what should a password manager for ai agents do?
A human password manager is designed around a person choosing a login and filling it into a trusted browser. An agent password manager must also decide which agent can retrieve which credential, for how long and with what record of access.
storing a secret is only the first problem
A traditional vault answers where a password lives. It does not automatically answer whether an agent should receive it now. Agent authentication needs a permission layer tied to the connected agent, the requested account and the duration of access.
Broad vault access is convenient, but it increases the impact of prompt injection, a compromised MCP server or an agent that writes secrets into its own logs.
retrieval and injection have different risks
Some runtimes retrieve a password as a tool result. That lets the agent use the value anywhere, but the value may enter model context or traces. Browser injection can keep the password away from the model, but it requires control of the browser and still does not authorize the resulting action.
Decoy currently returns an approved password to the local agent runtime. The server remains blind, but the runtime determines whether the password is logged, placed in model context or passed to another tool. A browser extension path can provide a tighter boundary for normal autofill workflows.
a useful agent password manager needs five controls
- Account scope so the agent does not receive unrelated logins.
- Field scope so a task can request a password, TOTP, address or card separately.
- Duration so access can expire automatically.
- Revocation so future retrieval stops immediately.
- An audit record that names the connected agent and accessed information.
Decoy combines the login with the rest of the task
A password often is not enough. The same workflow may need an emailed code, live TOTP, passkey assertion or checkout details. Decoy puts those behind the same user-controlled connection instead of requiring separate Gmail, password-manager and autofill integrations.
common questions
does the AI agent receive the plaintext password?
Yes, in the current MCP retrieval flow. The password is decrypted locally for the approved agent. Decoy's server never receives plaintext, but the agent runtime must handle the value safely.
can users import existing passwords?
Users do not need to migrate everything. They can add only the accounts an agent needs. Decoy imports from Apple Passwords, and CSV data from other managers can be saved through the API.
does revoking access rotate a password?
No. Revocation stops future Decoy retrieval. If an agent may have retained a reusable password, the user should rotate that password.
