Security primitives that work without rewriting your agent
Runloop secures agent infrastructure at five layers: credential protection through the Credential Gateway, tool-level access control through MCP Hub, hardware-isolated compute through MicroVM Devboxes, DNS-level network enforcement, and authenticated ingress through Tunnels. Each layer is an independent primitive that works without the others, but together they form a defense-in-depth architecture that no competitor offers.
```python
import runloop
# Credential Gateway: agents use opaque tokens, never real keys
devbox = runloop.devboxes.create(
blueprint_id="bp_agent_runtime",
credentials=[
{"name": "RL_ANTHROPIC", "secret": "anthropic-api-key"},
{"name": "RL_GITHUB", "secret": "github-pat-readonly"}
]
)
# Inside the Devbox:
# os.environ["RL_ANTHROPIC"] = "opq_xyz..." (opaque, devbox-bound)
# Real key never touches the Devbox. Token dies on termination.
# MCP Hub: per-tool access control with pattern matching
mcp_config = runloop.mcp_configs.create(
name="github-readonly",
allowed_tools=["github.search_*", "github.get_*", "github.list_*"]
# github.delete_*, github.merge_* are invisible to the agent
)
``````typescript
import Runloop from 'runloop';
// Credential Gateway: agents use opaque tokens, never real keys
const devbox = await runloop.devboxes.create({
blueprintId: 'bp_agent_runtime',
credentials: [
{ name: 'RL_ANTHROPIC', secret: 'anthropic-api-key' },
{ name: 'RL_GITHUB', secret: 'github-pat-readonly' }
]
});
// Inside the Devbox:
// process.env.RL_ANTHROPIC = "opq_xyz..." (opaque, devbox-bound)
// Real key never touches the Devbox. Token dies on termination.
// MCP Hub: per-tool access control with pattern matching
const mcpConfig = await runloop.mcpConfigs.create({
name: 'github-readonly',
allowedTools: ['github.search_*', 'github.get_*', 'github.list_*']
// github.delete_*, github.merge_* are invisible to the agent
});
``````bash
# Credential Gateway: inject opaque tokens into Devbox
runloop devbox create \
--blueprint "bp_agent_runtime" \
--credential "RL_ANTHROPIC=anthropic-api-key" \
--credential "RL_GITHUB=github-pat-readonly"
# MCP Hub: define tool-level access control
runloop mcp-config create \
--name "github-readonly" \
--allow "github.search_*" \
--allow "github.get_*" \
--allow "github.list_*"
# Network Controls: DNS-level egress enforcement
runloop network-policy create \
--name "runtime-locked" \
--allow "api.anthropic.com" \
--allow "*.github.com"
```
Four infrastructure primitives for agent securit
Each layer is an independent primitive from the [Runloop Platform](/product). Together they form a defense-in-depth architecture that no competitor provides.
Opaque tokens replace real credentials on every Devbox. Bound to a single environment, expire on termination. Even if extracted through prompt injection, tokens are useless outside the originating Devbox.
Single endpoint for all agent tools with per-tool permissions via pattern matching. Restricted tools are invisible to the agent. Every invocation logged with user, tool, timestamp, and outcome.
Each Devbox runs in a dedicated MicroVM with its own kernel, filesystem, and network namespace. Hardware-enforced boundaries via custom bare-metal hypervisor. No shared compute between tenants.
DNS-level egress allowlists block all traffic to unlisted domains. Lifecycle-aware policies restrict access per stage: broad during build, locked during runtime. Every blocked connection logged.
Your agents use credentials without ever holding the
Credential theft through prompt injection is already happening in production. Prompt-injected PR comments have caused GitHub Copilot to exfiltrate AWS keys from private repositories via encoded image requests (CSO Online). Link Trap attacks coerce models into packaging credentials into attacker-controlled URLs (Keysight / Trend Micro). In every case, the root cause is the same: real credentials exist in the agent's environment, and a single successful prompt injection extracts them
Runloop Credential Gateway eliminates this attack surface entirely. Real credentials never exist on the Devbox. The gateway issues an opaque token that is bound to a specific Devbox, expires when that Devbox terminates, and only works through Runloop's proxy infrastructure. The agent uses the token exactly like a normal API key -- two fields change (base URL and key source) and every SDK call works as before. The gateway injects the real credential server-side and proxies to the upstream API with typically less than 10ms of added latency.
No other agent infrastructure provider offers an equivalent mechanism. E2B, Daytona, Modal, and CodeSandbox all inject real credentials into the execution environment, leaving them extractable through the same attack patterns documented above.
One endpoint for all agent tools, with per-tool permissions
Over-privileged MCP agents have already leaked secret tokens and credentials when prompted by attacker-controlled data inputs -- documented in incidents involving Supabase MCP and Obsidian RAG integrations. Unrestricted tool access is as dangerous as unrestricted code execution. Runloop MCP Hub aggregates all tool servers behind a single endpoint and gives you fine-grained control over which tools each agent can access. Your agent connects to one URL, sees a unified tool list filtered by its permissions, and calls tools by name. The Hub handles connection management, credential injection, access control, and routing.
Defense in depth across four infrastructure layers
Each layer operates independently. A failure at one layer does not compromise the others.
The Credential Gateway replaces real API keys with opaque, devbox-bound tokens. Even if an agent is compromised through prompt injection, the extracted token is useless outside the originating environment. Real credentials are injected server-side and never touch the Devbox.
MCP Hub enforces per-tool permissions using pattern matching. Agents only see the tools they are authorized to use -- restricted tools are invisible. Every invocation is logged with full context for compliance auditing.
Each Devbox runs inside a dedicated MicroVM on bare-metal infrastructure with two isolation layers: the hypervisor boundary and a container boundary within it. No shared kernel, no shared state, no cross-tenant access. Ephemeral by default -- environments are destroyed after use.
DNS-level allowlists block all egress traffic to unlisted domains. Lifecycle-aware policies restrict access per stage: package registries during build, API endpoints during runtime, nothing during snapshots. Every blocked connection is logged.
The only platform that gives you both the control plane and the data plane
With BYOC, both the control plane and the data plane run inside your cloud account. No other agent infrastructure provider offers this.
E2B, Daytona, Modal, and CodeSandbox inject real credentials into the execution environment. Runloop is the only platform where credentials are replaced with opaque, environment-bound tokens that are useless if extracted.
No competing platform offers per-tool permissions for agent tool access. MCP Hub provides pattern-based filtering, token binding, and full audit trails as a built-in infrastructure primitive.
Runloop SaaS or BYOC inside your own AWS, GCP, or Azure account. In BYOC, both the control plane and the data plane run in your cloud -- you own the infrastructure, network boundaries, and data residency. No other agent platform offers this.
Security and compliance questions
Common questions about Runloop's security architecture, credential protection, and compliance posture for enterprise AI agent deployments.
