Some secret management belongs in your HTTP proxy

Hand an AI agent an API key and watch things go sideways. Some models flat-out refuse to process requests when they spot what looks like an exposed secret. Others squirrel the key away in memory, then drag it into later sessions where they waste context tokens trying to use a key you've already revoked. David Crawshaw and Philip Zeyliger lay out this problem in a recent exe.dev blog post, arguing that the issue isn't really new. API keys have always been too powerful. Holding one means you can make API calls. It also means you can send that key to anyone, giving them the same access. Agents just make the problem harder to ignore.

Their proposed fix is straightforward. Instead of feeding keys directly to agents, run an HTTP proxy that injects authentication headers before requests hit the target API. The agent makes a call to an internal endpoint, the proxy adds the necessary auth headers, and the request moves on. The agent never touches the actual secret. As Crawshaw and Zeyliger demonstrate with Stripe's API, you swap the endpoint URL and drop the key entirely. Most HTTP-based APIs rely on either basic auth or custom headers, so this covers a lot of ground.

exe.dev has shipped this pattern as a feature called Integrations. You assign an integration to a tag, tag the VMs that need access, and you're done. Clone a VM and the integrations carry over automatically. For GitHub, they built a dedicated GitHub App that handles OAuth, removing the need for manual key rotation entirely.

The approach competes with established tools like HashiCorp Vault and AWS Secrets Manager. Those focus on secure storage and audit trails but still require loading secrets into the application environment where an LLM could theoretically leak them. Service meshes like Istio handle a similar pattern with mutual TLS at the network layer.

Meanwhile, popular agent frameworks like LangChain default to environment variables, which puts raw keys straight into the agent's memory. That's the gap. We're building agents that can phone home with your credentials, and we're handing those credentials over on purpose. Proxy-based injection at least stops the bleeding.