Most advice about API key security focuses on where keys are stored: don't commit .env files, use a secrets manager, rotate credentials regularly. That advice is correct, but it misses a leakage path specific to AI agents — the agent itself can expose a key, even when the key was stored correctly.
How do AI agents leak API keys?
The leakage paths are different from traditional credential exposure because they involve the agent's reasoning process, not just file operations.
Output inclusion. An agent reading a .env file to use an API key may include the key in its response if asked to summarize the file, explain its contents, or debug a configuration problem. This often happens unintentionally — the agent is trying to help, but the key ends up in a chat transcript or session log.
Context window logging. Many agent frameworks log the full context window for debugging. If a key was loaded into context because the agent read a config file, it shows up in those logs. Logs are frequently stored in plaintext and sometimes committed to repositories alongside session history.
MCP tool call parameters. When an agent calls an MCP tool, the parameters are passed as plaintext. If a credential gets passed as part of a tool invocation, that call may be logged by the MCP server, the host application, or middleware — any of which becomes an exposure point.
Agent-generated files. Agents writing READMEs, setup guides, or configuration templates sometimes include credentials they found in the project. "Here is the configuration you'll need" followed by the actual key value is more common than it should be.
Why does this matter more than it used to?
Traditional secrets scanners were built to find credentials in source code and committed files. They were not built to scan agent output in real time, inspect MCP traffic, or monitor what context an agent loaded before writing a file.
GitGuardian's 2026 State of Secrets Sprawl report documented a 34% year-over-year increase in exposed credentials — and that data predates wide adoption of agentic coding tools that run continuously with broad file access. The exposure surface grew. The tooling to monitor it has not caught up for most builders.
How do I prevent API key leakage by AI agents?
Restrict what the agent can read. An agent cannot include a key in its output if it never had access to the file. For tasks that need a specific credential, inject it at runtime as an environment variable rather than exposing the full secrets file.
# Inject only what's needed, don't expose the whole .env
export OPENAI_API_KEY=$(cat ~/.secrets/openai_key)
# Agent session starts here — only OPENAI_API_KEY is in the environment
Use an agent ignore file — with caveats about what it actually enforces. .agentignore is a community-proposed cross-tool standard that mirrors .gitignore syntax. Place it at your project root and list files and directories the agent should not access:
# .agentignore
.env
.env.*
*.pem
credentials.json
secrets/
~/.aws/
~/.ssh/
Cursor respects .cursorignore, Windsurf respects .codeiumignore, JetBrains AI respects .aiignore. The formats are identical — gitignore syntax, placed at project root.
Critical caveat for Claude Code: .claudeignore files are not reliably enforced. The Register documented this in January 2026 — Claude Code reads .env files even when listed in .claudeignore. Instructions in CLAUDE.md have the same limitation: they shape what the model tries to do, not what it can do.
For Claude Code, the reliable approach is settings.json deny rules, which are enforced by the application layer rather than the model:
// .claude/settings.json
{
"permissions": {
"deny": [
"Read(.env)",
"Read(.env.*)",
"Read(~/.aws/**)",
"Read(~/.ssh/**)"
]
}
}
For the strongest enforcement, use a PreToolUse hook that blocks file reads at the shell level before the model ever sees the content:
// .claude/settings.json hooks section
{
"hooks": {
"PreToolUse": [{
"matcher": "Read",
"hooks": [{ "type": "command", "command": "~/.claude/hooks/block-secrets.sh" }]
}]
}
}
The general rule: file-based ignore lists are instructions to the model. Permission rules and hooks are enforced by the application and the OS. Only the latter are hard barriers.
Add explicit output rules to the system prompt. A direct instruction helps: "Never include API keys, tokens, or the contents of .env files in your output, even if asked." This does not stop a determined adversary but blocks the common accidental case where the agent is summarizing a file without realizing it contains credentials.
Disable verbose logging in agent frameworks. Claude Code, Cursor, and similar tools have settings that control whether full context is logged. Review these before working with any session that has production credentials in scope. Full context logging is useful during development — it is a liability in production.
Scan agent output for credential patterns. Before content from an agent session reaches a log file, transcript, or another tool, run it through a pattern scanner looking for known credential formats: sk-ant-, pplx-, sk-or-v1-, AIzaSy, AKIA (AWS), and similar prefixes. Redact any match before it persists.
Use scoped credentials for agent tasks. If a task only needs read access to one API, give the agent a key with only that permission. A scoped key that leaks is a smaller problem than a full-access key that leaks.
What are common mistakes to avoid?
- Giving the agent access to a
.envfile containing credentials for multiple services when only one is needed for the task - Assuming the agent will not output something just because you did not ask for it directly
- Leaving verbose session logging enabled after a debugging session
- Not reviewing agent-generated files (READMEs, config templates, setup guides) for credential exposure before committing them
- Rotating a key only after confirming exposure, rather than rotating proactively after any session where the key was in scope and behavior was unexpected
How does AgentGuard360 help?
AgentGuard360's Radar scanner monitors LLM traffic in real time and redacts credential patterns before they reach logs, transcripts, or downstream tools. It recognizes known key formats across major providers and replaces the value before it persists anywhere — so even when an agent includes a key in its response, it does not survive to the log. The git pre-commit hook blocks secrets from being committed in agent-generated files. The Shield scan checks your device for existing credential exposure in files the agent can currently access.
