Skip to main content
You want an AI agent to do real work: push code, file tickets, call external APIs. That work needs credentials, and the Infisical Agent Proxy lets the agent do all of it without ever being handed one. It works like this: the agent makes an API call with no real credential (or a dummy placeholder, where one is expected). On its way out, the request passes through the agent proxy. The proxy attaches the real credential and forwards the request to the API. The API sees a normal authenticated call. The agent never saw the key, so there is nothing to leak. A credential that enters an untrusted code execution environment is exposed in more ways than one:
  • A prompt injection can talk the agent into sending its keys to an attacker (credential exfiltration).
  • Anything in the agent’s environment can end up in its context window, and from there in LLM provider logs and transcripts, or even training data.
  • Keys leak sideways into shell history, log files, and error reports as the agent works.
  • A stolen key works from anywhere until someone notices and rotates it.
Brokered credentials sidestep all of it: they cannot be exfiltrated, logged, or memorized from inside the agent, they only work through the proxy for the services you configured, and an agent’s access can be revoked centrally at any time.
The agent proxy is not limited to AI agents. Any untrusted code execution environment that respects an HTTP proxy can run behind it, with no code changes.

How It Works

  1. Keep your secrets in Infisical, exactly as you do today. Next to them, define proxied services: small configs that say, for example, “requests to api.stripe.com get STRIPE_API_KEY as a Bearer token”.
  2. Run the agent proxy with one command: infisical secrets agent-proxy start.
  3. Launch your agent through the wrapper: infisical secrets agent-proxy connect -- claude. The wrapper points the agent’s traffic at the proxy and starts it. The agent holds none of the brokered credentials, and has no idea any of this is happening.
Now the agent calls api.stripe.com. The proxy adds the real STRIPE_API_KEY and forwards the request. Stripe sees a normal authenticated call.

The Whole Platform Comes With It

Standalone credential proxies manage their own keys, users, and permissions in isolation, so you end up running a second secrets manager just for your agents. The agent proxy is different: brokered credentials are ordinary Infisical secrets, so everything the platform does applies to them with zero extra setup.

Secret Rotation

Rotate brokered credentials on a schedule. The proxy applies the new value within a minute, with no agent restart and no agent awareness.

Dynamic Secrets

Generate short-lived, per-use credentials on demand for databases, clouds, Kubernetes, and more, so there is no long-lived key to steal in the first place.

Approval Workflows

Require a review before a brokered credential changes, exactly like a code change.

Audit Logs

A complete trail of everything around your proxied services, from configuration changes to activity.

Access Controls

Scope each agent identity to exactly the environments, paths, and services it should reach.

Versioning & Recovery

Every brokered credential keeps its full version history, with point-in-time recovery.

What You Work With

A small config that lives in a folder next to your secrets. It says which hosts it covers, which secrets to use, and how to apply them (set a header, or swap a placeholder). You manage it in the secrets dashboard like any other resource.
The Agent Proxy is distinct from other similarly named Infisical components: the Infisical Agent is a daemon that fetches secrets to disk for applications, the Infisical Proxy is a caching proxy for the Infisical API itself, and Gateways let Infisical reach into private networks. Those all deliver secrets or connectivity to software you trust. The Agent Proxy does the opposite: it exists so that software you do not trust never receives a secret at all.

Next Steps

Quickstart

Broker your first credential to an agent in a few minutes.

Proxied Services

Host patterns, header rewriting, and credential substitution.

Security & Architecture

Agent authentication, isolation, certificates, and high availability.