LangSmith Auth Proxy: Keeping Credentials Out of Agent Sandboxes
Summary
- LangSmith Auth Proxy injects credentials at the network layer, not inside the sandbox
- Agents can now call approved APIs without ever seeing the underlying API keys
- Teams can enforce egress policies limiting which hosts sandboxed agents can reach
- The design reduces blast radius from prompt injection, malicious packages, and logging leaks
Details
LangSmith Auth Proxy introduced for agent sandboxes
The proxy sits on the outbound network path from LangSmith Sandboxes, intercepting agent HTTP requests and injecting auth headers before they reach external services. Credentials are never placed inside the sandbox runtime as environment variables or files.
Agents at scale are analogous to millions of untrusted developers with broad access
Unlike a single developer whose access can be monitored and constrained through endpoint tooling, agent deployments can spawn thousands of concurrent instances that run code, install packages, and call external APIs. The attack surface scales with the number of agents.
Credentials are injected at the network layer, never exposed inside the runtime
The proxy intercepts outbound requests and applies authentication headers externally. This means a compromised agent — whether via prompt injection, a malicious dependency, or a model error — cannot read or exfiltrate the underlying API key, because the key never enters the sandbox environment.
Egress policies restrict which external hosts agents are permitted to contact
Teams can define allowlists encoding which destinations — such as OpenAI, Anthropic, GitHub, or internal APIs — a given sandbox may reach. Anything outside that list is blocked at the infrastructure level rather than relying on the agent's own judgment.
Dynamic credential flows support user-scoped APIs and token refresh
The proxy can handle short-lived, user-scoped tokens and coordinate with an external auth service for refresh cycles, enabling agents to act on behalf of specific users without holding long-lived secrets inside the sandbox.
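The three mechanisms described above (credential injection outside the sandbox, a per-sandbox egress allowlist, and proxy-side refresh of short-lived user-scoped tokens) combined in one worked policy engine. This is added illustration code, not LangSmith's implementation: the class names, the `AuthService` stand-in, the host names, the sandbox and user identifiers, and the `PLACEHOLDER_OPENAI_KEY` value are all assumptions made for the example. It also strips any credential header the agent sets itself, so only the proxy ever decides what authentication leaves the sandbox.

```python
"""Deny-by-default egress proxy with proxy-side credential injection (example, not LangSmith code)."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Set, Tuple
import time


class EgressDenied(Exception):
    """Raised when a sandbox tries to reach a host outside its allowlist."""


@dataclass
class Request:
    host: str
    path: str
    headers: Dict[str, str] = field(default_factory=dict)


@dataclass
class Token:
    value: str
    expires_at: float


class AuthService:
    """Hypothetical stand-in for the external auth service: mints short-lived,
    user-scoped bearer tokens so the sandbox never holds a long-lived secret."""

    def __init__(self, clock: Callable[[], float] = time.time) -> None:
        self._clock = clock
        self.issued = 0  # how many tokens were minted (lets us observe refresh)

    def mint(self, user_id: str, audience: str, ttl: float) -> Token:
        self.issued += 1
        return Token(f"user-{user_id}-{audience}-{self.issued}", self._clock() + ttl)


class EgressProxy:
    """Sits on the outbound path: allows/denies by host, then injects credentials."""

    def __init__(self, allowlists: Dict[str, Set[str]], static_keys: Dict[str, Tuple[str, str]],
                 user_scoped_hosts: Set[str], sandbox_users: Dict[str, str], auth: AuthService,
                 clock: Callable[[], float] = time.time, ttl: float = 300.0, refresh_margin: float = 30.0):
        self._allowlists = allowlists          # sandbox_id -> hosts it may reach
        self._static_keys = static_keys        # host -> (header name, value); held only by the proxy
        self._user_scoped = user_scoped_hosts  # hosts that need a per-user token
        self._sandbox_users = sandbox_users    # sandbox_id -> user the agent acts for
        self._auth, self._clock, self._ttl, self._margin = auth, clock, ttl, refresh_margin
        self._cache: Dict[Tuple[str, str], Token] = {}
        self.audit: List[str] = []             # every allow/deny decision, for review

    def _user_token(self, user_id: str, host: str) -> str:
        # Reuse a cached token until it is within refresh_margin of expiry, then mint a new one.
        key = (user_id, host)
        tok = self._cache.get(key)
        if tok is None or tok.expires_at - self._clock() < self._margin:
            tok = self._auth.mint(user_id, host, self._ttl)
            self._cache[key] = tok
        return tok.value

    def handle(self, sandbox_id: str, req: Request) -> Request:
        # Unknown sandbox -> empty allowlist -> denied: the default posture is deny.
        if req.host not in self._allowlists.get(sandbox_id, set()):
            self.audit.append(f"DENY {sandbox_id} -> {req.host}{req.path}")
            raise EgressDenied(f"{req.host} is not in the allowlist for {sandbox_id}")
        # Drop credential headers the agent supplied itself; only the proxy decides auth.
        headers = {k: v for k, v in req.headers.items() if k.lower() not in ("authorization", "x-api-key")}
        if req.host in self._user_scoped:
            headers["Authorization"] = "Bearer " + self._user_token(self._sandbox_users[sandbox_id], req.host)
        elif req.host in self._static_keys:
            name, value = self._static_keys[req.host]
            headers[name] = value
        self.audit.append(f"ALLOW {sandbox_id} -> {req.host}{req.path}")
        return Request(req.host, req.path, headers)


class FakeClock:
    """Controllable clock so token expiry can be demonstrated offline."""
    def __init__(self, now: float = 1_000_000.0) -> None:
        self.now = now
    def __call__(self) -> float:
        return self.now


def build_demo() -> Tuple[EgressProxy, AuthService, FakeClock]:
    """Constructed policy: one sandbox, one static key, one user-scoped host, one internal host."""
    clock = FakeClock()
    auth = AuthService(clock)
    proxy = EgressProxy(
        allowlists={"sbx-1": {"api.openai.com", "api.github.com", "internal.example"}},
        static_keys={"api.openai.com": ("Authorization", "Bearer PLACEHOLDER_OPENAI_KEY")},
        user_scoped_hosts={"api.github.com"},
        sandbox_users={"sbx-1": "alice"},
        auth=auth, clock=clock,
    )
    return proxy, auth, clock


if __name__ == "__main__":
    proxy, auth, clock = build_demo()
    print(proxy.handle("sbx-1", Request("api.openai.com", "/v1/models")).headers)
    try:
        proxy.handle("sbx-1", Request("evil.example", "/exfil"))
    except EgressDenied as e:
        print("blocked:", e)
    print("\n".join(proxy.audit))
```

The agent only ever sees the unauthenticated request it built; the key for `api.openai.com` and the user token for `api.github.com` exist solely in the proxy process. The `audit` list is the hook a team would wire to its logging pipeline to get the auditable record of what each sandbox contacted.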
Separating agent task logic from network authorization is the core design principle
The four-layer model assigns distinct responsibilities: the agent handles the task, the sandbox provides runtime isolation, the proxy controls network auth and credential injection, and an auth service manages tokens. This separation means the security properties hold even when agent behavior is unpredictable or adversarially influenced.
Agents' constrained task scope allows narrower network defaults than human developer environments
Human developers need open-ended access to explore and install new tools. Agents operating on defined tasks do not — which means the default network posture can be deny-by-default with explicit allowlists, a posture that would be impractical for humans but is appropriate for automated agents.
What This Means
As organizations deploy agents that autonomously run code and call external APIs, the credential management practices borrowed from human developer workflows — environment variables, config files — become a serious liability. The LangSmith Auth Proxy represents a shift toward treating agent network access as an infrastructure problem rather than an application problem: credentials and egress rules live outside the agent's reach entirely, so a compromised or manipulated agent cannot escalate into a credential leak. This matters most in enterprise settings where prompt injection attacks and supply-chain compromises in agent dependencies are realistic threat vectors, and where regulatory or compliance requirements demand auditable controls over what systems agents can contact.
