Free for 1 AI agent · Python

Credentials for LangChain agents

Replace plaintext .env files in your LangChain agent with a server-enforced credential broker. Per-agent secret allowlist, drop-in env-var materialization, full audit of every read. Works with any LangChain version.

# Install
pip install secr-sdk

Use it

One import, one resolver. Existing LangChain tools that read credentials from environment variables via os.environ (ChatOpenAI, SerpAPIWrapper, Tavily, etc.) keep working unchanged.

import os

from secr.langchain import SecrCredentials
from langchain_openai import ChatOpenAI

# Resolve allowlisted secrets via an agent token.
# SECR_AGENT_TOKEN comes from the env — never commit it.
creds = SecrCredentials(
    token=os.environ["SECR_AGENT_TOKEN"],
    org="acme",
    project="support-bot",
    env="production",
)

# Push allowlisted secrets into os.environ — ChatOpenAI picks up
# OPENAI_API_KEY automatically. Existing env vars are not overwritten.
creds.materialize_env()

llm = ChatOpenAI(model="gpt-4o-mini")

# Or resolve a single key on demand
slack_token = creds.get("SLACK_BOT_TOKEN")

Server-enforced allowlist

The agent token has a server-side allowlist of which secret keys it can read. A compromised agent (bad model output, prompt injection, supply-chain attack) only sees the keys you allowlisted.

# Only the keys you allowlisted on the agent token resolve.
# Anything else raises KeyError — the API never returns the value.
try:
    creds.get("STRIPE_API_KEY")
except KeyError as e:
    print(e)
# → "Secret 'STRIPE_API_KEY' not found or not in agent allowlist
#    for acme/support-bot/production"

There's no client-side bypass — the API never returns the value, so even a patched SDK can't get a key the server hasn't allowlisted.
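A toy model of the enforcement described in this section, added here as an illustration; it is not code from the secr SDK or service. `ToyBroker`, `resolve`, `materialize` and all sample values are hypothetical, with an in-process object standing in for the server.

```python
import time

class ToyBroker:
    """In-process stand-in for the server side (hypothetical, not secr's code)."""

    def __init__(self, secrets, grants):
        self._secrets = secrets  # scope -> {key: value}
        self._grants = grants    # agent token -> (scope, allowlisted keys)
        self.audit = []          # one record per read attempt, granted or not

    def resolve(self, token, key, source_ip="203.0.113.7"):
        scope, allowed = self._grants.get(token, ("<unknown>", frozenset()))
        # The allowlist check runs here, on the broker, before any lookup.
        value = self._secrets.get(scope, {}).get(key) if key in allowed else None
        self.audit.append({"ts": time.time(), "scope": scope, "key": key,
                           "ip": source_ip, "granted": value is not None})
        if value is None:
            # One message for "missing" and "not allowlisted", so a caller
            # cannot probe which keys exist in the store.
            raise KeyError(f"Secret {key!r} not found or not in agent allowlist for {scope}")
        return value

def materialize(broker, token, keys, environ, overwrite=False):
    """Copy resolvable keys into environ; existing values win unless overwrite."""
    written = []
    for key in keys:
        if key in environ and not overwrite:
            continue
        try:
            environ[key] = broker.resolve(token, key)
            written.append(key)
        except KeyError:
            pass  # a denied key never reaches the process environment
    return written

# Constructed sample data, not real credentials.
TOKEN = "agent-token-constructed"
SCOPE = "acme/support-bot/production"
BROKER = ToyBroker(
    secrets={SCOPE: {"OPENAI_API_KEY": "sk-constructed",
                     "STRIPE_API_KEY": "rk-constructed"}},
    grants={TOKEN: (SCOPE, frozenset({"OPENAI_API_KEY", "NOT_STORED"}))},
)

if __name__ == "__main__":
    env = {"OPENAI_API_KEY": "already-set"}
    print(materialize(BROKER, TOKEN, ["OPENAI_API_KEY", "STRIPE_API_KEY"], env), env)
    print(BROKER.audit[-1]["granted"])
```

The denied read still lands in the audit list, which is the record a responder would query after a suspected prompt injection.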

What you get

In-memory caching

Resolved secrets are cached in memory for 5 minutes by default, configurable via cache_ttl_seconds, so tool invocations don't hammer the API.

No overwrite by default

materialize_env() won't clobber a value already in the environment. Pass overwrite=True to force.

Tamper-evident audit

Every secret read is recorded with the agent identity, timestamp, and source IP. Exportable from the audit page.

Works with any LangChain version

The helper imports nothing from langchain itself — it's purely a credential source. Pin whatever LangChain version you like.
