docs/documentation/platform/agent-proxy/overview.mdx
You want an AI agent to do real work: push code, file tickets, call external APIs. That work needs credentials, and the Infisical Agent Proxy lets the agent do all of it without ever being handed one.
It works like this: the agent makes an API call with no real credential (or a dummy placeholder, where one is expected). On its way out, the request passes through the agent proxy. The proxy attaches the real credential and forwards the request to the API. The API sees a normal authenticated call. The agent never saw the key, so there is nothing to leak.
A credential that enters an untrusted code execution environment is exposed in more ways than one:
Brokered credentials sidestep all of it: they cannot be exfiltrated, logged, or memorized from inside the agent, they only work through the proxy for the services you configured, and an agent's access can be revoked centrally at any time.
<Note> The agent proxy is not limited to AI agents. Any untrusted code execution environment that respects an HTTP proxy can run behind it, with no code changes. </Note>flowchart LR
A[Agent] -->|request without real credentials| B[Agent Proxy]
B -->|real credentials applied on the wire| C[External Service]
B <-->|fetches configs + secrets| D[Infisical]
api.stripe.com get STRIPE_API_KEY as a Bearer token".infisical secrets agent-proxy start.infisical secrets agent-proxy connect -- claude. The wrapper points the agent's traffic at the proxy and starts it. The agent holds none of the brokered credentials, and has no idea any of this is happening.Now the agent calls api.stripe.com. The proxy adds the real STRIPE_API_KEY and forwards the request. Stripe sees a normal authenticated call.
Standalone credential proxies manage their own keys, users, and permissions in isolation, so you end up running a second secrets manager just for your agents. The agent proxy is different: brokered credentials are ordinary Infisical secrets, so everything the platform does applies to them with zero extra setup.
<CardGroup cols={2}> <Card title="Secret Rotation" icon="rotate" href="/documentation/platform/secret-rotation/overview"> Rotate brokered credentials on a schedule. The proxy applies the new value within a minute, with no agent restart and no agent awareness. </Card> <Card title="Dynamic Secrets" icon="bolt" href="/documentation/platform/dynamic-secrets/overview"> Generate short-lived, per-use credentials on demand for databases, clouds, Kubernetes, and more, so there is no long-lived key to steal in the first place. </Card> <Card title="Approval Workflows" icon="check-double" href="/documentation/platform/pr-workflows"> Require a review before a brokered credential changes, exactly like a code change. </Card> <Card title="Audit Logs" icon="scroll" href="/documentation/platform/audit-logs"> A complete trail of everything around your proxied services, from configuration changes to activity. </Card> <Card title="Access Controls" icon="user-lock" href="/documentation/platform/access-controls/role-based-access-controls"> Scope each agent identity to exactly the environments, paths, and services it should reach. </Card> <Card title="Versioning & Recovery" icon="clock-rotate-left" href="/documentation/platform/secret-versioning"> Every brokered credential keeps its full version history, with point-in-time recovery. </Card> </CardGroup>