Credential Injection
Credentials are encrypted at rest (AES-256-GCM) and injected transparently into HTTP requests. The agent never sees the real values.
Simple mode
One credential per domain, matched by the request’s Host header:

```js
credentials: [
  {
    domain: "api.openai.com",
    header: "Authorization",
    value: "Bearer sk-proj-...",
  },
]
```

When the agent calls api.openai.com, Sylo sets Authorization: Bearer sk-proj-... on the request.
Named mode
Multiple credentials per domain using name and envVar:

```js
credentials: [
  {
    name: "github-read",
    envVar: "GITHUB_READ",
    domain: "api.github.com",
    header: "Authorization",
    value: "Bearer ghp_read_...",
  },
  {
    name: "github-write",
    envVar: "GITHUB_WRITE",
    domain: "api.github.com",
    header: "Authorization",
    value: "Bearer ghp_write_...",
  },
]
```

The SDK’s sandboxEnv() maps envVar to sylo_cred:name:

```
GITHUB_READ=sylo_cred:github-read
GITHUB_WRITE=sylo_cred:github-write
```

When the agent sets Authorization: sylo_cred:github-read, Sylo replaces it with the real token.
AWS SigV4 credentials
For AWS services (S3, R2, DynamoDB), Sylo computes SigV4 signatures per-request:

```js
credentials: [
  {
    name: "s3",
    domain: "*.s3.amazonaws.com",
    type: "aws-sigv4",
    value: {
      accessKeyId: "AKIA...",
      secretAccessKey: "...",
      region: "us-east-1",
      service: "s3",
    },
  },
]
```

The agent sends unsigned requests. Sylo computes the signature from the stored credentials and sets Authorization, x-amz-date, and x-amz-content-sha256 headers.
MITM domains
Credentials are only injected for domains listed in the mitm array. This controls which connections Sylo intercepts TLS for:

```js
mitm: ["api.openai.com", "api.github.com"],
passthrough: ["your-own-api.com"],
```

- MITM domains: TLS intercepted, credentials injected, PII scanned
- Passthrough domains: TCP forwarded, no interception
- Unlisted domains: blocked (if default policy is deny) or passed through
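
The domain classes above, combined with simple and named mode, sketched as one decision function. This is an added example, not Sylo's code: `route`, `findHeader`, the `defaultPolicy` key, exact-match host comparison, and blocking an unresolved `sylo_cred:` placeholder are assumptions, and the token values are constructed.

```javascript
// Added illustration, not Sylo's source; tokens below are constructed samples.
const config = {
  mitm: ["api.openai.com", "api.github.com"],
  passthrough: ["your-own-api.com"],
  defaultPolicy: "deny", // assumed key name for the default policy
  credentials: [
    { domain: "api.openai.com", header: "Authorization", value: "Bearer sk-EXAMPLE" },
    { name: "github-read", domain: "api.github.com", header: "Authorization", value: "Bearer ghp_EXAMPLE_READ" },
    { name: "github-write", domain: "api.github.com", header: "Authorization", value: "Bearer ghp_EXAMPLE_WRITE" },
  ],
};
const PREFIX = "sylo_cred:";

// Header names are case-insensitive; return the key the agent actually used.
function findHeader(headers, name) {
  return Object.keys(headers).find((k) => k.toLowerCase() === name.toLowerCase());
}

// Decide what happens to one request and which headers leave the proxy.
function route(cfg, host, headers) {
  const h = host.toLowerCase().split(":")[0]; // drop an optional :port
  if (cfg.passthrough.includes(h)) return { action: "passthrough", headers };
  if (!cfg.mitm.includes(h)) {
    return { action: cfg.defaultPolicy === "deny" ? "block" : "passthrough", headers };
  }
  const out = { ...headers };
  for (const cred of cfg.credentials.filter((c) => c.domain === h)) {
    const key = findHeader(out, cred.header);
    if (cred.name) {
      // Named mode: substitute only when the agent sent this credential's placeholder.
      if (key && out[key] === PREFIX + cred.name) out[key] = cred.value;
    } else {
      // Simple mode: the header is set for every request to this host.
      if (key) delete out[key];
      out[cred.header] = cred.value;
    }
  }
  // Assumption: a placeholder that did not resolve for this host is rejected.
  const leftover = Object.values(out).some((v) => String(v).startsWith(PREFIX));
  return leftover ? { action: "block", headers } : { action: "mitm", headers: out };
}
```

Because resolution is keyed on both the host and the credential name, a placeholder sent to a passthrough or unlisted host leaves the proxy as the literal `sylo_cred:` string and never as the token.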