Vault
HashiCorp Vault, AWS Secrets Manager, GCP Secret Manager. Secrets are fetched at runtime from the secure store, not baked into config or the agent's prompt.
Short-lived tokens
OAuth access tokens with a 1 hour lifetime, refreshed via workload identity. The window in which a leaked token is useful is bounded by its lifetime.
Workload identity
The agent pod gets its identity from a Kubernetes service account mapped to cloud IAM. No static credentials anywhere. Best practice.
Prompt-safe abstractions
The agent's tool wrapper handles authentication internally, so the model never sees credentials. Tools return capability handles to the model, not tokens.
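The last two patterns together, as an added example that is not part of the original page: a tool wrapper that keeps the short-lived token and the secret-store lookup on its own side of the boundary, hands the model only opaque capability handles, refreshes the token when its 1 hour TTL lapses, and checks its own output for credential leakage before it reaches the model. `SecretStore`, `mint_token` and `_backend_call` are stand-ins for Vault/cloud secret stores, the identity provider and the real API; the injectable `clock` exists so the refresh behaviour can be exercised without waiting an hour.

```python
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional


class SecretStore:
    """Stand-in for Vault / AWS Secrets Manager / GCP Secret Manager (constructed)."""

    def __init__(self, data: Dict[str, str]):
        self._data = dict(data)

    def fetch(self, name: str) -> str:
        return self._data[name]


@dataclass
class Token:
    value: str
    expires_at: float  # absolute time, same clock as the wrapper

    def expired(self, now: float) -> bool:
        return now >= self.expires_at


def mint_token(client_secret: str, ttl_seconds: float, now: float) -> Token:
    """Stand-in for exchanging a workload identity for a short-lived OAuth token."""
    assert client_secret  # the real exchange would authenticate with this
    return Token(value="tok_" + secrets.token_hex(8), expires_at=now + ttl_seconds)


def _backend_call(action: str, bearer: str) -> str:
    """Stand-in for the real API; the bearer token is consumed here and nowhere else."""
    assert bearer.startswith("tok_")
    return f"{action}: ok"


class ToolWrapper:
    """Model-facing surface exposes capability handles; credentials stay inside."""

    def __init__(self, store: SecretStore, ttl_seconds: float = 3600.0,
                 clock: Callable[[], float] = time.time):
        self._store = store
        self._ttl = ttl_seconds
        self._clock = clock
        self._token: Optional[Token] = None
        self._capabilities: Dict[str, str] = {}  # opaque handle -> backend action
        self.refresh_count = 0  # observable so refresh behaviour can be verified

    def _current_token(self) -> Token:
        now = self._clock()
        if self._token is None or self._token.expired(now):
            # Secret fetched at call time, never stored in the model's context.
            client_secret = self._store.fetch("agent-client-secret")
            self._token = mint_token(client_secret, self._ttl, now)
            self.refresh_count += 1
        return self._token

    def grant(self, action: str) -> str:
        """Return an opaque capability handle the model may pass back later."""
        handle = "cap_" + secrets.token_hex(4)
        self._capabilities[handle] = action
        return handle

    def contains_secret(self, text: str) -> bool:
        """Defensive check: does this text carry anything the model must not see?"""
        leaked = [self._store.fetch("agent-client-secret")]
        if self._token is not None:
            leaked.append(self._token.value)
        return any(s in text for s in leaked)

    def invoke(self, handle: str) -> dict:
        """The model calls a tool by handle; auth happens here, out of its sight."""
        action = self._capabilities.get(handle)
        if action is None:
            return {"ok": False, "error": "unknown capability"}
        tok = self._current_token()
        result = _backend_call(action, tok.value)
        response = {"ok": True, "result": result}
        # Refuse to return anything that would put a credential into the prompt.
        if self.contains_secret(repr(response)):
            return {"ok": False, "error": "response withheld: credential in output"}
        return response


if __name__ == "__main__":
    store = SecretStore({"agent-client-secret": "constructed-client-secret"})
    wrapper = ToolWrapper(store)
    handle = wrapper.grant("list_files")
    print(handle, wrapper.invoke(handle))  # the model sees cap_... and a result, no token
```

The model only ever handles `cap_...` strings, so a prompt injection that convinces it to echo "its credentials" has nothing to echo; and because the wrapper re-mints on expiry, a token that does leak through some other path is useful for at most `ttl_seconds`.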