docs/documentation/platform/agent-proxy/quickstart.mdx
This guide walks through brokering a credential end to end: you will create a proxied service, start an agent proxy, and launch an agent whose API calls get real credentials applied on the wire, without the agent ever holding them.
<ParamField path="Service Name" type="string" required>
A slug that identifies the service, such as `stripe-api`.
</ParamField>
<ParamField path="Host Pattern" type="string" required>
The host(s) this service applies to, such as `api.stripe.com`. See [host patterns](/documentation/platform/agent-proxy/proxied-services#host-patterns) for wildcards, ports, and paths.
</ParamField>
Under **Header Rewriting**, keep the pre-filled `Authorization` header with the `Bearer` prefix and select `STRIPE_API_KEY` as the value. This tells the agent proxy to set `Authorization: Bearer <real-stripe-key>` on every request to `api.stripe.com`.
See [Proxied Services](/documentation/platform/agent-proxy/proxied-services) for basic auth, custom headers, and credential substitution.
1. **Agent proxy identity**: it fetches the real credential values, so grant it `Read Value` and `Describe Secret` on the **Secrets** its services reference.
2. **Agent identity**: it routes traffic through proxied services but should not read any secret values, so grant it only `Proxy` on **Proxied Services**.
<Note>
Grant these permissions with a [custom role](/documentation/platform/access-controls/role-based-access-controls) or an [additional privilege](/documentation/platform/access-controls/additional-privileges) on each identity, scoped to the specific environments and paths you need. Running more than one agent? See [how many machine identities you need](/documentation/platform/agent-proxy/security#how-many-machine-identities-do-you-need).
</Note>
```bash
export INFISICAL_UNIVERSAL_AUTH_CLIENT_ID=<agent-proxy-client-id>
export INFISICAL_UNIVERSAL_AUTH_CLIENT_SECRET=<agent-proxy-client-secret>
infisical secrets agent-proxy start
```
The proxy authenticates to Infisical, sets up its certificate chain, and listens on port `17322` by default. See the [CLI reference](/cli/commands/agent-proxy) for flags such as `--port` and `--unmatched-host`.
<Note>
If you are self-hosting Infisical or using EU Cloud, point the CLI at your instance with `--domain` or the `INFISICAL_DOMAIN` environment variable (for example `https://eu.infisical.com`).
</Note>
```bash
export INFISICAL_UNIVERSAL_AUTH_CLIENT_ID=<agent-client-id>
export INFISICAL_UNIVERSAL_AUTH_CLIENT_SECRET=<agent-client-secret>
```
<Tabs>
<Tab title="Claude Code">
```bash
infisical secrets agent-proxy connect --proxy=<proxy-host>:17322 \
--projectId=<project-id> --env=prod --path=/ai-agents -- claude
```
</Tab>
<Tab title="Codex">
```bash
infisical secrets agent-proxy connect --proxy=<proxy-host>:17322 \
--projectId=<project-id> --env=prod --path=/ai-agents -- codex
```
</Tab>
<Tab title="Any command">
```bash
infisical secrets agent-proxy connect --proxy=<proxy-host>:17322 \
--projectId=<project-id> --env=prod --path=/ai-agents -- <your-agent-command>
```
</Tab>
</Tabs>
Before starting the agent, the wrapper:
- Routes the agent's traffic through the agent proxy (`HTTPS_PROXY`, `HTTP_PROXY`).
- Downloads your organization's root CA certificate and points the common trust variables (`SSL_CERT_FILE`, `NODE_EXTRA_CA_CERTS`, `REQUESTS_CA_BUNDLE`, `CURL_CA_BUNDLE`, and others) at it, so the agent's HTTP clients accept the proxy's certificates.
- Sets dummy placeholder environment variables for any credential-substitution services.
- Sets environment variables with real values for regular secrets the agent identity has **Read Value** on in the folder (including secrets imported into it), similar to `infisical run`.
<Note>
Real values in the agent's environment are deliberate and opt-in. When the agent identity has only the proxy permission and no secret read access, nothing real lands in the environment unless an admin explicitly grants **Read Value** on specific secrets. Brokered credentials never appear in the agent's environment; the proxy only attaches them on the wire.
</Note>
The project can also be set via `INFISICAL_PROJECT_ID` or an `.infisical.json` file (created by `infisical init`) instead of `--projectId`.
```bash
infisical secrets agent-proxy connect --proxy=<proxy-host>:17322 \
--projectId=<project-id> --env=prod --path=/ai-agents -- \
curl https://postman-echo.com/headers
```
The echoed headers include `"authorization": "Bearer <your TEST_API_KEY value>"`. `curl` sent no credential; the proxy attached it on the way out. The same happens to `api.stripe.com` with the service from step 2. Requests to hosts with no proxied service are forwarded untouched by default (see [unmatched hosts](/documentation/platform/agent-proxy/security#unmatched-hosts)).