Agent Credential Vault Pattern
An agent with secrets in its prompt is a prompt-injection leak waiting to happen. The vault pattern keeps secrets in a hardware-backed store (Vault, AWS Secrets Manager, 1Password, Infisical) and exposes only placeholder references to the LLM. The execution layer substitutes real values just before the HTTP call, so secrets never appear in prompts, logs, or model responses.
Protocol facts
- Sponsor: Security community
- Status: stable
- Interop with: HashiCorp Vault, AWS Secrets Manager, 1Password, Infisical
Frequently asked questions
How does substitution work?
The LLM sees `{{GITHUB_TOKEN}}` in its tool description, not the real token. When the agent calls `github.create_issue(token={{GITHUB_TOKEN}})`, the runtime intercepts the call, fetches the real token from the vault, substitutes it into the request, and sends the actual HTTP request itself.
What about OAuth tokens?
Same pattern, with a refresh-handling layer. The agent never sees the access or refresh token — it asks the runtime to 'call GitHub on my behalf' and the runtime handles the token lifecycle, including refresh.
Does this prevent all secret leaks?
It eliminates the biggest class — leaks via model output and logs. It doesn't protect against a compromised runtime or malicious tool code, so you still need least-privilege scopes and monitoring on the vault itself.
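The substitution step from "How does substitution work?" and the leak classes from the answer above, as an added example that is not the pattern's own code: a minimal runtime that resolves `{{REF}}` placeholders against a vault at call time, refuses placeholders a tool was not granted (the per-tool least privilege the answer recommends), logs only the placeholder form, and redacts real values from anything returned to the model. The `Runtime` class, its `vault_read` callable, the in-memory `VAULT` dict and `fake_send` are all constructed stand-ins.

```python
import re

PLACEHOLDER = re.compile(r"\{\{([A-Z0-9_]+)\}\}")

class Runtime:
    """Sits between the model and the network; the model only ever sees placeholders."""
    def __init__(self, vault_read, tools):
        self.vault_read = vault_read  # callable: secret name -> value (Vault, AWS SM, ...)
        self.tools = tools            # tool name -> set of placeholders it may resolve
        self.audit = []               # log records hold placeholders, never secret values
        self._seen = {}               # real value -> placeholder, for redacting responses

    def _resolve(self, tool, ref):
        # Least privilege per tool: an injected {{OTHER_SECRET}} is refused, not fetched.
        if ref not in self.tools[tool]:
            raise PermissionError("%s may not resolve {{%s}}" % (tool, ref))
        value = self.vault_read(ref)
        self._seen[value] = "{{%s}}" % ref
        return value

    def substitute(self, tool, args):
        """Replace every {{REF}} inside string arguments with the real secret."""
        return {k: PLACEHOLDER.sub(lambda m: self._resolve(tool, m.group(1)), v)
                if isinstance(v, str) else v for k, v in args.items()}

    def redact(self, text):
        """Scrub any real secret value from data flowing back to the model or logs."""
        for value, placeholder in self._seen.items():
            text = text.replace(value, placeholder)
        return text

    def call(self, tool, args, send):
        """Intercept the tool call: substitute, send, log the placeholder form, redact reply."""
        real = self.substitute(tool, args)
        self.audit.append({"tool": tool, "args": args})  # what the model asked for, not secrets
        return self.redact(send(real))

# Constructed fixture: an in-memory dict stands in for the vault backend.
VAULT = {"GITHUB_TOKEN": "ghp_constructed_real_value"}
runtime = Runtime(VAULT.__getitem__, {"github.create_issue": {"GITHUB_TOKEN"}})

def fake_send(real_args):
    # Stands in for the HTTP client; echoes the header so the redaction step is visible.
    return "HTTP 201; sent Authorization: Bearer " + real_args["token"]

def demo():
    args = {"token": "{{GITHUB_TOKEN}}", "title": "Flaky test on main"}
    reply = runtime.call("github.create_issue", args, fake_send)
    return reply, runtime.audit[-1]
```

`demo()` returns the redacted reply and the audit record; the real token is present only in the argument dict handed to `fake_send`, which is the one place the pattern allows it.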
Sources
- HashiCorp Vault — accessed 2026-04-20
- OWASP — secrets management — accessed 2026-04-20