Comparison · Secrets manager
Vault stores secrets. Nomos avoids them.
Vault hands the agent a key. Nomos hands the agent a decision. If the call is allowed, Nomos performs it for the agent and the credential never leaves our process.
Vault gives your agent a secret. Nomos refuses to.
the receipts
Feature by feature.
No hedging.
Every row is a thing your agent will actually do. If we marked a cell wrong, tell us in Discussions — we’ll fix it the same week.
| feature | HashiCorp Vault | Nomos |
|---|---|---|
| Capability tokens (UCAN) | ||
| Per-call policy decision | ||
| Cryptographic audit chain | logs | |
| MCP-native server | ||
| Self-hostable | soon | |
| Open source | soon | |
| Step-up passkey approval | ||
| Schema-validated tool calls | ||
| Multi-agent UCAN delegation | ||
| Multi-tenant org RBAC | | |
honest questions
What people actually ask.
- Vault has dynamic secrets — isn't that enough?
  - Dynamic secrets shrink the blast radius, but the secret still lands on the agent. Nomos never sends one. The agent receives the result of the call, not the credential used to make it.
- Can I keep using Vault?
  - Yes. Vault is fine for human-operated services. Nomos is for agents — the ones you can't trust not to print their environment.
Try Nomos. It’s free.
Open beta. No credit card. Plug an agent in, see your first audited decision in minutes. Self-host on the waitlist when you’re ready.