How Anthropic Secures Agent Credentials with Proxy Isolation

TRIGGER

Cloud-hosted AI agents need to interact with external services like GitHub on behalf of users, but placing authentication tokens inside the agent's execution environment means a compromised agent can exfiltrate or misuse those credentials—the attack surface includes the credential itself, not just what the agent does with it.

APPROACH

Anthropic's Claude Code on the web runs each session in an isolated cloud sandbox where sensitive credentials (git tokens, signing keys) are never present inside the sandbox. A custom proxy service outside the sandbox handles all git interactions. Inside the sandbox, git authenticates to the proxy with a scoped credential. The proxy verifies this credential AND validates the git operation semantics (e.g., ensuring pushes only go to the configured branch), then attaches the real authentication token before forwarding to GitHub.
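A minimal sketch of the proxy's decision step, added here as an illustration and not Anthropic's code: it checks the sandbox's scoped session credential, decodes the ref-update commands at the start of a git-receive-pack (push) request body, rejects any update outside the configured branch, and only then builds the real GitHub authorization header for the forwarded request. The `SessionPolicy` record, the token values, and the `x-access-token` basic-auth form are assumptions; fetch and clone (`git-upload-pack`) are treated as read-only and passed through.

```python
import base64
import hmac
from dataclasses import dataclass

ZERO_OID = "0" * 40  # a new_oid of all zeros in a push command means "delete this ref"

@dataclass(frozen=True)
class SessionPolicy:  # hypothetical policy record; it lives in the proxy, not the sandbox
    session_token: str   # scoped credential the sandbox's git client presents
    repo: str            # the only "org/repo" this session may touch
    push_branch: str     # the only branch this session may update
    github_token: str    # the real token; it never enters the sandbox

def pkt_line(text: str) -> bytes:
    """Encode one git pkt-line: 4 hex length digits (counting themselves) + payload."""
    data = text.encode()
    return f"{len(data) + 4:04x}".encode() + data

def parse_ref_updates(body: bytes) -> list[tuple[str, str, str]]:
    """Decode the (old_oid, new_oid, refname) commands that open a
    git-receive-pack request; the flush-pkt "0000" ends them (packfile follows)."""
    updates, pos = [], 0
    while pos + 4 <= len(body):
        length = int(body[pos:pos + 4], 16)
        if length == 0:
            return updates
        if length < 4 or pos + length > len(body):
            raise ValueError("malformed pkt-line")
        cmd = body[pos + 4:pos + length].split(b"\0", 1)[0]  # drop the capability list
        old, new, ref = cmd.rstrip(b"\n").decode().split(" ", 2)
        updates.append((old, new, ref))
        pos += length
    raise ValueError("missing flush-pkt")

def authorize(policy: SessionPolicy, presented_token: str, repo: str,
              service: str, body: bytes) -> tuple[bool, str, dict[str, str]]:  # (allowed, reason, headers)
    if not hmac.compare_digest(presented_token, policy.session_token):
        return False, "bad session credential", {}
    if repo != policy.repo:
        return False, "repository out of scope", {}
    if service == "git-receive-pack":  # a push: every ref update it carries is checked
        for _old, new, ref in parse_ref_updates(body):
            if ref != f"refs/heads/{policy.push_branch}":
                return False, f"push to {ref} not allowed", {}
            if new == ZERO_OID:
                return False, "branch deletion not allowed", {}
    elif service != "git-upload-pack":  # fetch/clone is read-only, so it passes
        return False, f"unknown service {service}", {}
    creds = base64.b64encode(f"x-access-token:{policy.github_token}".encode()).decode()
    return True, "ok", {"Authorization": f"Basic {creds}"}
```

A force-push is not visible on the wire (the old_oid is only the client's claim), so non-fast-forward protection belongs in the repository's branch rules rather than in the proxy.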

PATTERN

A scoped token inside the agent sandbox is still a stealable token. Keep real credentials in a proxy outside the trust boundary; the agent authenticates to the proxy, the proxy authenticates to GitHub. Blast radius shrinks from credential exfiltration to unauthorized operations within proxy rules.

WORKS WHEN

  • Agent interacts with external services through well-defined protocols (git, HTTP APIs)
  • Operations can be semantically validated (branch restrictions, read-only scopes, rate limits)
  • Proxy can be deployed outside the agent's trust boundary (separate process, separate host)
  • Credential scope is narrower than full service access (per-repo vs org-wide, specific branches)
  • Service interactions are request-response, not long-lived connections requiring persistent auth

FAILS WHEN

  • Agent needs credentials for services without proxy-able protocols (binary protocols, proprietary SDKs)
  • Semantic validation of operations is impossible or too complex (free-form API calls)
  • Latency overhead of proxy hop is unacceptable for high-frequency operations
  • Agent legitimately needs full credential scope with no meaningful restrictions possible
  • Running a separate proxy service adds unacceptable operational complexity for the deployment model

Stage

build

From

October 2025
