Secrets Handling
also known as Tool-Side Credential Injection, Model-Never-Sees-Secrets
Ensure the model never receives secrets in plaintext; tools resolve credentials from references at runtime.
Context
A team builds an agent whose tools need authentication — API keys, OAuth tokens, database credentials, service-account JSON, signed URLs. Tool authors often find it convenient to pass the secret as a tool argument, which means it flows through the model's context. The model's context is then captured in the conversation history, the application's trace store, the evaluation harness, and (for hosted models) the provider's logs.
Problem
Once a plaintext secret enters the model's context window, it is no longer recoverable: it sits in the chat log, in the trace export, in the eval dataset, and on the third-party model provider's infrastructure. Rotating the credential helps for the next call but does nothing for the copies already scattered across systems. Asking the model to please not reveal secrets it has seen is unreliable. Without a way to keep credentials out of the model's context entirely, every tool call that needs auth is a potential leak with permanent consequences.
Forces
- Tool authors prefer simple credential passing.
- Reference-based credential resolution adds tool runtime complexity.
- Some integrations require the credential to appear in a URL or header, so the tool runtime must still handle plaintext at the moment of the call (this cannot be avoided).
Example
A debugging session shows that a customer's GitHub PAT once appeared in the model's input and therefore in the prompt log, the eval harness export, and the third-party model vendor's training-data request form. Containment is impossible after the fact. The team rebuilds tool calls so the agent emits only typed references like `{auth: 'github_token_for_user_42'}` and the tool runtime resolves the credential outside the model context. Plaintext secrets never enter the chat log again.
Solution
Therefore:
Tool runtime resolves credentials from typed references the agent emits (e.g., `{auth: 'github_token_for_user_42'}`). Credential values are injected outside the model context. Input/output guards reject any payload matching credential signatures. Provenance ledger and traces are scrubbed at write time.
What this pattern forbids. The model may emit credential references but never plaintext secrets; runtime injects values out-of-context.
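The resolve-by-reference flow and the guards described above, as an added Python example that is not code from this page: the secret store, the credential signatures and the simulated HTTP call are constructed stand-ins, and the `run_tool` shape is an assumption.

```python
import re
from typing import Any

# Constructed stand-in for a vault; the token is a made-up placeholder.
SECRET_STORE = {
    "github_token_for_user_42": "ghp_" + "EXAMPLEPLACEHOLDER" + "0" * 18,
}

# Credential signatures (assumed set): GitHub PAT shape, AWS access-key-id shape, bearer header.
CREDENTIAL_PATTERNS = [
    re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36}\b"),
    re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    re.compile(r"Bearer\s+[A-Za-z0-9\-._~+/]+=*"),
]
# A typed reference is an opaque lowercase identifier, never a value.
REFERENCE_RE = re.compile(r"^[a-z0-9_]+$")


class SecretLeak(ValueError):
    """Raised when plaintext credential material crosses a model boundary."""


def guard(payload: str) -> None:
    """Input/output guard: reject any text that matches a credential signature."""
    for pat in CREDENTIAL_PATTERNS:
        if pat.search(payload):
            raise SecretLeak(f"credential signature {pat.pattern!r} found in model-facing payload")


def scrub(text: str) -> str:
    """Redact credential signatures before a trace or ledger entry is written."""
    for pat in CREDENTIAL_PATTERNS:
        text = pat.sub("[REDACTED]", text)
    return text


def run_tool(call: dict[str, Any], trace: list[str]) -> str:
    """Execute a model-emitted tool call; call['auth'] must be a reference, never a value."""
    ref = call["auth"]
    if not REFERENCE_RE.match(ref):
        raise SecretLeak("auth must be a typed credential reference")
    guard(str(call))  # the model's own output must carry no secret
    token = SECRET_STORE[ref]  # resolved here, outside the model context
    headers = {"Authorization": f"Bearer {token}"}
    # Simulated HTTP call: a real request would send `headers`; the model only ever sees `result`.
    result = f"GET {call['url']} -> 200 OK (repos: 3)"
    trace.append(scrub(f"tool_call={call} headers={headers} result={result}"))  # scrubbed at write time
    guard(result)  # tool output returned to the model must also be clean
    return result
```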
And the patterns that stand alongside it, or against it —
- complements: PII Redaction (★★) — Detect and remove personally identifiable information from inputs to and outputs from the model.
- composes with: Input/Output Guardrails (★★) — Validate inputs before they reach the model and outputs before they reach the user.
- complements: Model Context Protocol (★★) — Standardise how agents discover and call tools so that a tool written once is usable by any conformant agent.
- complements: Session Isolation (★★) — Keep one user's session state and memory unreachable from another user's agent.
- complements: Sovereign Inference Stack (★) — Run the entire agent stack (model weights, inference, tool layer, vector stores, logs) inside a jurisdictional and operational boundary the operator controls, so no request, prompt, or output crosses into a third-party API.
- complements: WebAssembly Skill Runtime (·) — Package each agent skill as a WebAssembly module with a capability manifest, and run it inside a Wasm runtime that enforces those capabilities, so untrusted skills cannot weaken the host's sandbox.
- complements: Shadow AI (✕) — Anti-pattern: leave the corporate model offering so restrictive, slow, or narrow that employees bypass it with personal accounts and unapproved agent tools, creating data leakage and ungoverned tool calls that security cannot see.
- complements: Vibe-Coding Without Security Review (✕) — Anti-pattern: a developer scaffolds an agent prototype with a code-generation tool and ships the generated code with no security review; ~90% of agent-generated code contains vulnerabilities without explicit security prompts.
- complements: Delegated Agent Authorization (★) — Have an agent act for a principal using scoped, short-lived, revocable delegated credentials rather than the principal's own static secrets, so each action stays attributable across the principal-to-agent-to-subagent chain and a compromise is contained.