# Gazebo > Gazebo is IAM for AI agents. It gives every AI tool and agent a scoped identity with access only to the services it needs — with full audit logging and one-click revocation. Gazebo is designed for developers, engineering teams, and builders who run AI agents (Cursor, Claude Code, Replit, Lovable, Bolt, Windsurf, v0, custom agents) that need access to production services like Stripe, Cloudflare, Vercel, and Resend. Instead of sharing raw API keys with every agent, teams connect services to Gazebo once and issue each agent a scoped access profile — a named set of permissions that grants access to only the specific services that agent requires. ## The problem Gazebo solves Most AI agents today have unrestricted access to everything their API key allows. A Cursor agent given a Stripe key can read, write, or delete anything Stripe permits. There is no audit trail, no scope boundary, and no revocation path that doesn't require rotating the key for every other system using it. Gazebo applies the same principle as human IAM (Identity and Access Management) to AI agents: least privilege, full visibility, and instant revocation. ## How it works 1. Connect your services to Gazebo once (Stripe, Cloudflare, Vercel, Resend, GitHub, OpenAI, Anthropic, Linear, etc.) 2. Credentials are stored encrypted with AES-256-GCM — plaintext values are never returned to the browser 3. Create an access profile for each agent — select exactly which services it can reach 4. Each profile gets a unique MCP endpoint URL and bearer token 5. The agent calls `get_credential` via MCP to retrieve scoped credentials at runtime 6. Every credential access is logged: which agent, which service, which operation, timestamp 7. Revoke any agent's access instantly from the dashboard — no key rotation required ## Pages - [Home](https://gazebohq.com/): IAM for AI agents — overview and signup - [About](https://gazebohq.com/about): Why Gazebo exists and the principles behind it - [Pricing](https://gazebohq.com/pricing): Plan comparison - [Security](https://gazebohq.com/security): Encryption, data handling, security practices - [Agents](https://gazebohq.com/agents): Credential management for every AI agent - [Services](https://gazebohq.com/services): Service connections for AI agents (Stripe, GitHub, Vercel, and more) - [Integrations](https://gazebohq.com/integrations): Vault integrations (1Password, Doppler, Infisical) - [Writing](https://gazebohq.com/writing): Essays and guides on AI agent IAM and MCP security - [Workflows](https://gazebohq.com/workflows): Step-by-step setup guides for connecting services ## Agent Pages - [Cursor](https://gazebohq.com/agents/cursor): Scoped credentials for your Cursor agent - [Claude Code](https://gazebohq.com/agents/claude-code): IAM for your Claude Code agent - [Replit](https://gazebohq.com/agents/replit): Credential management for Replit AI agents - [Lovable](https://gazebohq.com/agents/lovable): Scoped service access for Lovable agents - [Bolt](https://gazebohq.com/agents/bolt): IAM for Bolt AI agent credential access - [Windsurf](https://gazebohq.com/agents/windsurf): Scoped MCP credentials for Windsurf agents - [v0](https://gazebohq.com/agents/v0): Credential management for v0 Vercel agent access - [Zapier](https://gazebohq.com/agents/zapier): Audit and scope Zapier agent credential access - [n8n](https://gazebohq.com/agents/n8n): Scoped credential management for n8n agents - [Gumloop](https://gazebohq.com/agents/gumloop): Gazebo credential management for Gumloop agents - [Codex](https://gazebohq.com/agents/codex): Scoped credentials for OpenAI Codex agents - [Engineering Teams](https://gazebohq.com/agents/teams): IAM for teams running multiple AI agents ## Service Pages - [Stripe](https://gazebohq.com/services/stripe): Scoped Stripe credentials for AI agents - [OpenAI](https://gazebohq.com/services/openai): Scoped OpenAI API key management for agents - [Anthropic](https://gazebohq.com/services/anthropic): Scoped Anthropic API key access for AI agents - [GitHub](https://gazebohq.com/services/github): Scoped GitHub token access for AI agents - [Cloudflare](https://gazebohq.com/services/cloudflare): Scoped Cloudflare credentials for AI agents - [Vercel](https://gazebohq.com/services/vercel): Scoped Vercel token management for AI agents - [Linear](https://gazebohq.com/services/linear): Scoped Linear API key access for AI agents - [Supabase](https://gazebohq.com/services/supabase): Scoped Supabase credentials for AI agents ## Vault Pages - [1Password](https://gazebohq.com/integrations/1password): Bridge 1Password credentials to your AI agents - [Doppler](https://gazebohq.com/integrations/doppler): Connect Doppler secrets to your AI agents via Gazebo - [Infisical](https://gazebohq.com/integrations/infisical): Bridge Infisical secrets to AI agents through Gazebo - [HashiCorp Vault](https://gazebohq.com/integrations/hashicorp-vault): Bridge HashiCorp Vault secrets to your AI agents - [AWS Secrets Manager](https://gazebohq.com/integrations/aws-secrets-manager): Bridge AWS Secrets Manager to your AI agents ## Writing - [Environment Variables and AI Agents: A Security Checklist](https://gazebohq.com/writing/environment-variables-ai-agents-security): Environment variables feel like a secure way to pass credentials to AI agents. They're not. Here's why the process environment is a shared bus, not a secrets store — and what to do instead. - [Secrets Management Best Practices When Your "Users" Are AI Agents](https://gazebohq.com/writing/secrets-management-best-practices-ai-agents): Six practices that change when the thing holding your credentials is an AI agent — scoped identities, access logs, revocation over rotation, and keeping keys out of prompts. - [IAM for AI Agents: How It Differs from Human IAM](https://gazebohq.com/writing/iam-for-ai-agents): Traditional IAM was built around login screens, MFA, and human judgment. Here's what changes when the actor is an AI agent — and what a proper agent identity model looks like. - [What Is Secrets Management for AI Agents?](https://gazebohq.com/writing/secrets-management-ai-agents): Secrets management was built for humans and services. Here's what changes when the thing holding your API keys is an autonomous AI agent. - [Why AI Agents Shouldn't Share API Keys](https://gazebohq.com/writing/agent-iam-101): The blast radius problem with shared credentials — and how to apply least privilege to every AI agent you run. - [MCP Credential Security: Keep Your Agents from Leaking Keys](https://gazebohq.com/writing/mcp-security): MCP agents retrieve credentials at runtime. If those credentials live in plaintext config, they're exposed in every prompt and log. Here's how to fix it. - [How to Set Up a Cursor Agent with Scoped Service Access](https://gazebohq.com/writing/cursor-agent-setup): Stop putting raw API keys in your .env. Connect Cursor to Gazebo and give your agent exactly the access it needs — nothing more. - [API Key Rotation vs. Revocation: Why Agents Need the Latter](https://gazebohq.com/writing/api-key-rotation-vs-revocation): Rotation replaces a key everywhere it's used. Revocation cuts one agent's access instantly without touching anything else. Here's why revocation is the right default for agents — and what you need in place to make it work. - [Least Privilege for AI Agents: A Practical Guide](https://gazebohq.com/writing/least-privilege-ai): What least privilege means when the actor is an AI agent — and how to implement it without rebuilding your credential management from scratch. ## Configuration Guides - [How to Set Up Stripe Webhooks](https://gazebohq.com/workflows/stripe/webhooks): Configure Stripe to send events to your server and verify them securely. - [How to Create a Stripe Product and Subscription Price](https://gazebohq.com/workflows/stripe/subscriptions): Set up a recurring billing product in Stripe ready for Checkout. - [How to Configure the Stripe Customer Portal](https://gazebohq.com/workflows/stripe/customer-portal): Let subscribers manage their own billing with Stripe's hosted portal. - [How to Test Stripe Webhooks Locally with the Stripe CLI](https://gazebohq.com/workflows/stripe/local-testing): Forward real Stripe events to localhost for local webhook development. - [How to Redirect www to Apex Domain in Cloudflare](https://gazebohq.com/workflows/cloudflare/www-redirect): Permanently redirect www traffic to your apex domain. - [How to Add a CNAME Record in Cloudflare](https://gazebohq.com/workflows/cloudflare/dns): Point a subdomain to your hosting provider via CNAME. - [How to Configure Cloudflare DNS for Email (SPF, DKIM, DMARC)](https://gazebohq.com/workflows/cloudflare/email-dns): Authenticate your email sending domain to prevent it landing in spam. - [How to Add Environment Variables to Vercel](https://gazebohq.com/workflows/vercel/environment-variables): Set environment variables across production, preview, and dev environments. - [How to Verify a Sending Domain in Resend](https://gazebohq.com/workflows/resend/domain-setup): Send emails from your own domain instead of a shared Resend domain. - [How to Set Up Google OAuth for Your Web App](https://gazebohq.com/workflows/google/oauth): Add 'Sign in with Google' to your app using OAuth 2.0. - [Zero to Production in One Afternoon](https://gazebohq.com/workflows/stack/zero-to-production): Configure DNS, email, and payments end-to-end in a single session.