secure k8s

Agent and Proxy

Summary: Two client-side daemons that handle auth, caching, and templating on behalf of applications so the app code doesn’t have to deal with OpenBao at all.

Sources: raw/docs/agent-and-proxy/index.md, raw/docs/agent-and-proxy/agent/*, raw/docs/agent-and-proxy/proxy/*, raw/docs/agent-and-proxy/autoauth/*.

Last updated: 2026-05-19


The problem

Apps that talk to OpenBao directly need to: authenticate, store the token, renew it, fetch secrets, refresh leases, re-auth on failure. That’s a lot of OpenBao-specific code for every app (source: raw/docs/agent-and-proxy/index.md).

OpenBao Agent

A sidecar/daemon that wraps a target app. Features (source: raw/docs/agent-and-proxy/agent/*):

  • Auto-auth — log in via one of the configured methods (approle, cert, jwt, kerberos, kubernetes, token_file — see raw/docs/agent-and-proxy/autoauth/methods/) and write the resulting token to a sink (file, etc.) so the app can pick it up.
  • Template — render secret values into config files using Go templates; rewrite on rotation.
  • Caching — local lease/token cache; optional persistent cache on disk or in Kubernetes secrets (raw/docs/agent-and-proxy/agent/caching/).
  • API proxy — listen locally and forward OpenBao API calls, attaching the token automatically.
  • Process supervisor — run the target app as a child and propagate signals (raw/docs/agent-and-proxy/agent/process-supervisor.md).
  • Windows service — run as a Windows service (raw/docs/agent-and-proxy/agent/winsvc.md).
  • Generate-config — bootstrap an agent config from sane defaults (raw/docs/agent-and-proxy/agent/generate-config/).

OpenBao Proxy

A subset of Agent: API proxy + caching + auto-auth, no templating or process supervision (source: raw/docs/agent-and-proxy/proxy/). Use when you want a sidecar that just proxies and lets the app speak the OpenBao API.

Auto-auth methods

Built in: AppRole, Cert (TLS client cert), JWT (incl. OIDC), Kerberos, Kubernetes (pod SA token), Token File (source: raw/docs/agent-and-proxy/autoauth/methods/).

Sinks: file (raw/docs/agent-and-proxy/autoauth/sinks/file.md); other sinks documented under the same tree.

When to use what

  • App can read a file → use Agent’s template / sink.
  • App can speak the OpenBao API → use Proxy (or Agent’s api_proxy mode).
  • Running in Kubernetes → consider the Agent Injector instead, which orchestrates Agent sidecars for you.

CLI

bao agent (raw/docs/commands/agent.md) and bao proxy (raw/docs/commands/proxy.md) start the daemons with a config file.
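A minimal Agent config file combining the features above, as an added example that is not taken from the OpenBao docs. It covers Kubernetes auto-auth, a file sink, one template, and a loopback API proxy with caching. The server address, role name, secret path, and file paths are all assumed placeholders.

```hcl
# Constructed example: every address, role name and path is a placeholder.
vault {
  address = "https://openbao.example.internal:8200"
}

auto_auth {
  # Log in with the pod's service account token.
  method "kubernetes" {
    mount_path = "auth/kubernetes"
    config = {
      role = "myapp" # hypothetical role name
    }
  }

  # Write the resulting token where only the app's user/group can read it.
  sink "file" {
    config = {
      path = "/run/openbao/token"
      mode = 0640
    }
  }
}

# Render a secret into an env-style file; rewritten when the secret rotates.
template {
  contents    = <<EOT
{{ with secret "secret/data/myapp" }}DB_PASSWORD={{ .Data.data.password }}{{ end }}
EOT
  destination = "/run/openbao/app.env"
  perms       = "0640"
}

# Local lease/token cache used by the API proxy.
cache {}

# Attach the auto-auth token to requests the app sends to the listener.
api_proxy {
  use_auto_auth_token = true
}

# Bind to loopback only: anything that can reach this port acts with the
# agent's token, so it must not be exposed beyond the pod or host.
listener "tcp" {
  address     = "127.0.0.1:8100"
  tls_disable = true
}
```

Saved as agent.hcl (an assumed file name), this starts with `bao agent -config=agent.hcl`. Removing the template block leaves the proxy-style setup described under OpenBao Proxy.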