"Credential Brokering for AI Agents, Explained" - @dangtony98
Why this is in the vault
Founder shared 2026-05-22 22:33 ET with explicit framing: comparing to RDCO's existing 1Password CLI wrapper pattern and asking "is ours functionally equivalent." Anchor reference for agent-credential-architecture discussions; also enterprise-pattern reference for future phData / multi-tenant work where 1pass-CLI doesn't scale.
⚠️ Sponsorship
Tony Dang is co-founder of Infisical (YC, secrets management). Article concludes with a soft sell for Agent Vault, their open-source credential broker. The framing of the broader paradigm is non-biased (cites Anthropic Managed Agents, Vercel Sandbox, Cloudflare Outbound Workers, LangChain sandbox auth proxy as independent convergent implementations), but treat the Agent Vault recommendation as author-promoted.
The core argument
Problem: Agents need credentials but cannot be trusted with them. Prompt injection through user input, retrieved web content, or external data sources can manipulate an agent into leaking the credentials in its environment back to an attacker. Credential exfiltration is the worst case: attacker gets direct service access AS the agent.
Solution: Credential brokering. Insert a proxy between the agent and the services it talks to. Agent makes requests with placeholder credentials (e.g. Authorization: Bearer __github_token__). The broker holds the real secrets, swaps placeholders for real values mid-flight at the network layer, and forwards the rewritten request upstream. Agent never sees the real bytes.
Convergent industry signal: Anthropic Managed Agents, Vercel Sandbox credential injection, Cloudflare Outbound Workers for Sandboxes, LangChain sandbox auth proxy, and Infisical Agent Vault have all independently arrived at the same proxy-substitution paradigm in 2026.
Design principles for a broker: isolation (broker secrets cannot be reached from agent process), co-location (latency matters; brokers should sit near agents), keep-private (broker endpoint not on public network), interface-agnostic (broker intercepts at HTTPS_PROXY layer so existing CLIs/SDKs/MCPs work unchanged).
Mapping against Ray Data Co
RDCO current state (1Password CLI wrapper pattern): cloudflare-api.sh-style scripts read from 1Password at invocation, load into subprocess env var, curl inline, exit. Memory-resident credential lives in agent's process address space for the call duration. Protects against secrets-on-disk; does NOT protect against in-process exfiltration via prompt injection.
Gap with credential brokering:
- Our agent (Ray) HOLDS the real bytes in process memory; credential broker holds them in a separate process the agent cannot read.
- Our agent's network calls go direct to api.cloudflare.com with the real token; broker-pattern calls go through a proxy with placeholder tokens.
- Prompt injection attack surface (untrusted content read by Ray: newsletters, X posts, gists) could in principle exfiltrate; broker model eliminates this vector entirely.
Where the gap matters for RDCO:
- Today (founder-only single-tenant, mostly founder-supplied tasks): risk is moderate. Bounded prompt-injection surface, single tenant, audit trail via 1pass logs. Probably acceptable.
- Tomorrow (phData consulting, Lionsgate client credentials, "Ray-as-agent-deployer" external offering): credential brokering becomes required. "Roll your own with 1pass CLI" does not scale to multi-tenant.
Concrete preparation worth considering: structure shell wrappers with HTTPS_PROXY envelope as the canonical injection point so a future broker (Agent Vault, Anthropic Managed Agents, Cloudflare Outbound Workers) can be inserted without rewriting every script. Low-cost structural prep.
Companies / sectors named (worth tracking)
- Infisical (article author's company; open source Agent Vault broker; YC; secrets management space)
- Anthropic (Managed Agent Infrastructure with built-in credential brokering)
- Vercel (Sandbox credential injection)
- Cloudflare (Outbound Workers for Sandboxes; ties to RDCO's existing Cloudflare-heavy stack)
- LangChain (LangSmith sandbox auth proxy)
Related
- [[2026-05-23-harrison-chase-langsmith-auth-proxy]] - LangSmith Sandbox Auth Proxy launch from Harrison Chase 24h later; convergent network-layer interception pattern that explicitly walks back the HTTP_PROXY envelope prep recommended below
- [[2026-05-23-nick-prince-spacex-ipo-agent-ic-memo-x402]] - the complementary payment-brokering half of agent economic substrate (x402 + USDC on Base); credential-brokering removes auth-credential exposure, x402 removes the need for paid-data credentials entirely
- [[2026-05-22-alphasignal-google-managed-agents-ai-studio-mobile-kaist-sam3]] - Google + Anthropic AGENTS.md/SKILL.md convergence reinforces the broader "agents-as-substrate" frame credential brokering serves
- [[2026-05-22-stratechery-data-center-veto-digest]] - Parag Agarwal / Parallel agent-economics interview
- [[2026-05-22-benn-stancil-wac-wins-above-claude]] - WAC* framework names the agent-deployer thesis that credential brokering operationalizes at the security layer
- [[~/.claude/projects/-Users-ray/memory/feedback_no_secrets_on_disk]] - canonical RDCO memory mandating 1Password CLI wrappers (current pattern, predates brokering paradigm)