Keep API Keys Out of Chat: Secret-Safe Coding Agents

Safe Secret Handling for Coding Agents

This post explains the secure handling of secrets (API keys, credentials, tokens) when working with coding agents—tools like GitHub Copilot, Codex, or Cursor. I'll cover why traditional ways of managing secrets aren’t safe when working with these agents, the potential security risks involved, and how we’ve approached solving this using Model Context Protocol (MCP) integrated with Delinea Secret Server. This isn't a deep dive into security theory, but rather a practical guide to addressing a real-world problem that many developers face today. 

Table of Contents:

• The Problem: Why Secrets and Coding Agents Don’t Mix Well
• Existing Methods and Their Shortcomings
• Our Approach: MCP and Secret Server on the Delinea Platform
• Step-by-step: How Does It Work?
• Bonus Security Features
• Closing Thoughts

Recently, I’ve been using more coding assistants like Copilot and Codex to streamline my development workflows. These tools are great for automating repetitive tasks, debugging production code, or running integration tests. But here’s the issue—many of these tasks require access to sensitive information (API keys, database credentials, etc.). I quickly noticed that there isn’t a secure way for these coding agents to access secrets without risking leakage through chat logs, shell histories, or saved files.

I’m writing this post because I couldn’t find any public clear, practical advice on safely integrating secrets with coding agents, nor an easy-to-follow explanation on this topic. So here’s what I’ve come up with.

The problem: Why secrets and coding agents don’t mix well

The common scenarios where agents need secrets include:

• Integration tests: eg, accessing DB connection strings, testing API keys.
• Production (or Dev/Test) debugging: eg, Kubernetes credentials, JWT tokens.
• Deployments and hotfixes: eg, Docker registry credentials, NPM tokens.
• On-call troubleshooting: eg, Slack bot tokens, PagerDuty API keys, AWS keys.

Today, developers typically paste secrets directly into the chat interface or keep them in files that agents can read. However, this introduces multiple security issues:

1. Permanent exposure: Anything pasted into an agent’s interface might be stored indefinitely by the provider for training or auditing, risking eventual leakage.
2. Accidental leaks: Secrets stored on disk or in shell history can easily be committed or shared unintentionally.
3. Training set pollution: Past incidents (like Samsung’s leaked source code via ChatGPT) have demonstrated the real risk of sensitive information resurfacing unexpectedly.

Clearly, we need a better approach.

Existing methods and their shortcomings

Commonly used approaches include:

• .env files: Still stored on disk and easy to accidentally commit.
• Environment variables: Often set manually, leaving traces in shell history.
• Secure “paste-once” widgets: Only work within specific UIs, limiting CLI and CI/CD workflows.

These methods lack proper audit trails, automatic rotation, and the dynamic control needed in modern workflows involving coding agents.

Our approach: MCP and the Delinea Platform

We’ve built a bridge called MCP—Model Context Protocol—that allows coding agents to securely fetch secrets from Secret Server – the vaulting capability on the Delinea Platform – avoiding any persistent traces.

Here’s how it works at a high level:

1. The coding agent requests a secret.
2. MCP authenticates using your existing permissions and issues an ephemeral (short-lived) session key.
3. MCP generates a secure script snippet that uses this session key (no plaintext secret yet).
4. The coding agent runs the snippet, fetching the secret directly into memory without touching disk or logs.
5. After completing the task, the agent runs a cleanup command to remove the secret from memory.
   
   

Step-by-step: How does it work?

Here's a practical breakdown of the process:

Step 1: Agent requests secret

get_secret_environment_variable("db/prod", "bash")

Step 2: MCP authentication

MCP uses the developer’s existing SSO/MFA to authenticate the request and returns an ephemeral session key.

Step 3: Script generation

MCP generates a shell script containing the ephemeral key. Here’s an illustrative approximation of how the generated command looks:

# Approximation—not actual generated command
export DB_PASS=$(curl -s "https://mcp/api/secret/db/prod" \
     - - header "Authorization: Bearer <ephemeral-session-key>" | jq -r
'.password')

(Note: The actual command securely generated by MCP may differ in format, but this captures the essence.)

Step 4: Secret fetch at runtime

When the agent runs the command, the secret is fetched directly into an environment variable. The only temporary log entry is the short-lived session key, never the secret itself.

Step 5: Cleanup

Once done, the agent runs the provided command to clear the secret from memory immediately:

unset DB_PASS

Bonus security features

Using MCP + Secret Server offers:

• Full audit trails: Every secret fetch is logged and tracked centrally.
• Automatic secret rotation: Reduce manual overhead and enhance security.
• AI driven Just-in-Time (JIT) approvals: Integrate Delinea Authorization powered by Iris AI for automated, context-aware approval of secret requests. 

My closing thoughts

Integrating coding agents into our workflow is powerful, but handling sensitive credentials carelessly can expose us to significant risk. By using MCP and Secret Server on the Delinea Platform, we’ve created a practical solution that allows agents to safely fetch secrets without compromising security. This approach keeps auditors happy, ensures compliance, and significantly reduces the risk surface.

The complete implementation and more detailed documentation are available on GitHub. If you have suggestions, improvements, or questions, please feel free to open a pull request or reach out directly.

Let me know your thoughts or questions—you can find me @gal_diskin on Twitter or @D1skin (and also @Disk1n) on GitHub.