Two things happened in the last eight weeks that should permanently change how you handle API keys. In May, Composio — a company whose entire job is holding credentials for AI agents — disclosed a breach of its internal systems. And yesterday, Moonshot AI released Kimi K3, and a large fraction of the agent-running world celebrated by pasting an OpenRouter key into yet another config file.

Different events, same lesson: in the agent era, the key itself is the target, and the way you store and hand out keys matters more than which tools you run. Here is the plain version of how to protect them — a ladder you can climb one rung at a time.

Why agents changed the threat model

API keys used to live in a couple of boring places: a server's environment, a CI secret store. Agents broke that pattern in four ways.

  • Keys now live in config files on your laptop. Most agent frameworks want a key in a plain-text JSON or env file in your home directory — readable, syncable, and one careless git add away from a public repo.
  • Prompt injection puts your key one tool call from an attacker. An agent reads untrusted content and acts on it. A payload hidden in a web page can tell it to send the key it holds somewhere else — and if it holds a raw key, it can comply. We covered the mechanics in how a web page can steal your agent's keys.
  • One key now fronts many providers. Aggregators like OpenRouter are genuinely useful — one key, hundreds of models. But that convenience concentrates risk: leak that one key and someone else is spending against every model behind it.
  • Agents multiply faster than your discipline does. Every new agent needs access to something, and the lazy move is to reuse the key you already have. That is how credential sprawl happens — at machine speed.

The result: your blast radius — the damage one leaked key can do — has quietly grown while the keys themselves stayed exactly as easy to steal.

The hygiene ladder

You do not have to fix everything at once. Each rung below strictly shrinks your blast radius; climb in order.

  1. Rung 1 — never commit or paste a raw key into an agent config. Keys do not belong in repos, prompts, chat logs, or shared docs. If a real key has ever touched a repo — even a private one, even briefly — treat it as burned and rotate it now.
  2. Rung 2 — one key per agent, always. A shared master key means every incident is unattributable and every revocation is a company-wide outage. Per-agent keys make cutting one agent a non-event.
  3. Rung 3 — scope ruthlessly. Take every restriction the provider offers: read-only where possible, spend caps, model allowlists, IP restrictions. A stolen key scoped to "read one calendar" is a log entry, not an incident.
  4. Rung 4 — build a rotation habit. Put it on a calendar. Rotation is a fire drill: the first time you rotate a key, you discover every place it secretly lives. Better to learn that on a quiet Tuesday than during a breach deadline.
  5. Rung 5 — broker locally. Keep the real keys in one encrypted vault on hardware you control, and give each agent a scoped stand-in that routes through a broker. If the words are new, start with what a credential broker for AI agents is and why local-first beats cloud storage for this job.
  6. Rung 6 — keep an audit trail. Injection attacks and key theft are quiet. A per-agent log of who called what, when, is how you find out anything happened at all — and it only works if rung 2 gave each agent its own identity.

Rungs one through four are habits. Rungs five and six are architecture. The habits help; the architecture is what makes a successful attack not matter.

Even the custodians get breached

If you think "I'll just use a service that manages credentials for me" closes the question, May 2026 is worth studying. Composio disclosed on May 21 that an attacker had gained unauthorized access to internal systems — first a foothold in an internal agentic monitoring tool, then elevated access to its automated remediation systems, then malicious tool definitions chained into arbitrary code execution inside its tool-execution sandbox. Composio described the attacker's sophistication as "consistent with a highly skilled actor, likely augmented by advanced AI systems."

The leaked connections were about 0.3% of the total — but that included 5,001 GitHub connections, and an auxiliary cache holding 5,241 API keys that the attacker likely had access to. Composio revoked affected credentials, deleted all customer API keys created before its May 22 cutoff, and set a hard rotation deadline. Credit where due: it published indicators of compromise, notified more than 50 third-party providers, and updated its bulletin for a week straight. That is transparent incident handling, and the full timeline is worth reading — we broke it down in our coverage of the Composio breach.

But two details are the actual lesson for you. First, under 5% of affected connections could not be revoked from Composio's side at all — and most API-key-scheme credentials could only be rotated by the end user, directly with the provider. When the custodian is breached, the cleanup lands on you, on a deadline. Second, every customer who had never practiced rotation discovered, that week, exactly how many places their keys lived. The math tilts hard toward rungs four and five: know where every key is, keep the real ones somewhere a vendor's breach can't reach, and make rotation something you have already done before you're forced to.

The Kimi K3 test

New-model week is when key hygiene fails, because excitement beats discipline every time. Kimi K3 landed on OpenRouter this week, everyone wants to point an agent at it, and the path of least resistance is the same as always: paste your OpenRouter key into the agent's config and go. That is rung zero — a raw key that fronts every model and provider behind your account, sitting in plain text where an injected instruction can reach it.

You can try the new model and keep the ladder intact. We wrote up the exact setup in how to use Kimi K3 without exposing your OpenRouter key — the short version is: the key goes in the vault, the agent gets a scoped stand-in, and revoking the experiment afterward takes one click instead of a key rotation.

If you want rungs two through six as one tool instead of five separate habits, that is exactly what a local credential broker is for. Agent Master Key keeps your real keys in an encrypted vault on your own Mac (AES-256-GCM), issues each agent its own scoped, revocable amk_live_ key through a local broker, records every call in a local redacted audit trail, and gives you a kill switch that cuts every agent at once. GitHub and Telegram connectors are live-proven today; everything else — OpenRouter included — runs as a bring-your-own-key template. It is free for a limited time. (Disclosure: Agent Master Key is built by AM Accelerated LLC, the company that publishes The AMA Hub.)

Bottom line

Agents changed the economics of key theft: more copies, more holders, and attackers that read the same instructions your agent does. You will not out-guess every attack, and even the professionals get breached — so stop betting on prevention and architect for containment. One key per agent, scoped hard, rotated on a schedule, brokered from a local vault, logged locally. Do that, and the next breach headline — or the next shiny model — is something you read about, not something you clean up after.

Want someone to pressure-test your agent setup against exactly this? That's what the $99 AI Agent Security & Setup Audit is for.