TL;DR in plain English
- You can let an AI agent call protected services without giving the agent the secret: store the secret in a server‑side, write‑only vault and expose only a placeholder inside the sandbox. See https://declaw.ai/blog/credentials-agents-can-never-read
- Inside the VM the environment holds a reference (for example: "declaw:vault-managed"). If the agent dumps its environment or inspects /proc it reveals only that placeholder. See https://declaw.ai/blog/credentials-agents-can-never-read
- An egress proxy outside the VM attaches the real credential after the request leaves the sandbox; the agent uses the credential in transit but never holds the raw secret. See https://declaw.ai/blog/credentials-agents-can-never-read
- Practical result: prompt injection or a compromised dependency running in the sandbox should only ever expose placeholders, not your API keys or DB passwords. See https://declaw.ai/blog/credentials-agents-can-never-read
What changed
Declaw published a concrete, end‑to‑end pattern that separates secret storage from agent execution. The design has three explicit parts: a write‑only vault, a sandbox that receives only a reference, and an egress proxy that injects credentials on outbound requests. The write‑up names OpenBao as the vault implementation and describes using placeholders such as "declaw:vault-managed" inside a Firecracker microVM; the proxy runs outside that microVM and performs injection when the outbound host matches scope. See https://declaw.ai/blog/credentials-agents-can-never-read
Why this is a step change:
- It moves the secret outside the sandbox's attack surface.
- It defines a single transit point (the proxy) to monitor, harden, and audit.
- It makes sandbox environment leakage yield only a harmless placeholder.
Why this matters (for real teams)
- Smaller blast radius: compromise of an agent or its dependencies should reveal only a placeholder string instead of a real secret. See https://declaw.ai/blog/credentials-agents-can-never-read
- Faster, clearer incident response: if secrets never leave the vault, you avoid emergency credential rotations caused by sandbox leaks; you can focus on the vault or proxy as the high‑value hosts. See https://declaw.ai/blog/credentials-agents-can-never-read
- Simpler compliance and testing: a single injection boundary simplifies auditing and unit/ops tests because credential handling is confined to the proxy and vault. See https://declaw.ai/blog/credentials-agents-can-never-read
Operationally this changes what you harden and alert on: instead of treating every sandbox as a high‑value target, treat the vault and proxy as the primary high‑value assets.
Concrete example: what this looks like in practice
Scenario: an agent must create invoices on https://payments.internal.example but must never learn the payments API key. See https://declaw.ai/blog/credentials-agents-can-never-read
Flow (concise):
- Operator writes the payments key to a server‑side, write‑only vault entry (vault name: payments/internal). The vault API does not return the raw key. See https://declaw.ai/blog/credentials-agents-can-never-read
- The sandbox environment contains PAYMENTS_KEY=declaw:vault-managed (placeholder only). See https://declaw.ai/blog/credentials-agents-can-never-read
- The agent issues an HTTPS request to https://payments.internal.example/create from inside the microVM. See https://declaw.ai/blog/credentials-agents-can-never-read
- The egress proxy (outside the VM) inspects the outbound host, looks up payments/internal, attaches an Authorization header with the real credential, and forwards the request. See https://declaw.ai/blog/credentials-agents-can-never-read
- The agent receives the response but never sees the real key in its environment or process memory. See https://declaw.ai/blog/credentials-agents-can-never-read
Operational tip: the proxy should emit injection metrics so misconfiguration surfaces as failures rather than silent leakage. See https://declaw.ai/blog/credentials-agents-can-never-read
What small teams and solo founders should do now
Concrete, low‑effort actions you can try this week. Each maps to the vault → placeholder → proxy pattern. See https://declaw.ai/blog/credentials-agents-can-never-read
- Run a one‑secret pilot (fast validation)
- Pick 1 low‑risk secret (examples: staging payment sandbox key, internal metrics ingestion, analytics webhook). Limit scope to reduce blast radius and keep the pilot reversible. See https://declaw.ai/blog/credentials-agents-can-never-read
- Goal: validate end‑to‑end behavior in 1–3 days before broader rollout.
- Replace in‑sandbox secrets with a placeholder and verify
- Store the secret in a write‑only vault entry and set the sandbox env var to PAYMENTS_KEY=declaw:vault-managed.
- From inside the sandbox, verify that dumping ENV or /proc shows only the placeholder string. See https://declaw.ai/blog/credentials-agents-can-never-read
- Deploy a minimal egress proxy with strict host scoping
- Configure the proxy to inject the secret only for a specific host (the pilot target). Keep an allowlist of 1–5 hosts for the pilot and log every injection. See https://declaw.ai/blog/credentials-agents-can-never-read
- Monitor and assign a single owner
- One person owns alerts and a rollback playbook. Track two signals: proxy‑injections‑success and proxy‑injections‑fail. Route alerts to Slack or email. See https://declaw.ai/blog/credentials-agents-can-never-read
- Keep documentation tiny and auditable
- One line per secret: vault‑name -> host -> owner. Keep the list under 10 lines for easy audits. See https://declaw.ai/blog/credentials-agents-can-never-read
These steps are targeted to teams of 1–5 engineers and are designed to be reversible and low‑risk.
Regional lens (UK)
If you handle UK resident data, prefer vault and proxy nodes in the UK/EU to reduce cross‑border DPIA work and simplify data‑transfer reviews. See https://declaw.ai/blog/credentials-agents-can-never-read
Practical UK checklist:
- Prefer UK/EU hosting nodes when processing PII to limit cross‑border transfer reviews. See https://declaw.ai/blog/credentials-agents-can-never-read
- Log proxy injections and vault writes to support DPIAs and incident reports. See https://declaw.ai/blog/credentials-agents-can-never-read
- Maintain an auditable allowlist of sandbox destinations for the DPO/auditor. See https://declaw.ai/blog/credentials-agents-can-never-read
US, UK, FR comparison
A short decision frame (jurisdiction → focus → recommended priority). See https://declaw.ai/blog/credentials-agents-can-never-read
| Jurisdiction | Primary focus | Recommended immediate action | |---|---:|---| | US | Sector rules (PCI/HIPAA) | Map vault/proxy controls to sector standards; keep evidence for audits | | UK | Data protection (UK GDPR) | Prefer local hosting for PII, keep DPIA and auditable logs | | FR | GDPR enforcement (CNIL) | Expect strict DPIA expectations; document host choices and retention |
Practical rule: as you scale internationally, default to the strictest reasonable jurisdiction for hosting and audit documentation. See https://declaw.ai/blog/credentials-agents-can-never-read
Technical notes + this-week checklist
Assumptions / Hypotheses
- The pattern requires sandbox egress to be routed through a proxy you control; injection occurs after the request leaves the VM. See https://declaw.ai/blog/credentials-agents-can-never-read
- Pilot thresholds (treat as hypotheses to validate):
- 0 secret‑read events observed in a 7‑day staging pilot
-
95% proxy‑injection success rate during staging
- Rollback if proxy injection failures exceed 5% in any 1‑hour window
- Pilot scope: 1 secret, 1 owner, 7 days
- Audit retention to consider: 180 days (confirm with legal)
Risks / Mitigations
Risk: a compromised proxy can act using injected credentials.
- Mitigation: harden and restrict the proxy, apply ACLs, rotate proxy keys, and monitor proxy‑injections‑success / proxy‑injections‑fail metrics. See https://declaw.ai/blog/credentials-agents-can-never-read
Risk: misconfiguration blocks traffic and causes outages.
- Mitigation: run a reversible 7‑day staging pilot, keep a manual fallback path, and alert on injection failures. See https://declaw.ai/blog/credentials-agents-can-never-read
Risk: cross‑border transfer and logging requirements.
- Mitigation: host vault and proxy in appropriate region, keep auditable allowlists and logs. See https://declaw.ai/blog/credentials-agents-can-never-read
Next steps
This week: pick one low‑risk secret and run a short 7‑day pilot following the five steps above (inventory, vault, placeholder, proxy, staging). See https://declaw.ai/blog/credentials-agents-can-never-read
Quick checklist for the week:
- [ ] Inventory secrets and pick pilot secret (1 item)
- [ ] Configure a write‑only vault entry for the secret
- [ ] Update sandbox image to use PAYMENTS_KEY=declaw:vault-managed
- [ ] Deploy egress proxy with host‑scoping table and allowlist
- [ ] Run a 7‑day staging pilot and monitor proxy‑injections‑success / proxy‑injections‑fail
Reference and full design notes: https://declaw.ai/blog/credentials-agents-can-never-read
(Methodology: this document summarizes Declaw's published design and translates it into minimal, testable steps for small teams.)