
SUDP: A Protocol for Secret-Use Delegation in Agentic Systems

Abstract

SUDP (Secret-Use Delegation Protocol) lets AI agents perform secret-backed operations without ever holding the underlying secret. Instead of placing reusable credentials such as API keys or OAuth tokens inside the agent runtime, it keeps ownership of the secret with the user and delegates only a narrowly scoped, single-use, transaction-bound authorization for a specific action, recipient, and validity window. The protocol runs in three phases: setup, authorization grant, and consumption. An agent requests an operation, the user approves that exact operation with an authenticator-backed gesture, and the system executes it without exposing the raw credential to the agent. Credential use therefore becomes auditable and resistant to leakage, replay, and misuse.

SUDP

A protocol for letting AI agents use secrets without ever holding them

SUDP (Secret-Use Delegation Protocol) is a protocol for agentic systems in which AI agents can initiate secret-backed operations without ever taking possession of the underlying secret itself.

As LLM agents increasingly act on behalf of users across APIs, messaging platforms, and cloud services, they must often rely on credentials such as API keys, OAuth tokens, or signing keys. This creates a core security tension: agents are useful because they can perform privileged actions, but dangerous because anything exposed inside the agent boundary can leak through prompt injection, logging, tool output, or runtime compromise.

SUDP addresses this by separating secret ownership from secret-use capability. The secret remains under user-controlled protection, while each use is conditionally delegated through a single-use, transaction-bound authorization that specifies what action is allowed, who may redeem it, and under what conditions.

How it works

SUDP defines a three-phase model:

  1. Setup — protected secret state is sealed in a vault-like runtime.
  2. Authorization grant — the user approves a specific operation through an authenticator-backed gesture.
  3. Consumption — the authorized operation is executed without exposing the raw secret to the agent.

The resulting grant is bound cryptographically to a specific operation and is redeemable only once. This turns “may the agent use this secret?” into a precise, auditable cryptographic commitment rather than an open-ended permission.
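The following walkthrough is an added example and not code from the SUDP authors or project. It models the three phases with standard-library Python only: the vault seals the secret (setup), the user's authenticator signs a grant bound to the hash of one operation, one redeemer and one validity window (authorization grant), and the vault verifies the grant, marks it consumed and uses the secret in place (consumption). It assumes an HMAC key as a stand-in for the user's authenticator signature and a hypothetical `api.example.com` endpoint; the check order, field names and error strings are illustrative choices, not the protocol's wire format.

```python
"""Illustrative SUDP-style flow (added example, not the project's code).

Assumptions: the user's authenticator is modelled as an HMAC key; a real
deployment would use an asymmetric signature from a hardware or platform
authenticator, with the vault holding only the verification key.
"""
import hashlib
import hmac
import json
import secrets


def canonical(obj) -> bytes:
    """Deterministic JSON encoding so both sides hash identical bytes."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def op_hash(op: dict) -> str:
    return hashlib.sha256(canonical(op)).hexdigest()


class Authenticator:
    """Phase 2: the user's approval gesture, modelled as an HMAC signer."""

    def __init__(self, key: bytes):
        self._key = key

    def approve(self, op: dict, redeemer: str, now: int, ttl: int = 60):
        """Sign a grant bound to exactly this operation, redeemer and window."""
        grant = {
            "grant_id": secrets.token_hex(16),  # unique id enables single-use tracking
            "op_hash": op_hash(op),
            "redeemer": redeemer,
            "not_before": now,
            "expires": now + ttl,
        }
        sig = hmac.new(self._key, canonical(grant), hashlib.sha256).digest()
        return grant, sig


class Vault:
    """Phase 1: the raw secret is sealed here. Phase 3: grants are redeemed here."""

    def __init__(self, secret: bytes, authenticator_key: bytes):
        self._secret = secret
        self._auth_key = authenticator_key  # verification key for grants
        self._consumed: set[str] = set()    # redeemed grant_ids (single-use)

    def consume(self, grant: dict, sig: bytes, op: dict, redeemer: str, now: int) -> dict:
        expected = hmac.new(self._auth_key, canonical(grant), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, sig):
            raise PermissionError("grant signature invalid")
        if grant["op_hash"] != op_hash(op):
            raise PermissionError("operation does not match grant")
        if grant["redeemer"] != redeemer:
            raise PermissionError("grant not issued to this redeemer")
        if not grant["not_before"] <= now < grant["expires"]:
            raise PermissionError("grant outside validity window")
        if grant["grant_id"] in self._consumed:
            raise PermissionError("grant already consumed (replay)")
        self._consumed.add(grant["grant_id"])
        # The secret is used only here, e.g. to produce a request signature;
        # the agent receives the signed operation, never the secret itself.
        auth_tag = hmac.new(self._secret, canonical(op), hashlib.sha256).hexdigest()
        return {"op": op, "auth_tag": auth_tag}


class Agent:
    """Proposes operations and carries grants; holds no secret and no signing key."""

    def __init__(self, name: str):
        self.name = name

    def propose(self, method: str, url: str, body: dict) -> dict:
        return {"method": method, "url": url, "body": body}


def run_scenario() -> dict:
    """Constructed end-to-end run: one valid redemption, then the rejections
    for replay, a tampered operation, an expired grant and the wrong redeemer."""
    api_secret = b"constructed-api-key-material"  # constructed, not a real key
    auth_key = b"constructed-authenticator-key"
    vault = Vault(api_secret, auth_key)           # setup
    user = Authenticator(auth_key)
    agent = Agent("agent-1")
    now = 1_700_000_000

    op = agent.propose("POST", "https://api.example.com/v1/messages",
                       {"to": "alice", "text": "hello"})  # hypothetical endpoint
    grant, sig = user.approve(op, agent.name, now)       # authorization grant

    out = {}
    result = vault.consume(grant, sig, op, agent.name, now)  # consumption
    out["ok"] = "auth_tag" in result and "secret" not in result

    def rejected(**kw):
        try:
            vault.consume(**kw)
        except PermissionError as e:
            return str(e)
        return None

    out["replay"] = rejected(grant=grant, sig=sig, op=op, redeemer=agent.name, now=now)
    tampered = dict(op, body={"to": "mallory", "text": "hello"})  # agent widens the action
    g2, s2 = user.approve(op, agent.name, now)
    out["tamper"] = rejected(grant=g2, sig=s2, op=tampered, redeemer=agent.name, now=now)
    out["expired"] = rejected(grant=g2, sig=s2, op=op, redeemer=agent.name, now=now + 61)
    out["wrong_redeemer"] = rejected(grant=g2, sig=s2, op=op, redeemer="agent-2", now=now)
    return out
```

The point to notice is where each check lives: the agent cannot forge a grant (it lacks the authenticator key), cannot reuse one (the vault records `grant_id`), and cannot stretch an approved operation into a different one (the grant commits to `op_hash`). A compromised agent is reduced to requesting approvals.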

Why it matters

Today, many agent systems still rely on the unsafe pattern of placing reusable credentials inside the agent runtime. Once that boundary is compromised, a transient model failure such as a single successful prompt injection can become a durable account compromise, because the exfiltrated credential stays valid long after the session that leaked it has ended.

SUDP offers a different model: even if the agent is subverted, it cannot exfiltrate a reusable credential or silently expand its authority. At most, it can attempt to request a narrowly scoped, user-authorized action.

Contributions

This work makes five main contributions:

Built from standard components

SUDP is designed to be practical and composable. It can be instantiated entirely from standardized building blocks such as:

This means the protocol introduces no new cryptographic assumptions while remaining compatible with modern agent runtimes and secure infrastructure.

Core idea

SUDP is not just a vault, a token proxy, or a prompt-level defense.

It is a protocol for capability-constrained secret use: a way to let agents act with secrets, without ever letting them become secret holders.