# Why your AI agent shouldn't have your API keys

> Handing an AI agent a raw API key gives it permanent, unscoped, unauditable access to your accounts. Here's the risk — and what to do instead.

Published: 2026-06-14 · Edwin Sebastian
Tags: agent-security, governance, api-keys
Canonical: https://agentvalet.ai/blog/why-your-ai-agent-shouldnt-have-your-api-keys.html

---

You wired up an AI agent last week. To let it do real work — file a ticket, send an email, pull a report — you did the obvious thing: you pasted an API key into its config.

It worked. The agent got things done. But you just handed a non-deterministic program a credential that, in most systems, means *full access, forever, with no record of who did what.* That trade is worth a second look before you do it again.

## What an API key actually grants

An API key is a bearer token. Whoever holds it *is* you, as far as the platform is concerned. That has three properties that are fine for a backend service and dangerous for an autonomous agent:

- **It's unscoped.** Most keys carry the full permissions of the account that minted them. A key meant for "read my calendar" can usually also delete it. The agent doesn't need that power; the key grants it anyway.
- **It's permanent.** Keys don't expire on their own. If the agent is compromised — a prompt injection, a poisoned tool result, a leaked log — the attacker has the key until *you* notice and rotate it. Agents fail in novel ways, and they fail quietly.
- **It's unauditable.** When the platform logs the action, it sees the key, not the agent. You can't answer "which agent did this, on whose behalf, and was it allowed?" because the key erased that distinction the moment you handed it over.

You'd never accept this for a human user. People get scoped roles, SSO, approval steps for risky actions, and an audit trail. Agents have been getting raw keys because it was the fastest way to make them work — not because it was safe.

## Why agents make this worse than normal

A traditional integration does the same thing every time. An agent decides what to do at runtime, based on text it was given — some of which may come from the open internet or from another system you don't control. That means the *instructions* an agent follows are an attack surface, and the API key is the blast radius.

If a malicious document can talk your agent into calling a tool, then whatever that tool can reach, the attacker can reach. Scope the credential down and the worst case shrinks. Leave it as a full-access key and the worst case is your whole account.

## What to do instead

The fix isn't "don't use agents." It's "don't let the agent hold the secret." A few principles get you most of the way:

1. **Put a broker between the agent and the platform.** The agent asks the broker to perform an action; the broker holds the real credential and makes the call. The secret never lands in the agent's context, its config, or its logs.
2. **Scope every grant to the action.** Give the agent permission to *send a Slack message in #support*, not "Slack." Deny by default; allow specific actions explicitly.
3. **Require approval for the irreversible stuff.** Reading data can be automatic. Spending money, deleting records, emailing customers — route those through a human who clicks "approve," with the request shown in plain language.
4. **Give the agent its own identity.** When every call is attributed to a specific agent acting for a specific person, your audit log finally answers the question that matters: *who did this, and were they allowed to?*
5. **Make revocation instant.** If an agent misbehaves, you should be able to cut its access in one place — without rotating a key that ten other things depend on.
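The five principles above fit in a few dozen lines once you see them as one component. The following broker is an added illustration written for this post, not AgentValet's code or any real product's API: the vault contents, the `slack.post`/`crm.*` adapters, the agent and approver names, and the `Grant`/`Broker` classes are all constructed for the example. The agent only ever calls `request()` with an action and a target; the credential is read from the vault inside the broker, every call is logged against the agent and the person it acts for, irreversible actions wait in a queue until `approve()` is called, and `revoke()` cuts one agent off without touching the shared credential.

```python
"""Minimal credential broker for AI agents (illustrative, not AgentValet's code)."""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Callable
import uuid

# Constructed sample vault. A real deployment reads these from a secrets manager
# at call time; the point is that only the broker ever sees them.
VAULT = {"slack": "xoxb-EXAMPLE-NOT-A-REAL-TOKEN", "crm": "crm-EXAMPLE-NOT-A-REAL-TOKEN"}

# Simulated platform adapters (hypothetical). Each receives the credential from the
# broker, never from the agent; a real adapter would make the HTTP call here.
def _slack_post(cred: str, target: str, payload: dict) -> dict:
    return {"ok": True, "channel": target, "text": payload["text"]}

def _crm_read(cred: str, target: str, payload: dict) -> dict:
    return {"ok": True, "record": target, "fields": {"name": "Example Co"}}

def _crm_delete(cred: str, target: str, payload: dict) -> dict:
    return {"ok": True, "deleted": target}

ADAPTERS: dict[str, Callable[[str, str, dict], dict]] = {
    "slack.post": _slack_post, "crm.read": _crm_read, "crm.delete": _crm_delete,
}
IRREVERSIBLE = {"crm.delete"}  # parked until a human approves; reads run automatically


@dataclass
class Grant:
    agent_id: str
    principal: str            # the human this agent acts on behalf of
    allowed: frozenset        # explicit "action:target" pairs; everything else is denied
    revoked: bool = False


@dataclass
class Broker:
    grants: dict = field(default_factory=dict)
    pending: dict = field(default_factory=dict)   # approval queue, keyed by approval id
    audit: list = field(default_factory=list)

    def register(self, grant: Grant) -> None:
        self.grants[grant.agent_id] = grant

    def revoke(self, agent_id: str) -> None:
        # One switch cuts the agent off; the vault credential itself is untouched.
        self.grants[agent_id].revoked = True

    def _log(self, agent_id, principal, action, target, outcome, **extra) -> None:
        self.audit.append({"ts": datetime.now(timezone.utc).isoformat(), "agent": agent_id,
                           "principal": principal, "action": action, "target": target,
                           "outcome": outcome, **extra})

    def _execute(self, grant, action, target, payload, **extra) -> dict:
        service = action.split(".", 1)[0]
        result = ADAPTERS[action](VAULT[service], target, payload)  # secret stays here
        self._log(grant.agent_id, grant.principal, action, target, "done", **extra)
        return {"status": "done", "result": result}

    def request(self, agent_id: str, action: str, target: str, payload: dict) -> dict:
        grant = self.grants.get(agent_id)
        if grant is None or grant.revoked:
            self._log(agent_id, getattr(grant, "principal", None), action, target,
                      "denied", reason="no active grant")
            return {"status": "denied", "reason": "no active grant"}
        if action not in ADAPTERS or f"{action}:{target}" not in grant.allowed:
            self._log(grant.agent_id, grant.principal, action, target, "denied", reason="not in grant")
            return {"status": "denied", "reason": "not in grant"}
        if action in IRREVERSIBLE:
            approval_id = str(uuid.uuid4())
            self.pending[approval_id] = (grant, action, target, payload)
            self._log(grant.agent_id, grant.principal, action, target, "pending", approval_id=approval_id)
            summary = f"{grant.agent_id} (for {grant.principal}) wants to {action} {target}"
            return {"status": "pending", "approval_id": approval_id, "summary": summary}
        return self._execute(grant, action, target, payload)

    def approve(self, approval_id: str, approver: str) -> dict:
        grant, action, target, payload = self.pending.pop(approval_id)
        if grant.revoked:  # revocation wins even for a request already in the queue
            self._log(grant.agent_id, grant.principal, action, target, "denied", reason="revoked")
            return {"status": "denied", "reason": "revoked"}
        return self._execute(grant, action, target, payload, approver=approver)


def demo() -> dict:
    """Walk one agent through the five principles; returns the outcomes for inspection."""
    broker = Broker()
    broker.register(Grant("support-bot", "alice@example.com",
                          frozenset({"slack.post:#support", "crm.read:acct-42", "crm.delete:acct-42"})))
    out = {}
    out["post"] = broker.request("support-bot", "slack.post", "#support", {"text": "Ticket filed"})
    out["wrong_channel"] = broker.request("support-bot", "slack.post", "#general", {"text": "hi"})
    out["delete"] = broker.request("support-bot", "crm.delete", "acct-42", {})
    out["approved"] = broker.approve(out["delete"]["approval_id"], "bob@example.com")
    broker.revoke("support-bot")
    out["after_revoke"] = broker.request("support-bot", "crm.read", "acct-42", {})
    out["audit"] = broker.audit
    return out


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

Two design points worth noticing. The allowlist keys are `action:target` pairs, so the grant is "post in #support", not "Slack"; a request for `#general` is denied before any credential is touched. And nothing the agent receives back (the `request()` result, the approval summary, the audit entries) ever contains the vault value, which is the property that makes a leaked agent log or a prompt-injected tool call survivable.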

## The shift underneath all of this

Stop trying to make the agent trustworthy enough to hold a master key. Assume it can be fooled, and put the controls where you actually have leverage: between the agent and the world. Trust the broker, not the agent.

That's the model AgentValet is built on — scoped, identity-bound, human-gated, fully audited access for AI agents, with the real credentials kept in a vault the agent never sees. If you're handing agents API keys today, that's the habit worth replacing first.
