Protect API Keys with Agent Gateway

Today we’re launching Agent Gateway: a new security layer for running AI agents in production. It prevents agents from ever seeing sensitive credentials and can be used with network policies to strictly control which external endpoints the agent can safely reach. If you’re deploying agents against real usecases, this changes the threat model.

It's not a secret injection system. Agent Gateway is an L7 proxy that sits between your agent and the outside world, substituting authentication at the infrastructure layer and enforcing outbound policy automatically. Agents can no longer steal API keys because those keys never exist inside the environment. The agent only sees a temporary gateway token and, with network policies enabled, can only talk to destinations you explicitly allow. Key exfiltration, prompt injection, and man-in-the-middle attacks are addressed by Runloop at an infrastructure level.

Trustless Agents

Perhaps the biggest blocker to production agent deployment isn't model capability or even consistency: it’s trust. Agents are inherently dangerous and security is a challenge every developer must confront. Simply telling an LLM not to make mistakes disregards everything the industry has learned about secure computing over the past 50 years. Instead of attempting to coax and prompt agents into behaving safely and securely, a conventional approach is to restrict the information provided to the agent and the actions it can perform.

A defensive security posture is to always assume that the agent is compromised. This is the essence of zero-trust applied to agents. This means:

• Never granting the agent direct access to sensitive data.
• Restricting the endpoints the agent can talk to.
• Forcing authentication with every call

Agent Gateway works with Network Policies to enforce these boundaries.

Get Started

The single most common endpoint that agents talk to is the LLM provider. In this example we’ll explore how to set up a devbox without exposing an ANTHROPIC_API_KEY to the agent. The same approach shown here will work with any authenticated endpoint:

1. Create & configure the gateway:

// Create a gateway config for Anthropic
const anthropicGateway = await runloop.gatewayConfig.create({
    name: "anthropic-gateway",
    endpoint: "https://api.anthropic.com",
    auth_mechanism: { type: "bearer" },
    description: "Gateway for Anthropic Claude API"
});

// Choose a name for the secret you'll create next — this name is used
// to link the secret to a gateway.
const secretName = "ANTHROPIC";

2. Create the secret using the Runloop secure secret manager:

// Store the Anthropic API key as a secret
await runloop.api.secrets.create({
    name: secretName,
    value: "sk-ant-api03-..."  // Your actual Anthropic API key
});

‍3. (Optional): Attach a network policy

// Create a network policy that only allows Anthropic API access
const policy = await runloop.networkPolicy.create({
  name: "anthropic-only",
  allowed_hostnames: ["*.anthropic.com", "anthropic.com"],
  allow_all: false,
});

console.log(`Created policy: ${policy.id}`);

4. Start the devbox using the gateway and with the network policy‍

const devbox = await runloop.devbox.create({
  name: "agent-with-gateway",
  gateways: {
    // the key here is what the devbox will map to the value for secretName
    // $ANTHROPIC_API_KEY will be the env name on this devbox
    ANTHROPIC_API_KEY: {
      gateway: anthropicGateway.id, // Gateway config ID (or name)
      secret: secretName, // Must match the secret name from Step 2
    },
  },
  // use the network policy from step 2 (skip this if you didn't create a policy)
  launch_parameters: {
    network_policy_id: policy.id,
  },
});

5. Use the Agent Gateway with your Agent

// Verify environment variables are set
const urlResult = await devbox.cmd.exec("echo $ANTHROPIC_API_KEY_URL");
console.log(await urlResult.stdout());  // https://gateway.runloop.ai/...

const tokenResult = await devbox.cmd.exec("echo $ANTHROPIC_API_KEY");
console.log(await tokenResult.stdout());  // Note: this is the gateway token, NOT your real API key

// Make an API call through the gateway
const result = await devbox.cmd.exec(`
curl -X POST "$ANTHROPIC_URL/v1/messages" \
  -H "Authorization: Bearer $ANTHROPIC_API_KEY" \
  -H "Content-Type: application/json" \
  -H "anthropic-version: 2023-06-01" \
  -d '{
    "model": "claude-sonnet-4-20250514",
    "max_tokens": 100,
    "messages": [{"role": "user", "content": "Tell me a bit about the AI company Runloop"}]
  }'
`);
console.log(await result.stdout());  // Response from Anthropic

‍

Combining Agent Gateway with Network Policies

Agent Gateway controls authentication. Network Policies control reachability. When used together, they define a strict execution boundary for your agent.

With Network Policies you can:

• Deny all outbound traffic by default.
• Allowlist specific hostnames (with wildcard support).
• Block specific, high risk endpoints.

When combined with Agent Gateway, you get an environment where:

• The agent can only talk to approved endpoints.
• Authentication doesn’t risk credential theft.
• No secrets exist inside the runtime environment.

This is zero-trust applied to agent infrastructure.

Summary & Next Steps

Agents are becoming increasingly powerful, but without adequate safeguards they’re liability factories. If your security model depends on the agent behaving correctly, you don’t have a security model. Agent Gateway changes the parameters of what it means to run an agent in production:

• Your agent never sees critical credentials
• Destructive endpoints are completely protected
• Policies are enforced at infrastructure level

Take a look our documentation to find out more.

• Agent Gateway Documentation
• TypeScript SDK
• Python SDK

We believe that this release will be truly transformative for organizations wanting to run agents in production environments and we can’t wait to see what you’ll build.

Have questions or feedback?

We'd love to hear from you: support@runloop.ai

‍