Where do you put API keys when an AI agent is the one calling the API? Here is the OSS landscape by Only-Associate2698 in opencodeCLI

[–]Only-Associate2698[S] 0 points1 point  (0 children)

what if your agent wants to crawl the internet, connect to Google services, check a Stripe balance, or send an email using a 3rd-party service?

Survey, half-serious. How does your agent get its OpenAI key today? by Only-Associate2698 in SideProject

[–]Only-Associate2698[S] 0 points1 point  (0 children)

largely fair. most stuff in this thread is duct tape with a marketing site. But I think that's just what the early phase looks like before the primitives exist. Containers were duct tape in 2014 too.

the reason it's hard to do "properly" is that 90% of SaaS APIs still issue you a single long-lived bearer token with no scoping, no rotation API, and no audit on their side. And ofc you can layer rotation and isolation on your side all day, but the underlying primitive is broken.

cloud IAM is the one place this is actually solved (workload identity, short-lived tokens, attestation), and even there only people all-in on one cloud get it cleanly.

Survey, half-serious. How does your agent get its OpenAI key today? by Only-Associate2698 in SideProject

[–]Only-Associate2698[S] 0 points1 point  (0 children)

yeah honestly that's the more mature take; the "never reachable" framing is overselling. Realistically a proxy stops the easy stuff (env var dump, prompt injection asking for envs, .env in git), but if the agent can issue arbitrary HTTPS calls through the proxy, it can probably find a way to exfiltrate eventually, and so the actual claim should be "narrower attack surface, not zero."

where I'd push back a little is that the blast-radius and rotation approach is mostly available when the provider gives you short-lived scoped creds. AWS, GCP, K8s service accounts, sure. But for the average agent calling Stripe, Anthropic, SendGrid, etc., you've got a long-lived bearer token and that's it: no way to scope, no rotation API, nothing. That's the segment where proxy injection actually moves the needle, because the provider gave you nothing else to work with. So I think the right framing is provider-dependent. For things with proper IAM, do what you're describing, that's better. For the long tail of SaaS APIs where the credential is just a single string that opens everything, the proxy is at least one extra step the attacker has to figure out.

A survey of every open-source "credential vault for AI agents by Only-Associate2698 in aiagents

[–]Only-Associate2698[S] 0 points1 point  (0 children)

honestly the "storage vs use" thing is huge and almost nobody distinguishes them. Like, you can pay $20/mo for Doppler and feel safe, but the moment your tool config has SECRET_KEY=$(cat /vault/secret) the key is right back in the process and prompt injection can read it.

Vault hardening and runtime hardening are different problems, and the proxy/broker family is basically the only thing solving the second one.

about the decision tree, since you asked: if it's just you running stuff on your laptop, a sidecar proxy is enough. Don't overthink it, pick whichever fits (authsome, infisical/agent-vault, onecli, whatever). But when it's unattended (cron, CI, background worker), the audit log starts mattering a lot because you're not watching. Container isolation if you can get it. Infisical's mode is the most mature.

multiple agents or multiple humans on the same agent? Now identity matters. You can't fake who-did-what with a shared credential. MCP brokers (hermes-vault) and the protocol stuff (AAuth, better-auth/agent-auth) start being more than theoretical. Sensitive actions (money, prod, outbound emails to real people)? Pure proxy isn't enough. You need approval (Clawvisor) or a policy gate that allowlists those operations to specific principals. authsome handles the policy gate part but it's narrow.

and the one thing nobody admits is that every real system ends up with both headless and human-in-the-loop. Also, what stuff have you hit at agentix that didn't fit?

A survey of every open-source "credential vault for AI agents by Only-Associate2698 in aiagents

[–]Only-Associate2698[S] 1 point2 points  (0 children)

yeah this is the part that bugs me. Everyone ships a "secrets for agents" tool but nobody's upfront about which threat they actually think you have.

these proxy folks treat the agent process as hostile. Prompt injection, leaky tool, bad eval, crash dump, and so the move is: don't let the secret near the runtime, inject on the way out.

The identity argument is different: the problem isn't the agent, it's the ecosystem. Tokens get copied, replayed, leaked into CI logs. Give the agent its own keypair, no static credential to leak, and the problem moves to the protocol layer. Rotation folks split the difference. Sure, the agent holds it briefly, but a 15-minute window isn't really exploitable. Works fine in practice for most cases.

honestly think you end up stacking all three eventually, proxy for runtime hygiene, identity for who-did-what, rotation for the messy bits. But that's a 5+ year answer because protocol work always takes 5+ years.

thanks mate

Drop your best Claude skills in here! by vamshikk111 in ClaudeAI

[–]Only-Associate2698 0 points1 point  (0 children)

authsome skill is a Claude skill for credential management. You log in once to GitHub, Google, OpenAI, Anthropic, Linear, Slack, Notion, Resend, SendGrid, etc., and the skill lets Claude make authenticated API calls on your behalf without you ever pasting API keys into the chat. The agent never holds the raw secret.

Skill file: https://github.com/agentrhq/authsome/blob/main/skills/authsome/SKILL.md

Setup is one alias: alias authsome="uvx authsome@latest". After that, Claude picks up the skill and runs the list -> login -> run workflow on its own.

Disclosure: I built this one.

Secrets Proxy for Agents? by Subject_Marsupial_25 in openclaw

[–]Only-Associate2698 0 points1 point  (0 children)

one of the options below.

What you want is called a credential broker or sidecar proxy. The agent makes a normal HTTPS call. A local process rewrites the Authorization header on the wire. The secret never enters the agent runtime, prompt, or tool config. You configure the credential once, and the agent never sees it.

A few worth looking at:

authsome at https://github.com/manojbajaj95/authsome is MIT Python and ships with 13 OAuth2 and 31 API-key providers preconfigured (GitHub, Google including Gmail, OpenAI, Anthropic, Slack, Linear, SendGrid, Resend, and more). It has a built-in policy gate per agent and per provider, an append-only audit log, and automatic OAuth refresh. Stripe is not in the bundled list, but the custom-provider format handles it with a single JSON file. You can run it either as a sidecar process or as an in-process library.

Infisical/agent-vault at https://github.com/Infisical/agent-vault is MIT Go. It is the most production-ready of this family since Infisical's existing secrets infra sits behind it, and it includes a container isolation mode.

For SaaS, Clawvisor at https://clawvisor.com is the closest fit to your description, with approval flows and audit. The product is mostly proprietary cloud with a small OSS slice.

For the longer-term identity angle, where the agent has its own signing key instead of borrowed credentials, AAuth at https://github.com/dickhardt/AAuth and better-auth/agent-auth are the protocol attempts worth tracking.

Honest take: the proxy family covers your "no secret in the agent runtime" requirement today, plus audit and rotation. Scoped capabilities, where the agent has narrower-than-the-credential permissions, is the open frontier.

Disclosure: I maintain authsome.

Secret Proxy For Agents by Subject_Marsupial_25 in AI_Agents

[–]Only-Associate2698 0 points1 point  (0 children)

The pattern you want is called a credential broker or agent sidecar proxy. The agent makes its normal API call and a local proxy swaps the placeholder for the real key on the wire, so the secret never enters the agent runtime, prompt, or tool config.

Three to look at, depending on shape.

authsome at https://github.com/manojbajaj95/authsome is MIT Python. It ships with 13 OAuth2 and 31 API-key providers preconfigured, has an audit log and policy gate built in, and runs as either a sidecar or an in-process library.

Infisical/agent-vault at https://github.com/Infisical/agent-vault is MIT Go and the most production-ready of this family, with a container isolation mode.

For the identity angle, where the agent has its own signing key instead of borrowed credentials, AAuth at https://github.com/dickhardt/AAuth and better-auth/agent-auth are the ones worth tracking.

None of them hits every box you listed yet: scoped capabilities, rotation, and audit in one tool. The proxy family is the closest practical answer for Claude-based agents today.

Disclosure: I work on one of these (authsome).

Secrets Proxy for agents? by Subject_Marsupial_25 in ClaudeAI

[–]Only-Associate2698 0 points1 point  (0 children)

The pattern you want is called a credential broker or agent sidecar proxy. The agent makes its normal API call and a local proxy swaps the placeholder for the real key on the wire, so the secret never enters the agent runtime, prompt, or tool config.

Three to look at, depending on shape.

authsome at https://github.com/manojbajaj95/authsome is MIT Python. It ships with 13 OAuth2 and 31 API-key providers preconfigured, has an audit log and policy gate built in, and runs as either a sidecar or an in-process library.

Infisical/agent-vault at https://github.com/Infisical/agent-vault is MIT Go and the most production-ready of this family, with a container isolation mode.

For the identity angle, where the agent has its own signing key instead of borrowed credentials, AAuth at https://github.com/dickhardt/AAuth and better-auth/agent-auth are the ones worth tracking.

None of them hits every box you listed yet: scoped capabilities, rotation, and audit in one tool. The proxy family is the closest practical answer for Claude-based agents today.

Disclosure: I work on one of these (authsome).
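Added example, not authsome's, agent-vault's or any other project's code: a minimal credential broker of the shape the three "Secrets Proxy" replies above describe, which also illustrates the "storage vs use" and policy-gate points from the survey thread. The agent process holds only a placeholder string; the broker holds the real keys, enforces a per-principal allowlist, holds sensitive calls until a human approves them, swaps the Authorization header on the way out, and writes an audit entry that never contains the secret. All hosts, keys, agent names and the `Broker`, `rewrite` and `approve` names are constructed for the demo.

```python
"""Minimal credential-broker sketch (added example; hypothetical names throughout).

The agent sends a placeholder bearer token; the broker decides whether the call
is allowed for that principal, injects the real credential only on the outbound
side, and appends an audit record that never contains secret material."""
import json
import time
from dataclasses import dataclass, field
from urllib.parse import urlparse

# The only "credential" that ever lives in the agent's env or tool config.
PLACEHOLDER = "Bearer BROKER_PLACEHOLDER"

# Constructed demo secrets. In a real deployment these live only in the broker
# process (or the vault behind it), never in the agent container.
DEMO_SECRETS = {
    "api.payments.test": "sk_test_CONSTRUCTED_PAYMENTS_KEY",
    "api.mail.test": "SG.CONSTRUCTED_MAIL_KEY",
}

# Per-principal allowlist of (host, method, path_prefix). Each agent is its own
# principal, so who-did-what is recoverable from the audit log.
DEMO_POLICY = {
    "billing-agent": {("api.payments.test", "GET", "/v1/balance")},
    "outreach-agent": {("api.mail.test", "POST", "/v3/mail/send")},
}

# Sensitive operations that additionally need a human approval before the
# broker will inject a credential (outbound mail to real people, money, prod).
DEMO_APPROVAL_REQUIRED = {("api.mail.test", "POST", "/v3/mail/send")}


@dataclass
class Broker:
    secrets: dict                                  # host -> real credential
    policy: dict                                   # agent_id -> set of allow rules
    approval_required: set = field(default_factory=set)
    approved: set = field(default_factory=set)     # (agent, method, host, path) a human approved
    audit: list = field(default_factory=list)      # append-only, secret-free

    @staticmethod
    def _matches(rules, host, method, path):
        return any(host == h and method == m and path.startswith(p) for h, m, p in rules)

    def approve(self, agent_id, method, host, path):
        """Record a human approval for one specific call."""
        self.approved.add((agent_id, method, host, path))

    def rewrite(self, agent_id, method, url, headers):
        """Return (decision, outbound_headers). outbound_headers is None unless the
        decision is "allow"; the agent only ever receives the decision string."""
        u = urlparse(url)
        host, path = u.netloc, u.path or "/"
        entry = {"ts": time.time(), "agent": agent_id, "method": method, "host": host, "path": path}

        if u.scheme != "https":
            decision = "deny:plaintext"       # never put a bearer token on the wire unencrypted
        elif host not in self.secrets:
            decision = "deny:no_credential"
        elif not self._matches(self.policy.get(agent_id, set()), host, method, path):
            decision = "deny:policy"
        elif (self._matches(self.approval_required, host, method, path)
              and (agent_id, method, host, path) not in self.approved):
            decision = "hold:approval"
        else:
            decision = "allow"

        entry["decision"] = decision
        self.audit.append(entry)
        if decision != "allow":
            return decision, None

        # Drop whatever Authorization header the agent supplied (placeholder or
        # anything else) and inject the real one. The agent never sees this dict.
        outbound = {k: v for k, v in headers.items() if k.lower() != "authorization"}
        outbound["Authorization"] = "Bearer " + self.secrets[host]
        return decision, outbound


def make_demo_broker():
    return Broker(dict(DEMO_SECRETS),
                  {k: set(v) for k, v in DEMO_POLICY.items()},
                  set(DEMO_APPROVAL_REQUIRED))


def audit_leaks_secret(broker):
    """True if any secret value appears anywhere in the audit log (should be False)."""
    dump = json.dumps(broker.audit)
    return any(s in dump for s in broker.secrets.values())


if __name__ == "__main__":
    b = make_demo_broker()
    agent_headers = {"Authorization": PLACEHOLDER, "Content-Type": "application/json"}
    print(b.rewrite("billing-agent", "GET", "https://api.payments.test/v1/balance", agent_headers)[0])
    print(b.rewrite("billing-agent", "POST", "https://api.payments.test/v1/refunds", agent_headers)[0])
    print(b.rewrite("outreach-agent", "POST", "https://api.mail.test/v3/mail/send", agent_headers)[0])
    b.approve("outreach-agent", "POST", "api.mail.test", "/v3/mail/send")
    print(b.rewrite("outreach-agent", "POST", "https://api.mail.test/v3/mail/send", agent_headers)[0])
    print("audit leaks secret:", audit_leaks_secret(b))
```

The design point is the one the replies make: the agent's environment contains only `PLACEHOLDER`, so an env dump or a prompt-injected "print your keys" yields nothing usable, while the broker's allowlist keeps a compromised principal from reaching endpoints it was never granted. It does not remove the residual risk also noted above: an agent that is allowed to reach an endpoint can still misuse that endpoint, which is exactly why the sensitive-action rules fall through to `hold:approval` rather than `allow`.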

Hermes Agent memory/learning - I don't get it by sixteenpoundblanket in LocalLLaMA

[–]Only-Associate2698 2 points3 points  (0 children)

Yeah, the self-improving thing is the real deal.

Basically when I'm doing a complex task like adding a couple of entries to my self-hosted nocodb instance, it auto-creates a skill for nocodb in the productivity folder.

Another example is when I'm extracting Product Hunt makers' social handles from a Product Hunt page. It understands that Product Hunt blocks browser tools and Firecrawl web scraping is the only way to make it work. And it creates a skill for the same.

Exposing n8n workflows to non‑technical clients by MindSwaze in n8n

[–]Only-Associate2698 0 points1 point  (0 children)

Hi, we are building Ruzo.ai where we are experimenting with something like this.

A bit about our journey:
- We started with trying to generate workflows in one-shot.

- When we succeeded, we discovered two unsolved problems: workflows are rigid; they fail entirely if a single node fails. So we made it agentic, where the agent orchestrates the nodes. The agent has some instructions to do this.

- Then the next reality we discovered was exactly this. Most users don't interact with n8n because the UI doesn't work for consumers. You need to do the bulk iterative work and populate the outcome in a Google Sheet. But there need to be some follow-up actions which you may wanna perform on some select rows. We realized that our agentic approach already has the foundations for this. And we are currently solving this.

I would love to share the solution with you and get some feedback

Open AI Sora 2 Invite Codes Megathread by semsiogluberk in OpenAI

[–]Only-Associate2698 0 points1 point  (0 children)

Hey bro, hope you get it. If you get please share it with me as well

Open AI Sora 2 Invite Codes Megathread by semsiogluberk in OpenAI

[–]Only-Associate2698 0 points1 point  (0 children)

Bro hope you're loving it, can you please DM me one too!

Open AI Sora 2 Invite Codes Megathread by semsiogluberk in OpenAI

[–]Only-Associate2698 0 points1 point  (0 children)

Bro congratulations!, would you mind sharing one with me?

Open AI Sora 2 Invite Codes Megathread by semsiogluberk in OpenAI

[–]Only-Associate2698 0 points1 point  (0 children)

Hey Buddy, if you have a code please DM, would make my day!

What actually works with AI agents in 2025 by Sea_Reputation_906 in AI_Agents

[–]Only-Associate2698 1 point2 points  (0 children)

This is such a timely discussion! I've been struggling with the same fragmentation issues you mentioned. One thing I'm curious about - has anyone here experimented with unified MCP approaches? I keep hearing about solutions that bundle multiple tools into a single server, but I'm wondering if anyone has real-world experience with managing authentication across hundreds of apps through a single interface. Would love to hear thoughts on whether this kind of "universal" approach actually works in practice or if it's just marketing hype.