Deposit Box

One-time URLs for receiving secrets. No back-channel needed.

What it is

Your agent needs an API key from Stripe, a database password from your ops team, or a token from another agent. Instead of copying secrets through Slack or email, you generate a one-time URL. The sender POSTs the secret to it. It lands in your vault, encrypted.

Generate a deposit URL

atomic deposit-url --label stripe-key --expires 1h

Output:

https://scout.atomic.bond/d/dt_a1b2c3d4e5f6...

The URL contains a signed token with an expiry. It can only be used once. After use (or expiry), it’s gone.

How the sender uses it

curl -X POST https://scout.atomic.bond/d/dt_a1b2c3d4e5f6... \
  -d 'sk_live_abc123xyz'

The agent stores the value encrypted in its vault under the label stripe-key. The deposit token is invalidated immediately.

What gets logged

Every deposit is logged with a timestamp, the label, source IP, and user agent. No secrets in the log — just metadata.

atomic deposits

Security

  • Tokens are signed with the agent’s private key
  • Token hashes are stored, not the raw tokens
  • One-time use, enforced by cryptographic nonce
  • Time-limited (you set the expiry)
  • POST body is encrypted with AES-256-GCM before storage
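
The token properties listed above (signed, stored only as a hash, single use, time-limited) can be sketched as follows. This is an added example, not Atomic's code: HMAC-SHA256 stands in for the private-key signature, the token layout and the names issue_token, redeem_token, SIGNING_KEY and PENDING are hypothetical, and the AES-256-GCM storage step is left out.

```python
import hashlib
import hmac
import secrets
import time

# Assumption: HMAC-SHA256 stands in for the private-key signature the page describes.
SIGNING_KEY = secrets.token_bytes(32)
PENDING = {}  # sha256(token) -> label; the raw token is never stored


def _mac(body):
    return hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).hexdigest()


def issue_token(label, ttl_seconds, now=None):
    """Mint 'dt_<nonce>.<expiry>.<mac>' (constructed format) and record only its hash."""
    now = time.time() if now is None else now
    body = f"{secrets.token_hex(16)}.{int(now + ttl_seconds)}"
    token = f"dt_{body}.{_mac(body)}"
    PENDING[hashlib.sha256(token.encode()).hexdigest()] = label
    return token


def redeem_token(token, now=None):
    """Return the label for an authentic, unexpired, unused token, else None."""
    now = time.time() if now is None else now
    parts = token[3:].split(".") if token.startswith("dt_") else []
    if len(parts) != 3:
        return None
    nonce, expiry, mac = parts
    # Verify the signature first, in constant time, before trusting any field.
    if not hmac.compare_digest(mac.encode(), _mac(f"{nonce}.{expiry}").encode()):
        return None
    # pop() looks up and deletes in one step, so a second POST finds nothing.
    # A shared store needs the same atomic delete-and-return.
    label = PENDING.pop(hashlib.sha256(token.encode()).hexdigest(), None)
    if now >= int(expiry):
        return None  # expired: the entry is dropped, the deposit refused
    return label
```

Because only the SHA-256 of each token is kept, a leaked copy of the pending table cannot be replayed as a deposit URL.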