What is credential vaulting for AI agents?

Credential vaulting stores usernames, passwords, and 2FA secrets in an encrypted store and injects them into the browser at runtime — without ever exposing the raw values to the LLM driving the agent. It's the only safe way to let an autonomous agent log into accounts that aren't its own.
Credential vaulting matters because most useful agentic work lives behind a login. Without a vault, the only way to authenticate is to put the secret directly into a prompt or tool-call payload — and from there it ends up in model traces, provider logs, and anything else that touches the LLM stack. Vaulting separates the credential from the model entirely: the secret stays in encrypted storage, the LLM only ever sees a placeholder, and the substitution happens at the browser layer where the credential is actually used.
The problem credential vaulting solves
"Agent plus auth" without a vault has three options, all bad:
- Paste the password into the prompt. Now it lives in the LLM provider's logs and possibly its training corpus. Non-starter for any user-owned credential.
- Hand-code a Playwright login flow per site. Brittle every time the site redesigns, and the credential still flows through the running script — usually leaking into stdout, error reports, or telemetry.
- Hard-code session cookies after a manual login. Works for a few days then expires. Doesn't scale to multi-user products where each user has their own session.
Every pattern shatters the moment the agent acts on behalf of someone other than the developer. You cannot put a customer's password in your prompt. You cannot ask a customer to re-paste cookies every Tuesday.
How Notte's vault works
Notte's vault is built on Infisical's open-source secret-management infrastructure: end-to-end encrypted, encrypted at rest and in transit, with a zero-trust architecture in which credential operations are performed locally to the tenant.
The agent emits FillAction primitives to type into login fields. When a FillAction targets a sensitive field, the vault transparently swaps the LLM's placeholder for the real credential — after the LLM has emitted the action, before the action reaches the browser. The real password is touched in exactly one place — the browser action that types it — and never anywhere else.
```python
from notte_sdk import NotteClient

client = NotteClient()

# Store the credential in the vault, bound to the site it belongs to.
vault = client.Vault(vault_id="my_vault_id")
vault.add_credentials(
    url="https://github.com/",
    email="agent@example.com",
    password="...",
)

# Run the agent with the vault attached; the task text carries no secret.
with client.Session() as session:
    agent = client.Agent(vault=vault, session=session, max_steps=10)
    response = agent.run(task="Log into GitHub and list my private repos.")
```
Key capabilities
| | Without a vault | With a vault |
|---|---|---|
| Where the password lives | In prompts, code, or env vars | In encrypted store, never in LLM context |
| LLM provider sees the secret | Yes, in prompts and tool calls | No |
| 2FA / TOTP support | DIY, usually broken | First-class |
| Multi-user / multi-tenant | Hard — secrets leak across runs | Per-vault isolation |
| Session expiry recovery | Re-paste manually | Automatic re-login |
| Compliance posture | Credentials in logs and traces | Credentials never logged |
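
The substitution step described under "How Notte's vault works", as an added toy model (not Notte's or Infisical's code): the trace keeps the placeholder, and only the browser-bound action carries the secret. The `{{vault:...}}` placeholder syntax, `ToyVault`, `execute`, the sample password, and the fail-closed origin check are assumptions made for illustration.

```python
import re
from dataclasses import dataclass
from urllib.parse import urlsplit

# Hypothetical placeholder syntax; the page does not specify the real one.
PLACEHOLDER = re.compile(r"\{\{vault:(email|password)\}\}")

@dataclass(frozen=True)
class FillAction:  # toy stand-in, not notte_sdk's FillAction
    field_id: str
    value: str

def origin(url):
    parts = urlsplit(url)
    return (parts.scheme, parts.hostname, parts.port)

class ToyVault:
    """In-memory stand-in for the encrypted store, keyed by site origin."""
    def __init__(self):
        self._by_origin = {}

    def add_credentials(self, url, email, password):
        self._by_origin[origin(url)] = {"email": email, "password": password}

    def resolve(self, action, page_url):
        """Return the action with its placeholder swapped for the real value."""
        match = PLACEHOLDER.fullmatch(action.value)
        if match is None:
            return action  # ordinary text: nothing to substitute
        creds = self._by_origin.get(origin(page_url))
        if creds is None:  # fail closed on unknown or look-alike origins
            raise PermissionError(f"no credential bound to {page_url}")
        return FillAction(action.field_id, creds[match.group(1)])

def execute(action, page_url, vault, trace, browser):
    trace.append(action)  # what model logs and traces retain
    browser.append(vault.resolve(action, page_url))  # only the browser sees the secret

if __name__ == "__main__":
    vault = ToyVault()
    vault.add_credentials("https://github.com/", "agent@example.com", "constructed-pw")
    trace, browser = [], []
    execute(FillAction("password", "{{vault:password}}"),
            "https://github.com/login", vault, trace, browser)
    print(trace[0].value, "->", "*" * len(browser[0].value))
```

Binding the lookup to the page's origin means a placeholder emitted on a look-alike host resolves to nothing instead of the stored password.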
Common use cases
- Consumer AI assistants that book, pay, or apply on a user's behalf. The user enrolls their accounts once; the agent does the work without ever holding the password.
- Authenticated web scraping of dashboards, supplier portals, or regulator sites that have no public API.
- Account-creation flows that combine digital identities with vaulted credentials so new accounts don't require human babysitting.
- 2FA-aware logins that pull TOTP codes from the vault on the fly — see how AI agents handle 2FA.
You can skip the vault layer for short-lived public-page automations or single-developer scripts using a throwaway account whose credentials you're genuinely comfortable handing to the LLM stack. Be honest about that last one — most teams say they're comfortable with it because they haven't audited what their LLM provider does with prompts.
Key takeaways
- Credential vaulting stores agent-accessible credentials in an encrypted store and injects them into the browser at runtime, bypassing the LLM entirely.
- Notte's vault is built on Infisical: end-to-end encrypted, zero-trust, with first-class 2FA support.
- Substitution happens at the action layer (FillAction), not the prompt layer — model logs and traces never contain the real password.
- Pair with agent identity for the broader frame and digital identity for the persistent online presence.