Secret Management: How agents get API keys without seeing them

You described a "Credential Broker" pattern — here are 3 ways to implement it

A. Outbound Auth Proxy (Recommended)

A lightweight HTTP proxy runs on the host (outside the sandbox). The sandbox's network namespace routes all outbound traffic through it. Because the proxy has to read and modify each request to add the header, it must either terminate TLS (the sandbox trusts the proxy's CA, which is what mitmproxy does) or the agent speaks plain HTTP to the proxy and the proxy makes the HTTPS call to the real API.

  • Proxy matches destination domain (e.g. api.nvidia.com) → looks up the stored key
  • Proxy injects the Authorization: Bearer xxx header automatically
  • Agent makes requests with no API key at all
  • Works with any agent — no code changes needed
  • Can also log, rate-limit, and revoke access per-provider
  • ~100 lines of Python using mitmproxy or httpx

B. Secret Socket (Unix Domain Socket)

Host bind-mounts a Unix socket into the sandbox. Agent sends "call NIM with this payload" to the socket. Host-side broker adds credentials and makes the real HTTP call.

  • Agent never sees the key — only sends payloads
  • Requires agents to know about the socket protocol
  • More custom code than the proxy approach

C. MCP Server

An MCP server on the host exposes tools like call_provider(provider, messages). Agent uses MCP tool calls instead of direct HTTP.

  • Clean separation via standard protocol
  • Requires agents to use MCP (not all do)
  • More overhead than a transparent proxy

How Option A Works (Recommended)

Architecture: Outbound Auth Proxy
SANDBOX (Citadel)
Agent → HTTP request (no auth header)
     → routed through network namespace
     → hits host proxy at 172.17.0.1:9090
HOST (outside sandbox)
Auth Proxy (:9090)
  ├─ matches domain → provider
  ├─ loads key from /etc/hermes/secrets/
  ├─ injects Authorization header
  └─ forwards request to real API
/etc/hermes/secrets/ (0600, root-owned)
  ├─ nim.key
  ├─ openrouter.key
  └─ anthropic.key
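A minimal working version of the proxy sketched above, added here as an example (it is not the project's own code). Assumptions: the domain-to-provider map, the 172.17.0.1:9090 listen address, and the convention that the agent targets http:// URLs via the proxy, which upgrades them to HTTPS on the way out.

```python
# Added example, not the project's code; domain map, key paths and address are assumed.
import os
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer
from urllib.error import HTTPError
from urllib.parse import urlsplit
from urllib.request import Request, urlopen

SECRETS_DIR = "/etc/hermes/secrets"  # 0600, root-owned, as in the design
DOMAIN_TO_PROVIDER = {"integrate.api.nvidia.com": "nim", "openrouter.ai": "openrouter",
                      "api.anthropic.com": "anthropic"}  # key file is <provider>.key
# Headers the proxy owns: hop-by-hop ones plus any auth the agent tried to supply.
STRIP = {"host", "connection", "proxy-connection", "content-length",
         "transfer-encoding", "authorization", "proxy-authorization"}

def load_key(provider, secrets_dir=SECRETS_DIR):  # refuses loosely-permissioned files
    path = os.path.join(secrets_dir, f"{provider}.key")
    if os.stat(path).st_mode & 0o077:
        raise PermissionError(f"{path} must be 0600")
    with open(path, encoding="utf-8") as fh:
        return fh.read().strip()

def build_upstream_headers(url, agent_headers, key_lookup=load_key):
    """Refuse unmapped hosts, drop agent-supplied auth, inject the real key."""
    provider = DOMAIN_TO_PROVIDER.get(urlsplit(url).hostname or "")
    if provider is None:
        raise LookupError(f"no provider mapped for {url}")
    out = {k: v for k, v in agent_headers.items() if k.lower() not in STRIP}
    out["Authorization"] = f"Bearer {key_lookup(provider)}"
    return out

class AuthProxy(BaseHTTPRequestHandler):
    def do_POST(self):  # no CONNECT: the agent targets http://, we go out over TLS
        body = self.rfile.read(int(self.headers.get("Content-Length", 0)))
        url = urlsplit(self.path)._replace(scheme="https").geturl()
        try:
            headers = build_upstream_headers(url, dict(self.headers))
        except (LookupError, OSError) as exc:
            return self.send_error(403, str(exc))  # host-side log entry; key never leaves
        try:
            resp = urlopen(Request(url, data=body, headers=headers, method="POST"), timeout=60)
        except HTTPError as err:  # upstream 4xx/5xx: relay status and body unchanged
            resp = err
        with resp:
            self.send_response(resp.code)
            self.send_header("Content-Type", resp.headers.get("Content-Type", "application/json"))
            self.end_headers()
            self.wfile.write(resp.read())

if __name__ == "__main__":
    ThreadingHTTPServer(("172.17.0.1", 9090), AuthProxy).serve_forever()
```

Point the agent at the proxy with HTTP_PROXY=http://172.17.0.1:9090 and have it call http://integrate.api.nvidia.com/... with no Authorization header; anything it does send in that header is discarded, and an unmapped host gets a 403 instead of being forwarded.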

What this means for the dashboard

The Settings page manages keys on the host side (writes to /etc/hermes/secrets/). The proxy config maps domains to keys. Agents and chat inside the sandbox just make normal HTTP requests; credentials get injected automatically. If an agent is compromised, it can still make API calls through the proxy (which is why the per-provider logging, rate limits and revocation matter), but it cannot read or extract the keys, because they never enter the sandbox.