Skip to content

Stop AI Agents From Sharing Credentials
Like Humans Share Passwords

Enterprises deploying multi-agent systems face a critical gap: how to let Agent A safely delegate credentials to Agent B without granting permanent access.

Palo Alto Networks Unit 42 (2025) just identified "Agent Session Smuggling" as a critical vulnerability. Their recommended defense—cryptographically signed agent credentials—is exactly what we provide.

Read the Technical Deep Dive Star on GitHub

Our Approach

Capability-based security from operating systems, applied to AI agent orchestration

Phase 1 • MVP

Secure Credential Storage

Where do enterprises securely store API keys, OAuth tokens, and database credentials that AI agents need?

  • Encrypted secret storage
  • Basic audit logging
  • MCP integration
KEY DIFFERENTIATOR
Phase 2 • Q2 2026

Agent Delegation

How to let Agent A safely share credentials with Agent B without granting permanent access?

  • Cryptographic capability derivation
  • Send-once nonce enforcement
  • Progressive privilege attenuation
Phase 3 • Q4 2026

Auto-Attenuation

Automatically compute minimal permissions from agent task descriptions using LLM-powered reasoning.

  • Agent Card auto-parsing
  • Context-aware constraints
  • Reasoning audit trail

Here's How It Actually Works

Instead of sharing passwords that can be copied infinitely, capabilities work like cryptographically signed tickets that expire and progressively lose power as they're delegated.

How Agents Delegate Capabilities

🏢
Root Orchestrator
Full Access
interfaces: ["database:*", "api:*"]
max_uses: unlimited
attenuate()
🔬
Research Agent
Read Only
interfaces: ["database:read"]
resources: ["customers", "transactions"]
max_uses: 100
attenuate()
📊
Analysis Agent
Minimal Access
interfaces: ["database:read"]
resources: ["transactions"] ← subset only
max_uses: 10 ← fewer uses
expires_in: 30m ← shorter expiry

🛡️ Security Guarantees

  • Progressive Attenuation: Child capabilities always have fewer permissions
  • Cryptographically Unforgeable: Ed25519 signatures prevent tampering
  • Limited Use: Tokens expire after N uses, preventing replay attacks
  • Audit Trail: Complete delegation chain cryptographically provable

Why This Beats OAuth & Bearer Tokens

Bearer tokens are like photocopies — anyone with a copy has full access. Capabilities are like cryptographically signed tickets that can't be forged. Let's compare how they handle agent delegation.

Traditional Auth vs. Capability-Based Security

See how capability-based security prevents the vulnerabilities inherent in bearer token systems

❌ OAuth / Bearer Tokens

Vulnerable to Session Smuggling
🔑
Auth Server Issues Token
Bearer eyJhbGci...
🤖
Agent A (Full Access)
Uses token: unlimited reuse
Shares same token
🤖
Agent B (Full Access)
Same token = same power!
🚨 Critical Vulnerabilities
  • Token can be replayed 1000s of times
  • Stolen credentials = full access
  • No way to limit uses
  • Can't prove delegation chain
  • Requires online auth server

✅ Capability-Based Security

Session Smuggling Prevented
🏢
Root Capability
database:*, api:*, unlimited
🔬
Agent A (Read Only)
database:read, max_uses: 100
Creates restricted child
📊
Agent B (Minimal)
1 table, max_uses: 10, 30m
🛡️ Security Guarantees
  • Limited use enforcement (10 uses → dead)
  • Stolen token = minimal blast radius
  • Ed25519 signatures prevent forgery
  • Provable delegation chain
  • Offline cryptographic verification
💡

The Key Difference

Bearer tokens are like photocopies — anyone with a copy has full access. Capabilities are like cryptographically signed tickets — they expire, can't be forged, and progressively lose power as they're delegated.

The Magic: Progressive Privilege Reduction

Each time a capability is delegated, permissions automatically reduce. Watch how a root capability becomes progressively weaker—and why attackers can't reverse this process.

Progressive Privilege Attenuation

Watch how permissions automatically reduce as capabilities are delegated down the chain

Level 0: Root 🔥 100% Power
👑 Root Capability
Interfaces:
database:read database:write database:delete api:execute
Resources:
* (all)
Max Uses: ∞ Unlimited
Expires: Never
capability.attenuate(...)
Level 1: Agent A ⚡ 50% Power
🔬 Research Agent Capability
Interfaces:
database:read database:write database:delete api:execute
Resources:
customers transactions
Max Uses: 100
Expires: 1 hour
⬇️ Reduced: Removed write/delete, limited resources, capped uses
capability.attenuate(...)
Level 2: Agent B 💨 25% Power
📊 Analysis Agent Capability
Interfaces:
database:read database:write database:delete api:execute
Resources:
customers transactions
Max Uses: 10
Expires: 30 minutes
⬇️ Further Reduced: Single table, 90% fewer uses, shorter expiry
🚫

Cannot Escalate Privileges

If Agent B tries to create a capability with MORE permissions:

child.attenuate({
  interfaces: ["database:write"], // ❌ Not in parent!
  max_uses: 1000 // ❌ More than parent!
})
→ Error: AttenuationViolationError
🛡️ Mathematical Guarantee: Child permissions ⊆ Parent permissions (set theory)

⚖️ The Principle of Least Privilege

Each agent receives only the minimum permissions needed for its specific task. As capabilities flow down the delegation chain, they can only become more restrictive, never more permissive. This prevents privilege escalation attacks at the cryptographic level.

Why Existing Solutions Fail

❌ OAuth / Keycard

Bearer tokens can be replayed if exfiltrated. No cryptographic send-once guarantees.

❌ Secret Managers (Vault, AWS)

Not agent-aware. Can't track per-agent access. No support for delegation between agents.

❌ Proxy Services (Multifactor, Aembit)

Centralized bottleneck. Bearer tokens still vulnerable to session smuggling attacks.

❌ Environment Variables

Insecure plaintext storage. No audit trail. All agents get same access level.

Learn how Amla prevents session smuggling attacks →

Even If Stolen, Capabilities Can't Be Exploited

Let's replay the Palo Alto attack scenario with capabilities and watch it fail at multiple independent security layers.

Scroll through each defense layer to see how the attack is neutralized at every step.

Defense in Depth: How Attacks Are Stopped

Even if an attacker steals a capability, multiple independent security layers prevent exploitation

🦹
Attack Scenario
Malicious agent steals capability token
💰 Attacker Exfiltrates Capability
capability_token = "Ey6hYWxnI..."
// max_uses: 10, interfaces: ["database:read"]
1
🔢

Limited-Use Enforcement

Attack Blocked
// Attacker tries to use stolen token repeatedly
for (let i = 0; i < 1000; i++) {
  gateway.execute(stolen_token, "query");
}
Uses 1-10: Succeed (token valid)
Use 11+:UsageLimitExceeded - Token exhausted
2
🔐

Cryptographic Signature Verification

Attack Blocked
// Attacker tries to modify max_uses
stolen_token.max_uses = 99999;
gateway.execute(stolen_token, "query");
InvalidSignature
Ed25519 signature doesn't match modified payload. Tampering detected instantly.
3
⬇️

No Privilege Escalation

Attack Blocked
// Attacker tries to add write permissions
malicious_cap = stolen_token.derive({
  interfaces: ["database:write"] // escalate!
});
AttenuationViolationError
Parent only has "database:read". Cannot derive "write" permission without private key.
4
📋

Comprehensive Audit Trail

Attack Detected
🔍
All usage logged with full context:
[10:00:01] ✓ capability_id=cap-123, agent=analysis_001, action=query, uses=1/10
...
[10:00:10] ✓ capability_id=cap-123, agent=analysis_001, action=query, uses=10/10
[10:00:11] ❌ capability_id=cap-123, agent=UNKNOWN, action=query, error=UsageLimitExceeded
Security team alerted: Anomalous usage pattern detected after exhaustion.
🛡️

Result: Attack Neutralized

Even with a stolen capability, the attacker achieved minimal damage:

Limited Impact
  • Maximum 10 read operations
  • Only "transactions" table accessible
  • No write/delete permissions
  • 30-minute expiration enforced
Attacks Prevented
  • ❌ Unlimited replay attacks
  • ❌ Token tampering/forgery
  • ❌ Privilege escalation
  • ❌ Silent exfiltration
⚠️

With OAuth Bearer Tokens (No Defense)

The same attack with a stolen OAuth token would result in:

  • Unlimited reuse until token expires (hours/days)
  • Full access to all resources the token permits
  • No usage limits - attacker can make 10,000+ requests
  • Indistinguishable from legitimate use in logs

Protect Your Multi-Agent System

If your agents share credentials using any of these approaches, you're exposed to session smuggling attacks:

OAuth bearer tokens between agents
Shared secrets from Vault/AWS Secrets Manager
Proxy services returning bearer tokens
Environment variables for credentials

We're working with design partners to deploy capability-based credentials for multi-agent systems.

View Implementation Guide Become a Design Partner