Stop giving AI agents the keys to everything: Introducing the Agent Access SDK

Acting independently on behalf of humans in multi-step workflows, AI agents like OpenClaw can increase productivity and streamline all kinds of online tasks. This newly unleashed productivity also brings new security challenges like credential abuse or data leaks.

The Agent Access SDK is a new open protocol and standalone development toolkit that enables agents to securely communicate with password managers and other software solutions. Developed by Bitwarden, the SDK supports credential access with designated human oversight and robust end-to-end encryption, helping ensure passwords are never exposed or used without explicit authorization. 

This release does not incorporate any AI functionality into the Bitwarden solution and does not grant AI systems persistent or unrestricted access to vault data. The Agent Access SDK is a separate development toolkit to help enforce secure credential access for those who leverage AI agents in their workflows.

Available now in an early alpha phase for everyone to test, the Agent Access SDK fundamentally redefines how agents can interact with password vaults, work-related systems, and digital life.

Unlike traditional machines, AI agents follow a non-deterministic path, often making decisions, accessing resources, and initiating actions without human input. While beneficial for hand-off execution, this delegation creates unique agentic AI security risks.

• Overscoped access: An AI agent may be granted excessive access permissions, interacting with systems, information, and data not required for their tasks. As such, the agent may leverage these permissions to perform unapproved actions. 

• Data leakage: Sensitive information, like plaintext credentials, can be shared with an AI provider who does not have the capabilities to effectively secure this information, leading to a potential data breach.

The Agent Access SDK reduces security risks by providing a secure end-to-end encrypted pathway for agents to request and receive access to credentials, delivering benefits including:

• Just-in-time (JIT) access: Approve access to specific credentials only when required to execute a specific task, instead of granting access to an entire password vault. 

• End-to-end encryption: Encrypt all agent communications end-to-end and inject them into the process, helping prevent plaintext password exposure.  

• Human-in-the-loop (HITL): Approval workflows ensure oversight into every credential used by an agent.

Employees are using AI agents, even when it may not be approved by company policy. The Agent Access SDK is the pathway to help employees benefit from AI agent productivity while protecting sensitive business credentials from data leaks. The SDK can also help employees keep track of which credentials the agent is using, so they can rotate as needed. This sets a foundation for more robust agent access auditing in the future. 

Inspired by open source collaboration and transparency, the Agent Access SDK is offered under an Apache 2.0 open source license, enabling everyone to review, audit, and contribute to the project. The Bitwarden community, security enthusiasts, industry experts, and software providers are invited to participate and try the SDK for themselves. 

Please note: the Agent Access SDK is in a very early alpha phase for testing and exploration. It is recommended that users leverage sample data when testing and avoid production information and environments at this stage.

Testers are encouraged to share feedback via GitHub issues. 

1. Initial setup: User follows the directions in GitHub to download the CLI and approves pairing of the AI agent with Bitwarden client.

2. Credential request: AI agent needs to log into an application or platform, and sends an encrypted request for a specific credential via the secure tunnel, which is forwarded to the CLI and decrypted.

3. User approval: User approves the credential via the CLI, which grants access to the agent. 

4. Secure transmission: The credential is encrypted. The ‘run’ subcommand fetches the encrypted credential and injects it as environment variables into a child process.

5. Credential usage: Agent uses the credential to accomplish the task. The next time the agent needs a credential, the process repeats.

Currently, the CLI is the primary method for interacting with the Agent Access functions. A Bitwarden browser extension will also be available in the future for more seamless initial connection setup, credential approval, and audit logging. 

The Agent Access SDK integrates natively with OneCLI, an open source gateway for secure Agent API calls. With the OneCLI integration, OneCLI will intercept any API calls the AI agent invokes and will fetch the API key from within the Bitwarden vault or other password management solution. This process helps ensure API keys are never exposed to the AI agent or the LLM. 

A native integration with Browserbase is also in development to further integrate secure credential access into AI workflows.

Ready to try secure access for your AI agents? Test this innovative new industry standard with Bitwarden and create a free account or start a 7-day business trial. Follow the directions in the Agent Access SDK GitHub repo to begin.