Secrets Broker
wl-secrets-broker is under active development and will be available in an upcoming release.
wl-secrets-broker is a policy-enforced secrets management service that issues scoped, time-limited Secret Capability Tokens (SCTs). Agents never see raw API keys — credentials are injected at the proxy layer.
How It Works
- wl-proxy receives an agent's API request
- wl-proxy asks wl-secrets-broker for the credential that request needs
- wl-secrets-broker asks wl-apdp whether this agent is allowed to access that secret for this action
- If authorized, wl-secrets-broker issues an SCT and fetches the credential from the configured secret provider (OpenBao in the evaluation profile)
- wl-proxy injects the credential into the upstream request; the agent only ever sees the upstream response
- The request, the authorization decision and the token issuance are all logged, giving a full audit trail
Secret Capability Tokens (SCTs)
SCTs are the core primitive for credential access:
| Property | Description |
|---|---|
| Ed25519 signed | Signed with the broker's private key; any holder of the public key can check that a token is genuine and unmodified |
| Time-limited | Carries an expiry and is rejected once the configured TTL has elapsed |
| Single-use (JTI) | Each token carries a unique ID (jti) that is recorded on first use, so a replayed token is rejected |
| Scope-limited | Bound to one specific agent, action and resource; it cannot be redeemed for any other combination |
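The four properties in the table are easiest to see together in code. The following is an added example written for this page, not wl-secrets-broker's own implementation: the claim field names (`agent`, `action`, `resource`, `iat`, `exp`, `jti`), the JSON encoding and the `Broker`/`Verifier` split are all assumptions. It uses only the Go standard library (`crypto/ed25519`). The issuing side signs the serialized claims; the redeeming side verifies the signature before trusting anything in the payload, then checks the validity window and the requested scope, and only then records the jti so the same token cannot be presented twice.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"encoding/json"
	"errors"
	"sync"
	"time"
)

// SCTClaims is what a token binds: scope, validity window and a unique ID.
// Field names are an assumption for this example; the page shows no wire format.
type SCTClaims struct {
	Agent    string `json:"agent"`
	Action   string `json:"action"`
	Resource string `json:"resource"`
	IssuedAt int64  `json:"iat"` // unix seconds, inclusive
	Expires  int64  `json:"exp"` // unix seconds, exclusive
	JTI      string `json:"jti"` // random ID, redeemable at most once
}

// SCT is the serialized claims plus an Ed25519 signature over exactly those bytes.
type SCT struct {
	Payload []byte
	Sig     []byte
}

var (
	ErrBadSignature = errors.New("sct: signature invalid")
	ErrExpired      = errors.New("sct: outside validity window")
	ErrScope        = errors.New("sct: scope mismatch")
	ErrReplayed     = errors.New("sct: jti already consumed")
)

// Broker is the issuing side; the private key never leaves it.
type Broker struct{ priv ed25519.PrivateKey }

func NewBroker() (*Broker, ed25519.PublicKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	return &Broker{priv: priv}, pub, nil
}

// Issue mints a token bound to (agent, action, resource), valid for ttl from now.
func (b *Broker) Issue(agent, action, resource string, ttl time.Duration, now time.Time) (SCT, error) {
	raw := make([]byte, 16)
	if _, err := rand.Read(raw); err != nil {
		return SCT{}, err
	}
	payload, err := json.Marshal(SCTClaims{
		Agent: agent, Action: action, Resource: resource,
		IssuedAt: now.Unix(), Expires: now.Add(ttl).Unix(),
		JTI: hex.EncodeToString(raw),
	})
	if err != nil {
		return SCT{}, err
	}
	return SCT{Payload: payload, Sig: ed25519.Sign(b.priv, payload)}, nil
}

// Verifier is the redeeming side (wl-proxy in the flow above): it holds only the
// public key plus the JTIs already honoured, keyed to their expiry so a sweeper
// can drop entries once the token they belong to could no longer validate anyway.
type Verifier struct {
	pub  ed25519.PublicKey
	mu   sync.Mutex
	used map[string]int64
}

func NewVerifier(pub ed25519.PublicKey) *Verifier {
	return &Verifier{pub: pub, used: map[string]int64{}}
}

// Redeem checks signature, window and scope in that order (nothing in the payload
// is trusted until the signature passes) and consumes the JTI only when all pass.
func (v *Verifier) Redeem(t SCT, agent, action, resource string, now time.Time) (SCTClaims, error) {
	if !ed25519.Verify(v.pub, t.Payload, t.Sig) {
		return SCTClaims{}, ErrBadSignature
	}
	var c SCTClaims
	if err := json.Unmarshal(t.Payload, &c); err != nil {
		return SCTClaims{}, err
	}
	if n := now.Unix(); n < c.IssuedAt || n >= c.Expires {
		return SCTClaims{}, ErrExpired
	}
	if c.Agent != agent || c.Action != action || c.Resource != resource {
		return SCTClaims{}, ErrScope
	}
	v.mu.Lock()
	defer v.mu.Unlock()
	if _, seen := v.used[c.JTI]; seen {
		return SCTClaims{}, ErrReplayed
	}
	v.used[c.JTI] = c.Expires
	return c, nil
}
```

Two design points worth noting. The scope arguments to `Redeem` come from the request wl-proxy is about to make, not from the token, so a token minted for `openai-api-key` cannot be redeemed while injecting a different credential. And the `used` map is keyed to the token's expiry for a reason: a verifier that never forgets consumed IDs grows without bound, whereas entries whose `exp` has passed can be swept safely because the window check would reject those tokens regardless.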
Secrets Storage
Credentials (OpenAI API keys, Anthropic API keys, etc.) are stored in a pluggable secret provider. In the evaluation profile this is OpenBao (a HashiCorp Vault-compatible server) running in in-memory mode, so secrets are never written to disk and disappear when the process stops. Production deployments can use AWS Secrets Manager, Azure Key Vault, or environment variables instead; environment variables are the weakest of these, since they are readable by anything that can inspect the broker process or its children, and are only appropriate for single-host setups.
OpenBao is optional and is included only in the eval profile for convenience. Production deployments should use your organization's existing secret management infrastructure.
Authorization Integration
Every credential request is authorized by wl-apdp before issuance. Cedar policies control which agents can access which credentials:
```cedar
// Allow research-agent to read the OpenAI key, but only while it is pursuing
// an active DataAnalysis goal; any other context is denied by default.
permit(
    principal == Agent::"research-agent",
    action == Action::"access_secret",
    resource == Secret::"openai-api-key"
) when {
    context.intent_category == "DataAnalysis" &&
    context.goal_status == "Active"
};
```
Webhook Authentication
wl-secrets-broker can deliver audit events to external systems via webhook callbacks authenticated with HMAC-SHA256, so the receiver can verify that a callback came from the broker and that its body was not altered in transit.
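What a receiver of those callbacks must actually do is shown in the following added example. It is written for this page and is not wl-secrets-broker's code: the header layout `t=<unix seconds>,v1=<hex mac>` and the choice to MAC `"<timestamp>.<body>"` are assumptions (a widely used webhook pattern), not the broker's documented format. The example shows both sides, and the verification handles the failure modes a practitioner cares about: a tampered body, a wrong shared secret, a delivery outside the replay tolerance, a timestamp moved back into the window without re-signing, and a malformed header. The comparison uses `hmac.Equal` so timing does not depend on how many leading bytes of a guessed MAC are correct.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"strconv"
	"strings"
	"time"
)

var (
	ErrMalformed = errors.New("webhook: malformed signature header")
	ErrStale     = errors.New("webhook: timestamp outside tolerance")
	ErrMismatch  = errors.New("webhook: signature mismatch")
)

// computeMAC binds timestamp and body together: HMAC-SHA256(secret, "<ts>.<body>").
// MACing only the body would let an old delivery be replayed with a fresh timestamp;
// MACing only the timestamp would let the body be swapped.
func computeMAC(secret []byte, ts int64, body []byte) []byte {
	mac := hmac.New(sha256.New, secret)
	mac.Write([]byte(strconv.FormatInt(ts, 10)))
	mac.Write([]byte("."))
	mac.Write(body)
	return mac.Sum(nil)
}

// SignWebhook is the sender side. The "t=<unix seconds>,v1=<hex mac>" layout is
// an assumption for this example, not wl-secrets-broker's documented header.
func SignWebhook(secret []byte, ts int64, body []byte) string {
	return "t=" + strconv.FormatInt(ts, 10) + ",v1=" + hex.EncodeToString(computeMAC(secret, ts, body))
}

// VerifyWebhook is the receiver side. It parses the header, rejects deliveries
// whose timestamp is more than tolerance away from the receiver's clock (this
// bounds the replay window), recomputes the MAC over the raw body bytes exactly
// as received, and compares in constant time.
func VerifyWebhook(secret []byte, header string, body []byte, now time.Time, tolerance time.Duration) error {
	var tsStr, sigHex string
	for _, part := range strings.Split(header, ",") {
		k, val, ok := strings.Cut(part, "=")
		if !ok {
			return ErrMalformed
		}
		switch k {
		case "t":
			tsStr = val
		case "v1":
			sigHex = val
		}
	}
	if tsStr == "" || sigHex == "" {
		return ErrMalformed
	}
	ts, err := strconv.ParseInt(tsStr, 10, 64)
	if err != nil {
		return ErrMalformed
	}
	got, err := hex.DecodeString(sigHex)
	if err != nil {
		return ErrMalformed
	}
	skew := now.Unix() - ts
	if skew < 0 {
		skew = -skew
	}
	if skew > int64(tolerance/time.Second) {
		return ErrStale
	}
	if !hmac.Equal(got, computeMAC(secret, ts, body)) {
		return ErrMismatch
	}
	return nil
}
```

Verify against the raw request body before any JSON parsing; re-serializing the parsed object can change whitespace or key order and break the MAC. The timestamp tolerance only narrows the replay window, it does not close it: a receiver that must reject exact duplicates within the window should also remember a per-event identifier from the audit payload, in the same way the SCT jti is remembered.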