Feature request: native secret injection in Managed Agents sessions (beyond MCP OAuth vault)
Problem
When using Managed Agents, the only way to pass credentials (API keys, bearer tokens) to an agent is by embedding them in the \user.message\ body of the session. The vault mechanism exists but only injects credentials into MCP server OAuth flows — it does not support arbitrary secrets for non-MCP integrations.
As a result, every token passed to the agent is visible in plain text via \sessions.threads.events.list()\ to anyone with the Anthropic API key. These values are stored in Anthropic's infrastructure for the duration of the session.
Confirmed exposure surface: \NR_API_KEY\, \SLACK_TOKEN\, \GITHUB_TOKEN\, and \ATLASSIAN_TOKEN\ all appear verbatim in \user.message\ and \agent.thinking\ session events. This blocks production use for integrations that are not MCP-based.
Expected behavior
\sessions.create()\ should support a \secrets\ parameter — similar to \vault_ids\ but for arbitrary key/value pairs — that injects values into the agent's runtime context without them ever appearing in the conversation history or event log:
\\\python\
session = client.beta.sessions.create(
agent=agent_id,
environment_id=env_id,
vault_ids=[...], # existing: MCP OAuth
secrets={ # new: arbitrary runtime secrets
"NR_API_KEY": "...",
"SLACK_TOKEN": "...",
"GITHUB_TOKEN": "...",
"ATLASSIAN_TOKEN": "...",
},
betas=["managed-agents-2026-04-01"],
)
\\
The agent would reference these values (e.g., \$NR_API_KEY\) without the literal values ever entering the message context or being retrievable via the events API.
Current workaround
Pass all tokens as plain text in the \user.message\ body:
\\\python\
client.beta.sessions.events.send(
session.id,
events=[{
"type": "user.message",
"content": [{"type": "text", "text": "NR_API_KEY: sk-...\nSLACK_TOKEN: xoxb-..."}]
}],
betas=["managed-agents-2026-04-01"],
)
\\
This works but:
- Tokens are stored unencrypted in session event history
- Retrievable by any caller with the Anthropic API key via \
sessions.threads.events.list()\ - Requires rotating all tokens if the Anthropic API key is compromised
- Forces teams to treat many unrelated credentials as equally sensitive as the API key itself
- Not viable for regulated environments or integrations with sensitive financial APIs
Context
We are running SRE automation at RecargaPay using Managed Agents to trigger incident analysis, create Jira issues, and open GitHub PRs. Our agent integrates with New Relic, Slack, GitHub, and Jira — none of which use MCP OAuth. The vault solves nothing for these integrations today.
Happy to test any beta implementation of secret injection.
This issue has 2 comments on GitHub. Read the full discussion on GitHub ↗