The fastest way to run an AI agent is to paste your API key into its config file and move on. It is also the fastest way to leak it. If you are running agents — local or cloud — here is how to store the keys so a mistake stays small.

What not to do (the common leaks)

  • Plain .env files in your project. They get committed to Git, copied into Docker images, and printed in logs. The single most common way keys end up public is an .env pushed to a repo.
  • Hardcoding keys in the agent's prompt or code. Now the secret lives in chat history, version control, and every backup.
  • One master key shared across every agent. If any agent leaks it, all of them are compromised, and you have to rotate everything at once.
  • Storing keys in a cloud notes app or pasting them into a chat to "set it up later." Chat transcripts are permanent. Treat anything pasted into a chat as already public.

The safer patterns, from good to best

Good — OS keychain / secret store. Keep keys in the macOS Keychain (or a secrets manager), and have the agent read them at runtime instead of from a file. The secret is encrypted at rest and never sits in your repo.

Better — environment injection at run time. Inject secrets as environment variables only when the agent process starts (from a vault or keychain), so they live in memory, not on disk. Never bake them into the image.

Best — the agent never holds the raw key at all. Put a broker between your agents and your real credentials. Your keys stay in one secure place; each agent gets a scoped, revocable credential that routes through the broker. The agent can do the job you authorized and nothing else — and it never sees the real secret to leak in the first place.

Why "the agent never holds the raw key" wins

Every other pattern still ends with the live secret inside an unpredictable program. The broker pattern removes that entirely. If an agent is compromised, the attacker gets a scoped key you can kill in seconds — not your real OpenAI, GitHub, or cloud credentials.
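The broker pattern described above, as an added Python example (not from the original page and not Agent Master Key's code). The `Broker` class, the agent names, the scope strings, the `fake_upstream` stub and the sample key are all constructed assumptions for illustration.

```python
import hashlib
import secrets

REAL_KEY = "sk-constructed-example-not-a-real-key"  # constructed sample value

def fake_upstream(action, payload, api_key):
    """Constructed stand-in for the real API; it never echoes the key back."""
    return {"action": action, "authenticated": api_key == REAL_KEY, "payload": payload}

class Broker:
    """Holds the real credential; agents only ever receive scoped tokens."""

    def __init__(self, real_key, upstream):
        self._real_key = real_key   # in practice, read from the keychain/vault at start
        self._upstream = upstream   # callable(action, payload, api_key) -> response
        self._grants = {}           # sha256(token) -> (agent, allowed actions)

    @staticmethod
    def _digest(token):
        # Store only a hash, so a dump of the grant table yields no usable tokens.
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, agent, scopes):
        token = secrets.token_urlsafe(32)
        self._grants[self._digest(token)] = (agent, frozenset(scopes))
        return token

    def revoke(self, agent):
        """Kill every token held by one agent; other agents are untouched."""
        doomed = [d for d, (name, _) in self._grants.items() if name == agent]
        for d in doomed:
            del self._grants[d]
        return len(doomed)

    def call(self, token, action, payload):
        grant = self._grants.get(self._digest(token))
        if grant is None:
            raise PermissionError("unknown or revoked token")
        agent, scopes = grant
        if action not in scopes:
            raise PermissionError(f"{agent} may not perform {action}")
        # The real key is attached here, inside the broker, and never returned.
        return self._upstream(action, payload, self._real_key)

def allowed(broker, token, action):
    """True if the broker forwards the call, False if it refuses."""
    try:
        return broker.call(token, action, {})["authenticated"]
    except PermissionError:
        return False
```

In a real deployment the broker runs as a separate process or service, so the agent's memory never contains the real key; here both share one interpreter only so the example runs on its own.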

Agent Master Key is built for exactly this: connect your accounts once on your own Mac, and each AI agent gets a scoped Master Key instead of your raw credential. Keys stay local, nothing touches the cloud, and you can revoke any agent in one click. It is the difference between "an agent leaked a key" and "an agent leaked a key that does nothing now."

A quick checklist

  1. No secrets in source code, prompts, or committed files.
  2. Keys encrypted at rest (keychain/vault), read at runtime.
  3. One scoped credential per agent — never a shared god key.
  4. A way to revoke a single agent without rotating everything.
  5. Never paste a live key into a chat or log.

If you can tick all five, an AI agent on your machine is a tool, not a liability. For the bigger picture on the risk, read "Is it safe to give AI agents your API keys?", and if you are choosing hardware to run agents on, see "The best mini PC for local LLMs".