Vercel's April 2026 breach exposed a structural problem: credentials stored in platform env vars have platform-level blast radius. For AI agents, that blast radius is dramatically larger.
What Happened
Vercel experienced unauthorized access to internal systems on April 19, 2026. Their guidance to customers: review environment variables, rotate secrets, use Vercel's sensitive environment variable feature.
That guidance lands differently when you're building AI agents.
Why Agents Amplify the Problem
A typical web app holds a small, fixed set of credentials. An AI agent holds credentials to multiple services simultaneously:
- LLM providers (OpenAI, Anthropic)
- Code execution environments
- GitHub, databases, calendar services
- Multiple downstream APIs
That's not a credential. That's a keyring.
When credentials are stored in platform env vars, every agent inherits them. No scoping. A single compromised dependency exposes the entire keyring.
Long-lived tokens make this worse. The window between breach and discovery and rotation is the window of exposure — with no architectural upper bound.
What the Fix Looks Like
Three properties matter:
- Short-lived. Tokens expiring in minutes or hours limit the damage window regardless of discovery timing.
- Per-session scoped. Each session has identity scoped exactly to what it needs, issued at start, unusable outside that session.
- Behaviorally monitored. Short TTLs limit time windows; behavioral signals catch anomalies within them.
This aligns with 12-Factor Agents Factor 12 (Stateless Reducer): agents as pure functions of their context, with no persistent credential state that outlives the invocation.
How AgentLair Approaches This
AgentLair's AAT (Agent Authentication Token) architecture issues fresh EdDSA-signed JWTs per session with a 1-hour TTL:
{
"sub": "did:web:agentlair.dev:agents:acct_abc123",
"iat": 1745078400,
"exp": 1745082000,
"scope": ["email:read", "files:write"],
"session": "sess_xyz789"
}
The did:web claim gives each agent a persistent, externally resolvable identity. The JWKS endpoint at /.well-known/jwks.json allows any downstream service to verify tokens locally — no API call required.
A trust scoring engine running continuously during sessions scores behavioral consistency across three dimensions: temporal consistency, scope adherence, and behavioral stability. A valid token plus anomalous behavior raises a flag that can gate high-value operations.
The Comparison
| Platform env vars | AgentLair AAT | |
|---|---|---|
| Token lifetime | Indefinite | 1 hour |
| Scope | All agents on platform | Per-session, declared explicitly |
| Platform breach impact | Credentials exposed indefinitely | Current session's token, 1h max |
| Behavioral monitoring | None | Trust score on every session |
Platform-stored, long-lived credentials have platform-level blast radius. Short-lived, per-session, JWKS-verifiable tokens shrink that blast radius to the session window.
Top comments (0)