logo
Infisical
Sign Up
OpenRouter Logo

How OpenRouter Scopes Secrets for Developers, AI Agents, and Production at Scale

How OpenRouter uses Infisical to centralize secrets, scope access for AI agents, and save 50+ engineering hours per month on operations.

OpenRouter·North America·50-100 employees
With Infisical, you get the security benefit along with improved developer experience, it becomes a no-brainer.Shashank Goyal, Founding Engineer at OpenRouter
About OpenRouter
Started in early 2023 as the first LLM marketplace, OpenRouter has grown to become the largest and most popular AI gateway for developers. We eliminate vendor lock-in while offering better prices, higher uptime, and enterprise-grade reliability.
The Challenge: Secrets Scattered Across a Fast-Moving AI Infrastructure
OpenRouter started on Vercel, with secrets in one place. But as the platform grew across GCP, Cloudflare, and other providers, secrets ended up everywhere, managed by hand.
With 70+ model providers on the platform and one to two new ones added every week, each bringing new API keys that needed to reach specific services, the manual work was constant.
Shashank Goyal, Founding Engineer at OpenRouter: "It was a very manual process to add secrets into each service. We had built a bunch of scripts to do it, because doing it manually doesn't scale."
What this looked like day to day:
  • Developer access relied on a mix of 1Password and ad hoc sharing that couldn't scale with the team.
  • Every new provider meant figuring out which services needed the key and which didn't, then updating each one individually.
  • No audit trail meant the team had no way of knowing when or why a secret changed.
The stakes were high. A leaked production credential would mean downtime and a direct violation of customer SLAs.
And a new challenge was emerging: AI agents. The team was adopting Cursor, Claude Code, Devin, and Codex, and each agent needed scoped access to secrets to run services end to end. There was no way to give agents the credentials they needed without also giving them access to things they shouldn't have.
The Solution: One System for Secrets, from Developers to AI Agents
OpenRouter needed a centralized secrets platform that could keep up with fast-moving infrastructure, give developers clean access without ad hoc sharing, and extend that same control to AI agents. Two engineers on the team had already used Infisical at previous companies, which gave the team confidence early on. As Shashank put it, “Infisical was very simple to integrate and get started with."
The rollout took about eight to ten weeks, migrated carefully service by service, starting with the lowest-risk workloads and building confidence before cutting over the main production service.
Infisical delivered:
  • Centralized secrets with dynamic folder sync to replace the patchwork of manual updates and custom scripts. One folder for all provider keys, dynamically imported into the services that need them.
  • Role-based access controls so standard engineers access dev secrets, admins control production credentials, and break-glass access is available when needed.
  • A third scope for AI agents. Session-scoped credentials let tools like Cursor, Claude Code, and Devin pull dev secrets directly from Infisical, without standing up a new environment for each agent.
  • Read-only production access for agent workloads like cron jobs pulling revenue data and trust and safety signals, scoped so agents only reach what they need.
  • Audit logging to track when and why secrets changed, closing a visibility gap the team had no way to address before.
The Results: Less Friction, Stronger Security, and a Real-World Test
With Infisical in place, the operational drag that came with managing secrets by hand largely disappeared. Adding a new provider key went from a multi-step, multi-service chore to a single update in one place.
Shashank put it simply: "For each key that we have to add, we save so much time because you just have to do it in one place."
Beyond the day-to-day efficiency gains, Infisical changed how OpenRouter thinks about scoping access for a growing roster of AI agents. Instead of treating every tool the same, the team now manages three distinct tiers of access, dev, agent, and production, with clear boundaries between them.
Tested at speed
With new providers joining the platform every week, the real test was whether Infisical could keep up. It did. Setting up a new service and ensuring it has all the secrets it needs now takes about 10 minutes, down from a multi-step manual process that touched multiple services and required custom scripts.
For developers, the difference is felt day to day. Promoting secrets between environments used to mean coordinating across people and services. Now, as Shashank described it, "You have to solve it one time in Infisical, and then you can just create a class of secrets that's easy to understand, and that can be shipped to any agent that you're trying to build."
From customer to product integration
OpenRouter also built a native Infisical integration into its own product. Because OpenRouter customers can bring their own provider keys (OpenAI, Anthropic, and others), key rotation is a regular part of maintaining their setup.
The integration connects OpenRouter to Infisical's secret rotation, so customers can automatically rotate their OpenRouter API keys without doing it manually. Since OpenRouter gives customers a single API key to access all their providers, rotating that one key in Infisical keeps the primary credential fresh without touching each provider individually.
Key outcomes:
  • Eliminated manual secrets operations. Adding new provider keys, previously a multi-service manual task done one to two times per week, now happens in one place with dynamic folder sync.
  • Established scoped access for AI agents. Session-scoped credentials and a dedicated agent tier give tools like Cursor, Claude Code, and Devin the access they need without overexposing production secrets.
  • Reduced onboarding friction for new developers. Centralized secrets replaced ad hoc sharing via 1Password and manual handoffs.
  • 50+ engineering hours saved per month on secrets operations across the engineering team. 
  • 21 services now syncing secrets through Infisical.
Infisical: Secrets Management for Teams That Ship Fast and Can't Afford to Get It Wrong
When your infrastructure changes every week and AI agents need access alongside your engineers, secrets management can't be a manual process. Infisical gives fast-moving teams a single system to centralize secrets, scope access for developers and agents, and respond to incidents before they become breaches.
Want to see how it would work in your environment? Get a demo of Infisical.
Starting with Infisical is simple, fast, and free.
Get Started Get a demo
Full Infisical Logo

PRODUCT

USE CASES

DEVELOPERS

RESOURCES

LEGAL

CONTACT

Copyright © 2026 Infisical Inc.