Ask HN: Do you trust AI agents with API keys / private keys?

17 points by devendra116 ↗ HN
are you ok sharing secrets or api keys to you ai agent via .env?

or is there any other tool or mechanism that one use to safegaurd from potential exploit or leaks

21 comments

[ 1.9 ms ] story [ 50.4 ms ] thread
nope. too dangerous - i'm personally working for an agent project and i know from personal experience they do collect your session log - especially in china lol. one approach i use for my own agent is that to use keyring to store all secrets. agent will call a tool to request for it, and it will be something like <secret:gmail.password>. the substitution happens at tool execution time so the llm never sees or logs the actual value.
As a precaution I would probably never pass secrets directly to the agent at all. Something like a placeholder format where the actual substitution happens at execution time so the LLM never sees the real value. Keeps things cleaner if something ever goes wrong.
Like everything else. You don't share you private, personal data, credit card numbers with the rest of the world, just like that. ;)
I wanted to ask almost this question, then saw that it is on #1 right now.

My use case is ssh. I would like to stick my private key into a local Docker container, have a ssh-identical cli that reverse proxies into the container, and have some rules about what ssh commands the container may proxy or not.

Does anyone know of something like this?

i am okay, i trust that they have great guards to prevent leak any api
I share with gemini, claude and openai.

If I get my stuff hacked (because I use a machine with nothing else on it other than coding agents) I'll know these services are not removing my personal info from their logs.

I don't operate chinese models where my high value api keys are.

It's pretty hard to debug stuff without using real api keys, service accounts etc...otjerwise

The only private key that my agents have access to are temporary AWS access keys to a dev environment with decently locked down permissions.

I let it troubleshoot my web code using a temporary JWT in a dev environment using headless chrome and Puppeteer in a Docker container.

Everything else is in AWS Secrets Manager inaccessible by the IAM role the agent has access to.

I don’t store the temporary AWS keys in a file anywhere. They are in environment variables. All AWS SDKs and the CLI look in the environment variables by default.

I sure as hell don’t store API keys anywhere on my local computer.

Why not treat them like other users? Give them some sort of indirect access like Antiphony. Give them their own keys that you can rotate and revoke. If you're worried about leaks, you might as well run it "self-hosted" like on Bedrock.
Absolutely not, and if you do this then please please rotate keys every day or two.
Instead of sharing it directly I like to put in in a .env file.

Then simply I tell to the AI to just import from the .env file and do not read from the file.

Honestly, best solution is to use native CSP solutions like AWS Secrets Manager, AWS SSM Parameter Store, GCP Secret Manager, Terraform Vault.

All these have native audit logs and access logs, which can help you pin point exactly when did your AI Agent requested and accessed your secrets at Runtime.

Most of this thread is about protecting keys on a single developer's machine, but the problem gets way harder when you're managing credentials across customer tenants... env vars and secrets managers don't solve the orchestration problem as much the storage problem. The hard part is making sure the right token gets used for the right customer's API call at the right time without any cross-tenant leakage.
As others already pointed out, there are alternatives of .env files. Although, I'm not very concerned about having temporary access keys to development environments stored in .env files. The agents should not be dealing with secrets directly though.
You will probably like varlock - it helps get your keys out of plaintext, while giving your agents a schema and additional tools so it can interact with env vars safely. The next step is injecting your keys via proxy, but just varlock is a huge improvement as a first step. Generally provides a ton of quality of live improvements as well, whether working solo or on a team.
if a agent has the keys in the same process, it can easily extract them
Totally - the only completely safe way is to inject keys in a proxy and keep them out of the process. But getting them totally out of plaintext is a great first step, both to keep it from AI and malicious scripts that are looking for keys.
No, never! Add a proper gitignore, put instructions in CLAUDE.md, AGENTS.md to NEVER read env files. Add pre- and post-hooks in Claude Code to prevent it from reading env files.

Best yet - never keep sensitive data locally on your machine in plaintext