The Problem Nobody Is Talking About Clearly
When you build a single-agent system, credential handling is straightforward: one process, one set of API keys, one blast radius if something goes wrong. When you go multi-agent — orchestrators calling sub-agents, sub-agents spawning tools, tools invoking external APIs — credentials start travelling.
They travel through system prompts. They travel through tool call payloads. They travel through inter-process messages. And unlike a single service's environment variables, they travel through surfaces that LLMs can read, summarise, and — if prompted correctly by an adversary — repeat back.
This is agent-to-agent API key exposure. It's not a theoretical attack. It's a predictable consequence of how today's agent frameworks pass context.
GitGuardian's CEO noted in February 2026 that the real risk from tools like Claude Code "has shifted from code vulnerabilities to identity and secrets management in the AI era." The attack surface is live. The tooling to exploit it is public. The defensive tooling is six months behind.
How Keys Get Passed (And Leaked)
Consider a common orchestration pattern: an orchestrator agent receives a user request, decides it needs to call a payment API and a user-data API, and spawns two sub-agents with the necessary credentials injected into their system prompts or tool configurations.
The sub-agents complete their work and return results — but the credentials were in plaintext inside the context window the entire time. Any log of that conversation, any debug output, any trace sent to an observability platform, potentially includes those keys.
Three Common Exposure Vectors
- System prompt injection — credentials passed directly in the prompt string, visible to every layer of the call stack and any logging middleware sitting between them.
- Tool call payloads — many MCP-compatible tools accept API keys as parameters. If the orchestrator injects them at invocation time, they appear in tool call logs, often in plaintext.
- Context window persistence — in long-running agent sessions, keys injected early persist through the entire conversation. A later prompt injection attack (e.g., malicious content in a fetched webpage) can instruct the agent to repeat its own context, exfiltrating the key.
Why Existing Secrets Management Doesn't Cover This
The conventional answer to credential security is: use a secrets manager (AWS Secrets Manager, HashiCorp Vault, 1Password Secrets Automation). Pull secrets at runtime. Never hardcode.
That's still good advice — but it doesn't close the agent-to-agent gap. The problem isn't where the secret is stored. The problem is what happens after retrieval.
Once an agent framework pulls a key from Vault and injects it into a sub-agent's context window, the secret has left the vault and entered an uncontrolled surface. The key is now effectively hardcoded in a dynamic string that may be logged, traced, summarised, or leaked via prompt injection.
The vault protected the secret at rest. Nothing protected it in flight through the model.
What Secure Agent Key Handling Actually Looks Like
1. Scoped, Per-Task Credentials
Instead of passing long-lived API keys, generate short-lived scoped tokens per agent invocation. If a sub-agent only needs read access to user records for 30 seconds, issue a token with exactly that scope and a 30-second TTL. Leaking it buys an attacker almost nothing.
2. Credential Proxying
Sub-agents should never hold credentials directly. They should call a credential proxy — a thin internal service that holds the actual API key and makes the external call on the agent's behalf. The sub-agent authenticates to the proxy with a short-lived internal token; the external credential never touches the agent's context window.
3. Tool-Layer Authentication, Not Context-Layer
When using MCP or similar tool protocols, API credentials should be bound to the tool server, not passed in the tool call. The orchestrator authenticates to the tool server; the tool server authenticates to the external API. Keys never enter the LLM's prompt.
4. Prompt Injection Hardening on Agent Outputs
Before any external content (web pages, emails, database records) enters an agent's context, strip or sanitise it through a content policy layer. This doesn't prevent all prompt injection, but it raises the bar significantly for exfiltration via model manipulation.
5. Secrets Scanning on Traces and Logs
Before shipping agent traces to observability platforms (Langfuse, Datadog LLM observability, Arize), run them through a secrets scanner. GitGuardian, truffleHog, and similar tools can be integrated as a pre-export hook. Catch leaks before they leave your perimeter.
The Audit Question to Ask This Week
If you have a multi-agent system in production right now, answer this honestly: can you tell me, for every external API call your agents make, whether the credential used was in plaintext anywhere in an LLM context window in the 60 seconds before that call?
If the answer is "I don't know" — you have a gap. It may not have been exploited yet. But prompt injection attacks against agentic systems are increasingly documented in the wild, and credential exfiltration is the natural endgame.
The orchestration layer is the new attack surface. Treat credentials in it accordingly.
Secure Credential Handoff for AI Agents
API Secure's split-channel delivery means neither piece travels through an LLM context window. Encrypt locally. Send pieces separately. Zero-server, zero-knowledge.
Try API Secure FreeReferences
- GitGuardian — "Claude Code Security: Why the Real Risk Lies Beyond Code" (Eric Fourrier, Feb 27, 2026)
- GitGuardian — "Shifting Security Left for AI Agents: Enforcing AI-Generated Code Security with GitGuardian MCP" (C.J. May, Feb 26, 2026)
- OWASP GenAI Security Project — Top 10 for LLM Applications
- OWASP LLM02: Insecure Output Handling / LLM08: Excessive Agency