The Credential Broker

Loose keys should move out of server code and logs into a brokered path.

Why it mattersAgents and MCP servers should not become new places where secrets spread.

A binding card names actor, policy, environment, and reference without showing the secret.

Why it mattersReviewers need explainable access without exposing sensitive values.

Service-account access can be injected upstream while the agent never sees the credential.

Why it mattersMany first pilots need service access with centralized control.

Delegated access keeps the action tied to user authority and OAuth scope.

Why it mattersSome tools should act with user authority, not only service identity.

Agent-scoped credentials can be limited to owned tools and revoked cleanly.

Why it mattersThe credential should match the agent, owner team, and tool risk.

Workload identity maps to a subject and selects the right binding.

Why it mattersCloud and cluster identities need first-class treatment in enterprise deployments.

The gateway should work from secret references, not plaintext storage.

Why it mattersExisting vaults and cloud secret stores remain the source of truth.

Dev, staging, and production use separate bindings.

Why it mattersPreventing cross-environment use is a basic production control.

Rotation changes the secret reference while the server stays untouched.

Why it mattersCredential hygiene improves when rotation does not require app rewrites.

Revocation blocks new calls, terminates affected sessions where needed, and emits audit evidence.

Why it mattersA broker is only credible if access can be stopped cleanly.

Audit keeps credential mode, binding reference, request ID, and policy version without secret values.

Why it mattersSecurity needs traceability without creating a new sensitive log.

Tool calls get the resolved mode, private backend route, and audit receipt while domain owners keep logic.

Why it mattersCredential governance should reduce platform burden, not steal domain ownership.