SECRETS MANAGEMENT. LAST MILE DELIVERY, NEVER IN THE PROMPT.

In logistics, the last mile is the leg where a package actually reaches the customer, the failure-prone final delivery. For an AI agent, the last mile is the tool call. The credential has to reach the downstream API without ever entering a prompt, a completion, a tool argument, or an audit row. That is what this section handles for a Claude agent.

When a Claude agent calls a tool, the system launches the tool as a separate subprocess and hands the provider credentials (ANTHROPIC_API_KEY, OPENAI_API_KEY, GEMINI_API_KEY, GITHUB_TOKEN) to it as environment variables. The credential lives inside that subprocess, outside the model's view. The agent names the tool, the tool returns a result, the key never appears in between.

Custom credentials travel the same path. User-supplied secrets are handed to the subprocess as environment variables. An explicit allowlist named SYSTEMPROMPT_CUSTOM_SECRETS tells the subprocess which variables it is authorised to read. The tool execution log records tool name, server name, input arguments, status, and an execution id, and the credential is deliberately absent from every column.

A stolen session cookie should not become a long-lived API key. Every systemprompt.io session is a JWT the server verifies locally in under a microsecond, without a lookup to an identity provider. The token is the session, not a pointer to a session stored somewhere else.

Every token is HS256-signed with a profile-scoped secret the deployment owns. Startup refuses to boot with a signing secret shorter than the configured minimum, so a misconfigured profile fails loud instead of silently issuing weak tokens. The claims payload carries the user's scope, roles, session_id, rate-limit tier, audience, issuer, and expiry, plus a unique jti per session. Handlers read typed fields directly. Nothing re-parses the raw token, and nothing queries a user table on every request.

Verification has three explicit modes. Required is the production default: extract the bearer, decode the HS256 claims, validate issuer and audience, check expiry against wall-clock, return 401 on any failure. Optional falls back to an anonymous request context so public endpoints stay reachable. Disabled is reserved for tests. A network partition between the API and an external auth service cannot cause spurious logouts, because the server is the auth service.

Credential theft almost always starts with a probe. Mass scanners sweep the internet looking for exposed .env files, leftover .git directories, phpMyAdmin installs, and known webshell paths. Finding one is the attacker's first move. The scanner detector rejects those requests inline, before any application handler receives them, turning the outer edge of your deployment into a triage layer.

The detector inspects three signals in order. A requested path is matched against tables of scanner extensions and known-bad paths, covering .env, .git, phpMyAdmin, and the webshell endpoints mass scanners walk for. The user-agent is matched against a list of named scanner tools (masscan, nmap, nikto, sqlmap, and more) plus length thresholds that block empty or obviously forged agents. Request rate is normalised to requests-per-minute and compared against a burst ceiling sized to catch runaway scripts without throttling normal traffic.

All three checks run inline on the request path, not as post-hoc log analysis. A positive signal on any check rejects the request before routing. The detector emits a structured denial event with the path, user-agent, velocity, and which check fired, so a SIEM can tune thresholds from real traffic rather than guesswork.

A browser sends a session in a cookie. A CLI sends a bearer token in the Authorization header. A trusted MCP proxy in front of the server sends a verified identity in a custom header. A single hardcoded extraction strategy forces every caller to re-architect for the strategy. A transport-agnostic bearer chain lets every caller use its native idiom without the server caring which transport carried the token.

The token extractor holds an ordered list of extraction methods and walks them on every request. The first method that returns a token wins. If every method fails, the request is rejected with a specific error naming the methods tried. Preset chains cover the common cases. Standard walks the Authorization header, then MCP proxy, then cookie. Browser-only drops MCP proxy. Api-only keeps the Authorization header alone, for strict machine-to-machine traffic.

The MCP middleware adds one more layer on top of the extractor. Proxy-verified identity is tried first. A corporate load balancer doing SSO termination can sign a verified identity into a custom header, and the middleware accepts it without needing to speak JWT at the proxy. If proxy auth is absent, the middleware falls back to direct bearer validation, running audience, scope, and permission checks in turn. The result is either a fully authenticated request context or an anonymous one, with no ambiguous middle state.

When a single credential is compromised, the question is what the attacker can reach with it. In a flat credential model, the answer is everything. When every credential's scope is bound to a typed identity, the answer is bounded at the tier the identity holds. Every session's reach is defined by the identity that issued it, and no identity can resolve to more than its tier allows.

The permission model tiers are Admin, User, Anonymous, A2a, Mcp, and Service. Every session's JWT carries the tier at issuance. The tier determines which MCP servers the caller can discover, which tools load into the session, and which rate limit applies. Loading tools for a caller runs a permission check against each server before any tool appears in the manifest. Servers the caller cannot access are silently dropped, so a compromised Anonymous token cannot even enumerate admin-only tools, let alone invoke them.

Rate-limit tier follows the same identity. Admin sessions get a higher multiplier on base rates because they operate at scale with consent. Anonymous sessions get a fractional multiplier because a compromised anonymous token should not exhaust capacity. Secret scope, permission tier, and rate tier all key off the same authenticated identity, and the audit trail binds each tool execution to the request context that authorised it. The question "what did this identity touch" resolves to a single indexed query, not a cross-system hunt.