credential never enters the LLM context. The model can ask for the tool result; it cannot extract the key.
- Per-tenant deniability. Each tenant's vault entry encrypts under its own keys. Cross-tenant leakage is cryptographic, not policy.
- 365-day RFC 3161 audit chain. Every vault hit is recorded against the tenant key. Regulator-grade evidence trail out of the box.
- Decoy tripwires. Register the SHA-256 of any decoy controlData. Get paged on Slack / PagerDuty / Datadog within ~5 seconds of a prompt-injection that opens the decoy. /dashboard/decoy-alerts.
- Local fallback. Same four tools (
deny_local_*) work with no network and no auth, so your agents keep working when our servers don't.
Working examples on GitHub.
The full runnable repo for each framework lives at github.com/deny-sh-crypto/deny-integrations. Clone it, fill in your DENY_API_KEY + VAULT_PW, and the agents run end-to-end. CI typechecks every example on every push so the deps stay current.