The secure gateway connecting AI agents to the enterprise systems they need to do real work.
Agents discover what they're allowed to access. Warden brokers every connection. Operators get one control plane for identity, policy, and audit — across every cloud, code-host, observability stack, database, and SaaS the agent reaches.
Agents are useful only when they reach real systems: cloud accounts, code repositories, observability stacks, databases, ITSM, secrets backends. Today, pointing an agent at production means handing it over-scoped, long-lived credentials, with no per-request policy and no identity-tied audit. Each new system is another credential in the agent's environment, governed by nothing in the request path.
The control gap, not the credential, is the headline. MCP servers make it acute — every server wraps one upstream API and holds one credential in process env, so an agent with a dozen tools has a dozen static secrets scattered across a dozen processes, none of them rotating, none of them governed.
Warden closes the gap by sitting in the path: the agent identifies itself, Warden decides what it can reach, and Warden brokers the connection.
┌──────────────┐ ┌──────────────┐ ┌──────────────┐
│ │ 1. Discover │ │ │ │
│ │ ─────────────────▶ │ │ │ AWS, Azure │
│ AI Agent │ what can I do? │ │ │ GCP, GitHub │
│ MCP Server │ │ Warden │ real credentials │ Anthropic │
│ │ 2. Connect │ │ ──────────────────▶ │ OpenAI, RDS │
│ │ ─────────────────▶ │ │ │ Slack, K8s │
│ │ identity only │ │ │ ... │
└──────────────┘ └──────────────┘ └──────────────┘
• Identity ✓
• Policy ✓
• Audit ✓
Discover. The agent presents its identity — a JWT or TLS client certificate — and runs three introspection calls against Warden:
warden role list— which roles is this identity permitted to assume in this namespace?warden provider list— which upstream systems are mounted here?warden skill read <type>— for the chosen system, fetch the agent-facing recipe (env vars, endpoint URL, role-selection idiom).
Each response is human-readable JSON or markdown. The agent matches the task to a role and provider by reading operator-set descriptions — no config files, no role names distributed out of band, no SDK to rebuild when a new provider is mounted.
Connect. The agent picks a role and points at Warden as if it were the upstream. Warden authenticates the identity, applies the role's policy at request time, and attaches the upstream credential before forwarding — or vends a scoped grant directly, such as a database auth token or a pre-signed URL. The credential belongs to Warden, never to the agent — and is ephemeral wherever the upstream supports it.
What an enterprise gets from putting Warden in the path:
- Discovery — identity-scoped introspection. Agents learn which systems and roles are open to them; nothing has to be pre-loaded into the agent's environment.
- Self-describing capabilities — every provider type ships a runtime recipe (an agent skill) that the cluster serves alongside the gateway. The catalog reflects what's currently mounted; adding a provider makes it instantly discoverable, removing one makes it instantly gone. No agent rebuild, no SDK update.
- Fine-grained access policy — per-action capabilities and parameter filters, evaluated at request time against caller IP, time of day, and day of week.
- Identity-bound access — JWT (including SPIFFE JWT-SVID) or TLS client certificate (including SPIFFE X.509-SVID); the same identity reaches every upstream the policy permits — no per-system credential sprawl, no API keys handed to agents, nothing to rotate per integration.
- Audit — every request tied to the original identity, the role used, and the upstream called.
- Compromise-resilient — a prompt-injected, jailbroken, or otherwise compromised agent has nothing upstream to exfiltrate. The blast radius is bounded by Warden's policy at request time, not by what happens to be in the agent's memory or chat history.
33 systems across LLMs, cloud, code-hosting, observability, ITSM, Kubernetes, secrets, and databases. Follow any link below to configure your first endpoint, or see docs/providers.md for the full list.
| Category | Providers | Warden does |
|---|---|---|
| LLM APIs | Anthropic, OpenAI, Mistral, Cohere | Injects API key |
| Cloud infrastructure | AWS, Azure, GCP, Alicloud, IBM Cloud, OVH, Scaleway, Cloudflare | Temporary credentials / Bearer tokens |
| Code hosting & CI/CD | GitHub, GitLab, Atlassian, Ansible Tower, Terraform Enterprise | Injects App token, PAT, or Bearer token |
| Observability | Datadog, Dynatrace, Elastic, Grafana, Honeycomb, New Relic, Prometheus, Sentry, Splunk | Injects API key / proxies metrics |
| Incident & ITSM | PagerDuty, ServiceNow, Slack | Injects Bearer token |
| Kubernetes | Kubernetes | Injects service account token |
| Secrets backend | HashiCorp Vault / OpenBao | Mints short-lived tokens |
| Databases | AWS RDS / Aurora, AWS Redshift | Issues IAM database auth token |
SRE agents — incident-response agents reaching Prometheus, Grafana, Kubernetes, and PagerDuty under one policy layer. Warden scopes each call to the agent's identity — query dashboards but not delete them, restart a pod but not modify IAM. Every action during an incident is tied to the agent's identity in the audit log.
Agentic coding — code agents that push to GitHub, deploy to AWS, and read from artifact stores all through one identity. Warden enforces which repos they push to, which buckets they read, and logs every action.
RAG pipelines — retrieval agents reaching production databases and object stores under per-request grants. Warden vends a database auth token or pre-signed URL scoped to the exact query or object the agent needs.
Multi-model orchestration — an agent reaching Anthropic for reasoning, OpenAI for embeddings, and Mistral for classification through one identity, one policy layer, and one audit log across all three.
MCP servers — point the MCP server at Warden instead of the upstream API. The MCP server authenticates with its identity, Warden brokers the connection, and the same gateway covers every tool the server exposes — replacing the per-tool-credential-in-env model with one identity and one policy surface.
Autonomous workflows — long-running agents that reach systems over hours or days with time-scoped access. Warden issues credentials per request, so no token outlives the work it was minted for.
Warden also secures non-agent workloads — CI/CD pipelines, microservices, developer machines — with the same identity-based model.
Warden supports multiple methods for verifying caller identity.
| Method | Identity Source | How the agent presents the credential to its SDK |
|---|---|---|
| JWT | Signed JWT token or SPIFFE JWT-SVID | The same JWT goes in whichever credential slot the upstream SDK natively expects (AWS_SECRET_ACCESS_KEY, OPENAI_API_KEY, X-Vault-Token, Authorization: Bearer, …). Warden detects it, validates the identity, and swaps in the real upstream credential. Existing SDK code keeps working — only the base URL changes. |
| TLS Certificate | X.509 client certificate or SPIFFE X.509-SVID | Identity is proven at the TLS handshake (or forwarded by a TLS-terminating proxy via X-SSL-Client-Cert). The SDK's credential slot is filled with any placeholder value — Warden ignores it once cert auth has proven the identity. Role selection follows the same per-provider conventions as JWT mode. |
This is the design property that makes Warden a drop-in layer rather than a rewrite tax: a pre-existing boto3, openai-python, Vault CLI, or curl-against-GitHub script becomes Warden-mediated by setting the base URL to Warden and putting the JWT where the secret used to go. It also separates Warden from MCP (which adds a protocol the agent host must speak) and from dedicated auth proxies (which typically require client libraries).
A walk-through of the discover-then-connect model end to end:
- A Goose AI agent audits OpenBao ACL policies for hygiene — dead-mount references, orphan bindings, duplicates, least-privilege smells.
- Three egress legs: OpenBao (read), an Anthropic-compatible LLM (reason), Slack (deliver as a channel canvas).
- One Forgejo OIDC JWT covers all three legs, with three independently scoped Warden policies governing what each leg may do.
- The agent holds zero credentials.
See docs/tutorials/vault-policy-hygiene/README.md for the full walk-through.
For the system-side reference describing how an agent uses Warden end-to-end — the runtime contract, the five-step discovery loop, error handling, caching strategy — see docs/agent-flow.md.
See docs/architecture.md for Warden's design decisions, high availability model, and deployment configuration.
We welcome contributions! See the contributing guide for setup instructions, build commands, testing conventions, and submission guidelines.