Ask HN: How are you managing secrets with AI agents?

2•m-hodges•1w ago

Secrets management with Agents feels absent today. The agent needs API keys to call external services, but the usual patterns feel broken in this context. You see this clearly when writing Agent Skills.

Environment variables: The agent has shell access. It can run `env` or `echo $API_KEY` and access the secret, either through prompt injection or just by exploring or debugging.

.env files: Same problem. The agent can `cat .env`. The file is right there on the filesystem waiting for curious `print()` statements.

Proxy process / wrapper: You can stand up a separate process that holds the secret and proxies requests. The agent calls localhost, never sees the key. This works, but it's a lot of operational overhead. Now you're running infrastructure just to hide a string from your own tools. It also feels close to reinventing MCP.

What I've been experimenting with:

1. OS keychain with credential helper: The bundled or generated script calls out to the system keychain (macOS Keychain, Windows Credential Manager, etc.) at runtime. The agent can invoke the script, but can't directly query the keychain. Libraries like Python's `keyring` abstract over OS keychains and make it somewhat portable, but this all assumes certain runtime environments and requires user interaction via the OS.

2. Credential command escape hatch: Scripts accept a `--credential-cmd` flag that runs an arbitrary shell command to fetch the secret (`pass show`, `op read`, `vault kv get`, etc.). Flexible, but the agent could potentially inspect what command is being run and iterate to try to access it anyway.

Neither of these feel like a real solution. An agent could probe for credentials.

How are others handling secrets in agent workflows? Is anyone building agent runtimes with proper secrets isolation? Seems like something the official agent harnesses need to figure out and ship with.

Comments

kageiit•1w ago

We built our own harness from the ground up to account for this

Secrets come from aws secret manager and never injected into env directly.

Each part of the agentic workflow only gets the secrets it needs injected. Agent can see env var names but not the values (our harness masks them) . We also mask any attempts to output to stdout/files.

This keeps the agent architecture simple with env vars that all agents can operate on as it locally. Prompt injection attempts will only yield masked values

Has been working well for us so far

whinvik•1w ago

Curious if anyone has experimented with dotenvx - https://dotenvx.com/

m-hodges•1w ago

What would stop the agent from writing+running its own script wrapped in `dotenvx run` to access the secrets?

whinvik•2d ago

One can put `dotenvx` into the deny list for the agent but there will definitely be ways around of it.

akropp99•5d ago

Built a solution for this last night: credwrap (https://github.com/akropp/credwrap)

TCP client-server model. Server holds credentials (encrypted at rest with age), injects them into a pre-approved allowlist of commands. Agent calls credwrap gog gmail search ... — server injects the API key and executes, agent never sees the credential.

Features:

Tool allowlist with argument validation Token / IP whitelist / Tailscale auth Full audit logging Works on Linux and macOS Two deployment modes: run as your own user with encryption (simple), or run as a separate system user for full privilege separation (more secure).

Had the thought that this was needed, and then saw this thread, so I figured I'd share.

TFSFVentures•1d ago

Managing secrets for AI agents, especially when they need to interact with external services via API keys, is a common challenge we've seen. The issues you're describing with `env` variables, `.env` files, and even the operational overhead of proxy processes are exactly what teams run into when trying to secure these workflows. There are typically two or three things causing this, often related to the agent's execution environment and the need for dynamic, secure credential access without exposing them directly. We've helped teams navigate these exact scenarios.

Discuss – Do AI agents deserve all the hype they are getting?

LLMs are powerful, but enterprises are deterministic by nature

Ask HN: Anyone Using a Mac Studio for Local AI/LLM?

Ask HN: Non AI-obsessed tech forums

Ask HN: Ideas for small ways to make the world a better place

Ask HN: 10 months since the Llama-4 release: what happened to Meta AI?

Ask HN: Who wants to be hired? (February 2026)

Ask HN: Who is hiring? (February 2026)

Ask HN: Non-profit, volunteers run org needs CRM. Is Odoo Community a good sol.?

AI Regex Scientist: A self-improving regex solver

Tell HN: Another round of Zendesk email spam

Ask HN: Is Connecting via SSH Risky?

Ask HN: Has your whole engineering team gone big into AI coding? How's it going?

Ask HN: Why LLM providers sell access instead of consulting services?

Ask HN: What is the most complicated Algorithm you came up with yourself?

Ask HN: How does ChatGPT decide which websites to recommend?

Ask HN: Is it just me or are most businesses insane?

Ask HN: Mem0 stores memories, but doesn't learn user patterns

Ask HN: Is there anyone here who still uses slide rules?

Kernighan on Programming

Ask HN: Any International Job Boards for International Workers?

Ask HN: Anyone Seeing YT ads related to chats on ChatGPT?

Ask HN: Does global decoupling from the USA signal comeback of the desktop app?

We built a serverless GPU inference platform with predictable latency

Ask HN: Does a good "read it later" app exist?

Ask HN: How Did You Validate?

Ask HN: Have you been fired because of AI?

Ask HN: Cheap laptop for Linux without GUI (for writing)

Ask HN: Anyone have a "sovereign" solution for phone calls?

Ask HN: OpenClaw users, what is your token spend?