06-reference

tony dang credential brokering for ai agents

2026-05-22·reference·source: X (Tony Dang / Infisical)·by Tony Dang
credential-brokeringagent-securitysecrets-managementprompt-injectioninfisicalanthropic-managed-agentsvercel-sandboxcloudflare-outbound-workerslangchain

"Credential Brokering for AI Agents, Explained" - @dangtony98

Why this is in the vault

Founder shared 2026-05-22 22:33 ET with explicit framing: comparing to RDCO's existing 1Password CLI wrapper pattern and asking "is ours functionally equivalent." Anchor reference for agent-credential-architecture discussions; also enterprise-pattern reference for future phData / multi-tenant work where 1pass-CLI doesn't scale.

⚠️ Sponsorship

Tony Dang is co-founder of Infisical (YC, secrets management). Article concludes with a soft sell for Agent Vault, their open-source credential broker. The framing of the broader paradigm is non-biased (cites Anthropic Managed Agents, Vercel Sandbox, Cloudflare Outbound Workers, LangChain sandbox auth proxy as independent convergent implementations), but treat the Agent Vault recommendation as author-promoted.

The core argument

Problem: Agents need credentials but cannot be trusted with them. Prompt injection through user input, retrieved web content, or external data sources can manipulate an agent into leaking the credentials in its environment back to an attacker. Credential exfiltration is the worst case: attacker gets direct service access AS the agent.

Solution: Credential brokering. Insert a proxy between the agent and the services it talks to. Agent makes requests with placeholder credentials (e.g. Authorization: Bearer __github_token__). The broker holds the real secrets, swaps placeholders for real values mid-flight at the network layer, and forwards the rewritten request upstream. Agent never sees the real bytes.

Convergent industry signal: Anthropic Managed Agents, Vercel Sandbox credential injection, Cloudflare Outbound Workers for Sandboxes, LangChain sandbox auth proxy, and Infisical Agent Vault have all independently arrived at the same proxy-substitution paradigm in 2026.

Design principles for a broker: isolation (broker secrets cannot be reached from agent process), co-location (latency matters; brokers should sit near agents), keep-private (broker endpoint not on public network), interface-agnostic (broker intercepts at HTTPS_PROXY layer so existing CLIs/SDKs/MCPs work unchanged).

Mapping against Ray Data Co

RDCO current state (1Password CLI wrapper pattern): cloudflare-api.sh-style scripts read from 1Password at invocation, load into subprocess env var, curl inline, exit. Memory-resident credential lives in agent's process address space for the call duration. Protects against secrets-on-disk; does NOT protect against in-process exfiltration via prompt injection.

Gap with credential brokering:

Where the gap matters for RDCO:

Concrete preparation worth considering: structure shell wrappers with HTTPS_PROXY envelope as the canonical injection point so a future broker (Agent Vault, Anthropic Managed Agents, Cloudflare Outbound Workers) can be inserted without rewriting every script. Low-cost structural prep.

Companies / sectors named (worth tracking)

Related