The credential problem with AI agents
When a developer calls an API, the credential stays where it was put: in config, in a secret manager, on a developer machine. When an AI agent calls an API, the credential travels with it into context windows, memory layers, tool configurations, and session logs. It gets serialised by the model, repeated in outputs, and becomes reachable by prompt injection. The attack surface is not a server; it is every session the agent touches.
The fix is not better secret hygiene. It is a different architecture.
KeyRunner is the agent tool server that converts enterprise APIs into credential-safe, MCP-compatible agent tools. Agents discover and call governed actions via a standard MCP-compatible client. They never see the underlying endpoint, the auth scheme, or the secret. KeyRunner resolves the credential at runtime, executes the request, strips sensitive data from the response, and logs every execution.
Agents should get actions, not credentials.
Why raw API keys fail for agentic workloads
The default approach: give the agent a key, wire it into a tool, let the agent call the API directly. It fails in production for five reasons:
- Credentials travel with context. API keys in system prompts, tool configs, or environment variables get logged, versioned, and serialised into agent memory in ways that are difficult to control or audit.
- There is no per-action policy. A key grants whatever the API allows. One misconfigured tool can give an agent far broader access than intended.
- Response data reaches the model unfiltered. Whatever the API returns (SSNs, health records, card numbers, internal tokens) the model processes it. There is no layer to strip sensitive data before it enters the agent context.
- Audit trails are incomplete. API logs tell you a call happened. They do not tell you which agent made it, from which session, with which parameters, or what the policy decision was.
- Rotation is a manual crisis. Change a credential and you have to find and update every agent configuration that references it.
The right architecture: convert APIs into governed agent tools
The Model Context Protocol (MCP) gives agents a standard interface for tool invocation. But MCP alone does not solve the credential problem. A basic MCP proxy that wraps API calls still needs credentials, and someone still has to put them somewhere the server can reach. It is better than raw keys in agent context, but it still does not provide secret isolation for AI agents, response redaction, or per-agent access policy.
The architecture that works is converting enterprise APIs into governed, credential-safe MCP-compatible agent tools, backed by a runtime that handles credential resolution, policy enforcement, response redaction, and audit logging. That is the gap between a basic MCP proxy and an agent tool server built for enterprise use.
KeyRunner is that layer. It sits between your agents and your enterprise APIs, converting OpenAPI specs into governed, auditable tools that agents can call without ever touching a secret.
How KeyRunner converts enterprise APIs into agent tools
Converting enterprise APIs into MCP tools with KeyRunner is a four-step process:
- Import your OpenAPI spec. KeyRunner reads your API definition and converts each endpoint into a named, governed tool. OpenAPI to MCP conversion is automatic. No changes to the downstream service are required.
- Set policy and credential bindings. Define which agent roles may call which tools and under what conditions. Bind each tool to a credential in your existing secret store (HashiCorp Vault, 1Password, AWS Secrets Manager, Azure Key Vault, GCP Secret Manager).
- Define response redaction rules. Specify which fields to strip from API responses before the agent receives them: PII, PHI, PCI data, internal tokens, any sensitive field pattern your compliance team identifies.
- Agents connect and call tools. Using an MCP-compatible client and the KeyRunner SDK, agents discover available tools, call them by name, and receive governed responses. They never see the credential or the raw API response.
At runtime, when an agent calls a tool: KeyRunner validates the call against policy, fetches the credential from your secret store, executes the API request, redacts sensitive fields from the response, returns clean output to the agent, and writes an audit log entry. The credential is resolved within the runtime boundary and never passed to the agent.