Agent Credential Management

Source: workflow/agent-credential-management.md


Rule

When needing to store or retrieve credentials, use a GPG-encrypted credential system in the agent's secrets/ directory.

Context

When autonomous agents need to:

Detection

Observable signals indicating credential management is needed:

Pattern

Use GPG-encrypted credential storage:

```bash
# Directory structure (in agent workspace)
secrets/
├── agent-public.gpg          # Agent's public key
├── credentials/              # Encrypted credentials
│   ├── github.gpg
│   ├── email.gpg
│   └── ...
└── README.md                 # Usage documentation

# Check if credential exists
ls secrets/credentials/<service>.gpg 2>/dev/null

# Read credential (requires GPG decryption)
gpg --decrypt secrets/credentials/<service>.gpg 2>/dev/null

# Store new credential (encrypt with agent's key)
echo '{"service": "github", "username": "...", "token": "..."}' | \
  gpg --encrypt --recipient-file secrets/agent-public.gpg > secrets/credentials/github.gpg
```

Credential format (JSON):

```json
{
  "service": "github",
  "username": "agent-username",
  "password": "...",
  "token": "...",
  "notes": "Created 2026-01-27 for autonomous operations"
}
```
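As an added example (not part of the original lesson), a small Python wrapper around the commands above: it rejects service names that are not a plain token before they are spliced into a path, validates the decrypted JSON against the credential format, passes the plaintext to gpg on stdin rather than on a command line, and masks secrets before a credential is logged or pasted into an issue. It assumes `gpg` is on PATH, the agent's private key is in the local keyring (for reading), and `secrets/agent-public.gpg` exists (for writing); all function names are the example's own.

```python
import json
import re
import subprocess
from pathlib import Path

# The service name is spliced into a path, so restrict it to a plain token before
# any filesystem access: "../ssh" or "a/b" must fail here, not inside gpg.
SERVICE_RE = re.compile(r"[a-z0-9][a-z0-9_.-]{0,63}")
REQUIRED = ("service", "username")   # always present in the JSON format
SECRET_KEYS = ("password", "token")  # at least one of these must be set

def credential_path(root, service):
    """secrets/credentials/<service>.gpg under root; raises on a bad name."""
    if not SERVICE_RE.fullmatch(service):
        raise ValueError("invalid service name: %r" % service)
    return Path(root) / "secrets" / "credentials" / (service + ".gpg")

def parse_credential(text):
    """Validate decrypted JSON against the credential format shown above."""
    cred = json.loads(text)
    if not isinstance(cred, dict):
        raise ValueError("credential must be a JSON object")
    missing = [k for k in REQUIRED if not cred.get(k)]
    if missing:
        raise ValueError("missing fields: " + ", ".join(missing))
    if not any(cred.get(k) for k in SECRET_KEYS):
        raise ValueError("credential carries neither password nor token")
    return cred

def redact(cred):
    """Copy safe to log or paste into an issue: secrets masked, metadata kept."""
    return {k: ("***" if k in SECRET_KEYS else v) for k, v in cred.items()}

def load_credential(root, service):
    """gpg --decrypt (agent's private key must be in the keyring), then validate."""
    path = credential_path(root, service)
    out = subprocess.run(["gpg", "--batch", "--quiet", "--decrypt", str(path)],
                         capture_output=True, check=True)
    return parse_credential(out.stdout.decode())

def store_credential(root, cred):
    """Encrypt a validated credential to secrets/agent-public.gpg and write it."""
    cred = parse_credential(json.dumps(cred))
    path = credential_path(root, cred["service"])
    pubkey = Path(root) / "secrets" / "agent-public.gpg"
    # Plaintext goes to gpg on stdin, so it never appears in a process listing.
    subprocess.run(["gpg", "--batch", "--yes", "--encrypt", "--recipient-file",
                    str(pubkey), "--output", str(path)],
                   input=json.dumps(cred).encode(), check=True)
    return path
```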

Setup Requirements

  1. Agent needs a GPG keypair (public key in secrets/)
  2. secrets/credentials/ directory must exist
  3. Human assistance required for initial credential provisioning

Escalation Path

If credential management is not set up:

  1. Check for existing secrets/ directory and GPG key
  2. Document the credential need in workspace issue tracker
  3. Escalate to human operator for credential provisioning
  4. Once provisioned, credential can be used autonomously

Outcome

Following this pattern results in:

Related

Match Keywords

- manage API keys
- OAuth blocked at password
- API key for agent workspace
- store credentials in .env
- secret rotation for agent