What is the difference between Till and HashiCorp Vault?

HashiCorp Vault is a general-purpose secrets management tool that stores and rotates credentials centrally. Till is purpose-built for AI agents - it creates disposable, scoped API keys with hard limits on usage. Vault stores your keys; Till embeds encrypted keys in tokens so nothing is stored centrally.

When should I use Till instead of AWS Secrets Manager?

Use Till when you need to give AI agents temporary, limited access to AI provider APIs (OpenAI, Anthropic, etc.) with hard spend or usage caps. Use AWS Secrets Manager for general secrets storage and rotation within AWS infrastructure.

Till vs Vault vs AWS Secrets Manager

Choosing the right tool for AI agent API key management. Here's how Till compares to traditional secrets management solutions.

Feature	Till Purpose-built for AI	HashiCorp Vault General secrets	AWS Secrets Manager AWS-native
Primary use case	AI agent credentials	Enterprise secrets	AWS application secrets
Activation limits (call counting)	Yes	No	No
Token budget limits	Yes	No	No
Dollar spend limits	Yes (80+ models)	No	No
Zero key storage	Yes	Keys stored centrally	Keys stored centrally
AI provider support	12 providers built-in	Manual config	Manual config
Disposable credentials	Core feature	Via dynamic secrets	Via rotation
Setup complexity	Minutes	Days to weeks	Hours
Self-hosted option	Yes	Yes	AWS only
Free tier	3 keys, 1K activations	Open source	$0.40/secret/month
Usage tracking dashboard	Built-in	Via plugins	Via CloudWatch

When to use each solution

Till

Best for teams building with AI agents that need bounded, disposable credentials with usage tracking.

Sandboxing agent workloads
Contractor/freelancer API access
Demo environments with limits
Per-project budget allocation
Preventing runaway AI spend

HashiCorp Vault

Best for enterprises needing comprehensive secrets management across diverse infrastructure.

Database credential rotation
PKI certificate management
SSH key management
Encryption as a service
Multi-cloud secrets

AWS Secrets Manager

Best for AWS-native applications needing integrated secrets with automatic rotation.

RDS database credentials
AWS service integrations
Lambda function secrets
ECS/EKS deployments
CloudFormation templates

The key difference

Vault and AWS Secrets Manager are secrets storage solutions — they hold your credentials securely and control who can access them.

Till is a credential proxy — it creates bounded, disposable keys that enforce limits at the API call level. Your upstream keys are never stored; they're encrypted and embedded in the scoped token itself.

For AI agents that need temporary, limited API access with spend controls, Till is purpose-built. For general enterprise secrets management, Vault or AWS Secrets Manager may be more appropriate.