K0KEYZERO

Use Case

Secret Management for AI Agents

Runtime secret resolution, blind mode, and policy control for LLM-powered agents. Works with LangChain, CrewAI, AutoGen, and custom frameworks.

AI agents are a new category of credential consumer. Unlike human developers or server processes, agents operate with an LLM at their core -- a component that logs inputs, generates unpredictable outputs, and transmits every piece of context to a remote API. Traditional secret management tools were not designed for this execution model. For a deeper look at the threat landscape, see why AI agents leak secrets.

Why Traditional Secret Management Fails for Agents

Secret managers like HashiCorp Vault, AWS Secrets Manager, and 1Password solve the problem of storing and distributing credentials. They assume the consumer is trusted: a server process that fetches a database password and uses it to open a connection. The secret stays in process memory and is used programmatically.

AI agents break this assumption in several ways:

Context window accumulation. Every input to the LLM -- environment variables, tool responses, file contents -- becomes part of the context window. That context is sent to the LLM provider on every subsequent turn. A credential that enters the context on turn 2 is retransmitted on turns 3 through N.

Tool call serialization. When an agent calls a tool, both the arguments and the response are serialized into the conversation. If a tool returns an error containing a connection string, that credential is now part of the conversation permanently.

Code generation. Agents generate code. If an agent has seen API_KEY=sk-abc123 in the environment, it may emit that literal value in generated configuration files, test fixtures, or documentation.

Log persistence. Agent frameworks log tool calls, responses, and intermediate reasoning. These logs often end up in files, observability platforms, or debugging consoles -- all places where raw credentials should not appear.

Multi-hop delegation. An agent may delegate tasks to sub-agents, each with their own tool sets. A credential given to a top-level agent can propagate through multiple layers of delegation with no access control between them.

KeyZero's Three-Layer Approach

KeyZero addresses agent credential security at three distinct layers:

Layer 1: Runtime Resolution

Instead of storing secrets in .env files or passing them as command-line arguments, KeyZero resolves credentials at process startup from vault backends:

kz run -- python agent.py

# .keyzero.toml
[secrets]
OPENAI_API_KEY = { provider = "1password", ref = "op://Dev/OpenAI/api-key" }
GITHUB_TOKEN   = { provider = "vault", ref = "secret/data/prod/github/token" }
SLACK_BOT_TOKEN = { provider = "aws-sm", ref = "prod/slack-bot-token" }

The agent process receives environment variables with resolved values. No plaintext files on disk, no credentials in source control.

Layer 2: Blind Mode

Runtime resolution keeps secrets off disk, but the agent process still has access to raw credential values in memory and environment. Blind mode goes further:

kz run --blind -- python agent.py

In blind mode, the agent receives opaque tokens (KZ_TOK_a8f3e1) instead of real credentials. A local MITM proxy intercepts outgoing HTTP requests and swaps the opaque token for the real credential before the request leaves the machine. The full mechanics are covered in blind mode explained.

The agent can make authenticated API calls, but it never possesses the real credential. If the LLM logs KZ_TOK_a8f3e1, that token is useless outside the proxy context.

Layer 3: Policy Control

For team and production deployments, KeyZero's PDP (Policy Decision Point) server adds identity-based access control using JWTs and CEL policies:

# bundle.yaml
policies:
  - match: "secret/data/prod/**"
    rules:
      - cel: "identity.service == 'data-pipeline-agent'"
        effect: allow
      - cel: "identity.service == 'support-agent'"
        effect: deny

  - match: "secret/data/staging/**"
    rules:
      - cel: "identity.env == 'staging'"
        effect: allow

Each agent authenticates with a JWT that carries its identity claims. The PDP evaluates CEL expressions against those claims before allowing secret resolution. A customer support agent can access the Zendesk API key but not the production database password.

Framework Integration

KeyZero works at the process and network level, so it integrates with any agent framework without requiring framework-specific plugins.

LangChain / LangGraph

kz run --blind -- python -m langchain_app.main

LangChain agents that use tools requiring API keys (e.g., SerpAPIWrapper, OpenAIEmbeddings) receive credentials through environment variables. With blind mode, those tools make HTTP requests through the proxy.

CrewAI

kz run --blind -- crewai run

CrewAI agents with roles that access different APIs each get the same opaque token treatment. The proxy handles credential injection per-host.

AutoGen

kz run --blind -- python autogen_workflow.py

AutoGen's multi-agent conversations involve tool calls across multiple agent instances. KeyZero wraps the entire process tree, so all sub-agents route through the same proxy.

Custom Frameworks

Any agent that makes HTTP requests and reads environment variables works with KeyZero. No SDK, no library dependency, no code changes:

import os
import httpx

# This value is KZ_TOK_xxxx in blind mode, real value in standard mode
api_key = os.environ["API_KEY"]

# In blind mode, the proxy swaps the token before the request leaves
response = httpx.get(
    "https://api.example.com/data",
    headers={"Authorization": f"Bearer {api_key}"}
)

The KeyZero MCP Server for Agent Tool Use

For agents that support MCP (Model Context Protocol), KeyZero can run as an MCP server providing resolve and fetch tools. See the MCP servers integration page for detailed configuration patterns.

kz server start --bundle ./bundle.yaml --mcp

The fetch tool is particularly useful: the agent asks KeyZero to make an authenticated request, and receives only the response body. The credential never enters the agent's context window.

Summary

AI agents are untrusted credential consumers by nature. They transmit context to remote APIs, generate unpredictable outputs, and log everything. KeyZero provides runtime resolution to eliminate plaintext files, blind mode to prevent credential exposure in agent memory and context, and policy control to enforce least-privilege access across agent identities. It works with any framework because it operates at the process and network layer, not the application layer. For a comprehensive comparison of approaches, read the secret management for AI agents decision guide, or explore five patterns for secret-safe AI deployments.