SUDP: A Protocol to Keep Agent Secrets Secret
Researchers propose SUDP, a three-role protocol that lets AI agents perform secret-backed operations (API calls, cloud actions) without ever exposing reusable credentials to the agent itself. The protocol separates the requester (agent), authorizer (user), and custodian (secret holder) into distinct roles, ensuring that even if an agent is compromised via prompt injection or tool-side attack, the underlying secret remains protected. The work formalizes the Agent Secret Use problem and provides a security taxonomy for evaluating existing agentic-secret defenses.
TL;DR
- SUDP introduces a three-role delegation model: agents propose operations, users authorize with fresh grants, custodians redeem grants once without exposing reusable secrets to agents
- Addresses a critical gap in agentic security where bearer tokens and API keys are typically placed within model-steerable boundaries, making transient compromises durable account breaches
- Formalizes the Agent Secret Use (ASU) problem and derives a security-property taxonomy to enable principled comparison of existing agentic-secret defenses
- Provides operation-bound, single-use authorization with storage confidentiality and key isolation under stated sealing and erasure assumptions
Why It Matters
As AI agents gain autonomy and access to production APIs, messaging platforms, and cloud services, the security model for credential delegation becomes critical. Today's approach of embedding reusable secrets within agent boundaries creates a fundamental vulnerability: a single prompt injection or tool compromise can escalate to durable account takeover. SUDP addresses this structural problem by ensuring secrets never cross the agent boundary, raising the bar for what attackers can achieve even with agent access.
Business Impact
For operators deploying agents in production, credential compromise is a high-impact risk that can lead to data exfiltration, unauthorized API usage, and compliance violations. SUDP provides a concrete protocol that reduces blast radius and enables safer delegation of sensitive operations without requiring agents to hold reusable authority. This is particularly relevant for enterprises integrating agents with legacy systems, cloud infrastructure, and third-party APIs where credential management is already a pain point.
Key Implications
- Existing agentic deployments that embed API keys or bearer tokens in prompts or tool contexts are vulnerable to prompt injection and tool-side attacks that can become durable; SUDP-like protocols may become table stakes for production systems
- The three-role model (requester, authorizer, custodian) suggests a shift in how agent infrastructure is architected, potentially requiring separate credential-management services and explicit user-authorization flows for sensitive operations
- The formalization of ASU and its security taxonomy provides a framework for evaluating and comparing credential-delegation approaches, which could influence how platforms like OpenAI, Anthropic, and others design agent security features
What to Watch
Monitor whether major AI platforms and cloud providers adopt SUDP or similar protocols in their agent frameworks and API credential management. Watch for real-world agent compromises that exploit credential exposure to understand whether the industry recognizes this as a priority. Also track whether this work influences standards bodies or security frameworks for agentic AI systems.
Subscribe to the newsletter
The latest stories and analysis, delivered to your inbox.
Free. No spam. Unsubscribe any time.
