Feature request: native secret injection in Managed Agents sessions (beyond MCP OAuth vault)

Resolved 💬 2 comments Opened May 14, 2026 by RP-reinaldocunha Closed May 17, 2026

Problem

When using Managed Agents, the only way to pass credentials (API keys, bearer tokens) to an agent is by embedding them in the \user.message\ body of the session. The vault mechanism exists but only injects credentials into MCP server OAuth flows — it does not support arbitrary secrets for non-MCP integrations.

As a result, every token passed to the agent is visible in plain text via \sessions.threads.events.list()\ to anyone with the Anthropic API key. These values are stored in Anthropic's infrastructure for the duration of the session.

Confirmed exposure surface: \NR_API_KEY\, \SLACK_TOKEN\, \GITHUB_TOKEN\, and \ATLASSIAN_TOKEN\ all appear verbatim in \user.message\ and \agent.thinking\ session events. This blocks production use for integrations that are not MCP-based.

Expected behavior

\sessions.create()\ should support a \secrets\ parameter — similar to \vault_ids\ but for arbitrary key/value pairs — that injects values into the agent's runtime context without them ever appearing in the conversation history or event log:

\\\python
session = client.beta.sessions.create(
agent=agent_id,
environment_id=env_id,
vault_ids=[...], # existing: MCP OAuth
secrets={ # new: arbitrary runtime secrets
"NR_API_KEY": "...",
"SLACK_TOKEN": "...",
"GITHUB_TOKEN": "...",
"ATLASSIAN_TOKEN": "...",
},
betas=["managed-agents-2026-04-01"],
)
\
\\

The agent would reference these values (e.g., \$NR_API_KEY\) without the literal values ever entering the message context or being retrievable via the events API.

Current workaround

Pass all tokens as plain text in the \user.message\ body:

\\\python
client.beta.sessions.events.send(
session.id,
events=[{
"type": "user.message",
"content": [{"type": "text", "text": "NR_API_KEY: sk-...\nSLACK_TOKEN: xoxb-..."}]
}],
betas=["managed-agents-2026-04-01"],
)
\
\\

This works but:

  • Tokens are stored unencrypted in session event history
  • Retrievable by any caller with the Anthropic API key via \sessions.threads.events.list()\
  • Requires rotating all tokens if the Anthropic API key is compromised
  • Forces teams to treat many unrelated credentials as equally sensitive as the API key itself
  • Not viable for regulated environments or integrations with sensitive financial APIs

Context

We are running SRE automation at RecargaPay using Managed Agents to trigger incident analysis, create Jira issues, and open GitHub PRs. Our agent integrates with New Relic, Slack, GitHub, and Jira — none of which use MCP OAuth. The vault solves nothing for these integrations today.

Happy to test any beta implementation of secret injection.

View original on GitHub ↗

This issue has 2 comments on GitHub. Read the full discussion on GitHub ↗