Most enterprise AI agents work perfectly and leak credentials constantly. The problem is not the LLM, the vector database, or the orchestration framework. The problem is the handoff: the moment an agent needs to call a third-party API on behalf of a user.
Traditional authentication patterns assume a human is in the loop. OAuth flows redirect to a browser. API keys live in environment variables. Tokens get refreshed by a user clicking “Allow.” Agents break all of these assumptions. An agent session might span hours, call dozens of APIs, and operate entirely without human intervention. The credential handoff boundary between orchestrator and tool is where things fall apart.
Why Standard OAuth Breaks for Agents
OAuth 2.0 was designed for web applications where a user grants permission once, the app stores a refresh token, and subsequent API calls happen in a predictable server context. Agents violate this model in three ways:
Session duration mismatch. An agent might need to query your CRM, wait for an LLM response, then update a Jira ticket 45 minutes later. Most OAuth access tokens expire in 60 minutes. Refresh tokens require a client secret, which you now need to hand to the agent runtime.
Context window leakage. If you pass an API key or OAuth token as a function parameter, it becomes part of the LLM’s context. Some frameworks log every tool call for debugging. Your credentials are now in plaintext in your observability stack.
Audit trail collapse. OAuth tokens are scoped to a user. When an agent calls an API, the audit log shows “Alice updated the record.” But Alice didn’t do it. The agent did. You lose the ability to trace which agent action caused which API mutation.
The Environment Variable Trap
The naive fix is to store API keys in environment variables and inject them at runtime. This is what most LangChain and LlamaIndex tutorials recommend. It solves the context window problem but creates three new ones:
- Blast radius. Every agent in the runtime has access to every credential. A compromised tool function can exfiltrate keys for unrelated services.
- Rotation hell. When you rotate a key, you need to restart the entire agent runtime. No graceful handoff.
- No per-agent scoping. You cannot give Agent A access to Salesforce but deny it to Agent B without running separate runtimes.
Here is what this looks like in a typical LangChain setup:
import os
from langchain.tools import Tool
def query_salesforce(query: str) -> str:
api_key = os.getenv("SALESFORCE_API_KEY") # Shared across all agents
# Every agent in this runtime can now call Salesforce
response = salesforce_client.query(query, api_key=api_key)
return response
salesforce_tool = Tool(
name="salesforce_query",
func=query_salesforce,
description="Query Salesforce CRM"
)The problem: SALESFORCE_API_KEY is global. If you have 10 agents running in this process, all 10 can call Salesforce, even if only 2 should have access.
What Actually Works: Capability-Based Credentials
The correct pattern is to issue ephemeral, scoped tokens per agent session. Each token is a capability: it grants access to a specific set of operations for a limited time. When the agent session ends, the token is revoked.
This requires three architectural changes:
1. Token Vending Machine
Your orchestrator should not store long-lived credentials. Instead, it should call a token vending service that issues short-lived tokens on demand. The vending service knows which agent is requesting access and what scope it needs.
class TokenVendor:
def issue_token(self, agent_id: str, resource: str, scope: list[str]) -> str:
# Check policy: does this agent have permission for this resource?
if not self.policy_engine.allows(agent_id, resource, scope):
raise PermissionDenied(f"Agent {agent_id} cannot access {resource}")
# Issue a short-lived token (5-15 minutes)
token = self.token_service.create(
subject=agent_id,
resource=resource,
scope=scope,
ttl=900 # 15 minutes
)
return token2. Agent-Scoped Identity
Each agent session gets a unique identity. This is not the user’s identity. It is a separate principal that appears in audit logs. When the agent calls Salesforce, the log shows “Agent session abc123 (acting for user Alice) updated the record.”
This requires your token vending service to mint tokens with dual identity: the agent ID and the user ID. The API provider sees both.
3. Credential Rotation Without Downtime
Because tokens are short-lived, you need a refresh strategy that does not block the agent. The pattern: request a new token 2 minutes before the current one expires. If the refresh fails, the agent can still complete its current operation.
class CredentialManager:
def __init__(self, vendor: TokenVendor, agent_id: str):
self.vendor = vendor
self.agent_id = agent_id
self.tokens = {}
self.refresh_threshold = 120 # 2 minutes
def get_token(self, resource: str, scope: list[str]) -> str:
cache_key = (resource, tuple(scope))
if cache_key in self.tokens:
token, expires_at = self.tokens[cache_key]
if time.time() < expires_at - self.refresh_threshold:
return token
# Token is about to expire, refresh in background
self._refresh_token(resource, scope)
# No valid token, issue a new one
token = self.vendor.issue_token(self.agent_id, resource, scope)
self.tokens[cache_key] = (token, time.time() + 900)
return tokenComparison: Authentication Patterns for Agents
| Pattern | Blast Radius | Audit Trail | Rotation | Context Leakage |
|---|---|---|---|---|
| Env vars | Entire runtime | User only | Requires restart | Low (if not logged) |
| OAuth user tokens | Per user | User only | Automatic | High (token in context) |
| Shared API keys | Entire runtime | Service account | Manual | High (key in context) |
| Capability tokens | Per agent session | Agent + user | Automatic | Low (token never in LLM context) |
Observability and Failure Modes
When you move to capability-based credentials, your observability stack needs to change. You are no longer tracking “API calls per user.” You are tracking “API calls per agent session, attributed to a user.”
Your traces should include:
- Agent session ID
- User ID (if acting on behalf of a user)
- Token scope
- Token expiration time
- Refresh events
Common failure modes:
Token expiration during long operations. If an agent starts a multi-step workflow and a token expires mid-flight, the operation fails. Solution: request tokens with TTL equal to your maximum expected workflow duration, or implement checkpointing so the agent can resume with a fresh token.
Policy drift. Your token vending service enforces policy at token issuance time. If you revoke an agent’s access to a resource, existing tokens remain valid until they expire. Solution: implement token revocation lists or use very short TTLs (5 minutes).
Vending service downtime. If your token vendor is unavailable, agents cannot get credentials. Solution: run the vendor as a sidecar in the same availability zone as your orchestrator, or cache tokens aggressively.
Deployment Shape
A production-grade agent credential system has four components:
- Policy engine. Stores rules about which agents can access which resources. Typically backed by OPA, Cedar, or a custom RBAC system.
- Token vending service. Issues ephemeral tokens. Runs as a separate service, not embedded in the orchestrator.
- Credential manager. Lives in the agent runtime. Requests tokens on demand and handles refresh.
- Audit sink. Collects all token issuance and API call events. Separate from application logs.
The orchestrator never sees long-lived credentials. It only sees ephemeral tokens that expire in minutes.
Technical Verdict
Use capability-based credentials if:
- Your agents call third-party APIs on behalf of users
- You need per-agent access control
- You need audit trails that distinguish agent actions from user actions
- Your agent sessions last longer than typical OAuth token lifetimes
Stick with environment variables if:
- You have a single agent with a fixed set of permissions
- You are prototyping and do not care about audit trails
- Your agent only calls internal services that do not require user-scoped access
The handoff problem is not theoretical. Every enterprise agent that calls Salesforce, Jira, or Slack on behalf of users is either leaking credentials into logs, granting excessive permissions, or losing audit trail fidelity. Capability tokens fix all three.