- What: 1Password and OpenAI introduced a new integration to prevent credential leaks in AI coding.
- Impact: Developers using AI coding tools may benefit from this update.
1Password Teams With OpenAI to Stop AI Coding Agents From Leaking Credentials

1Password says AI coding agents should never hold persistent secrets, introducing a just-in-time credential model for OpenAI Codex designed to keep credentials out of prompts, code repositories, and model context.

By Kevin Townsend | May 20, 2026 (9:34 AM ET)

1Password has partnered with OpenAI to address one of the growing security concerns surrounding AI-powered software development: protecting enterprise credentials from leakage, theft, or misuse by agentic coding systems.

The companies on Tuesday announced a new integration for OpenAI Codex that gives AI coding agents access to credentials during development workflows without exposing those secrets in prompts, source code, repositories, terminals, or the model’s context window.

AI coding has become the de facto go-to tool for developing new apps. But there are two issues with this approach: the coding tool is agentic AI and inherits all the agentic security concerns; and app development requires widespread company access to credentials.

“Every action that AI coding agents take against a database, an API, or a deployment pipeline requires access to credentials,” explain Dennis Kromhout van der Meer and Robert Menke in an accompanying blog post. “Today, these credentials typically live in .env files, scripts, or hardcoded in repositories, where they can be easily exfiltrated and are difficult to govern and audit.”

Developing software with a coding agent effectively concentrates multiple secrets into a location that is not inherently secure. The agent could store, leak or expose the secrets. The agent also becomes a high value target for adversaries seeking to steal credentials via prompt injection.

1Password has introduced an Environments MCP Server for Codex in a partnership with OpenAI.
It gives Codex access to credentials directly inside coding workflows while keeping those secrets out of prompts, code, and model context. Credentials are issued just-in-time and scoped to the task, while keeping them outside the model’s context window.

“As coding agents take on more of the software development lifecycle, the question isn’t whether to give them access, but how,” says Nancy Wang, CTO at 1Password. “A credential that persists is already compromised. That’s why just-in-time credentials are the only viable security model for AI-native development.”

The 1Password MCP ensures these secrets never leave 1Password. It provides a secure runtime environment where secrets are mounted, used, and discarded, with user authentication required at the moment of access. The credentials never appear in code, terminals, or model context.

The MCP uses 1Password’s vault technology. Secrets remain end-to-end encrypted and centrally managed, with access limited to authorized users and groups, and through custom permissions. It allows teams to use Codex without multiplying the risk by the size of the team.

At runtime, 1Password injects the required variables directly into the application process when it runs. The values exist in memory only for the authorized process, and only for as long as the process needs them. The process streamlines the coders’ workflow (for example, by eliminating the need for a manual secrets cleanup) and ensures the security team retains oversight of how secrets are accessed.

1Password thinks of its new Environments MCP Server for Codex as a proof point for a broader thesis about the future of agent access. “Coding agents are the leading edge of a larger shift: AI agents joining the workforce and needing real access to real systems.
Every one of them will need credentials, but none of them should have custody of those credentials,” states the blog. “1Password is building the access architecture for a future where every agent: coding, operational, and customer-facing gets access through the same trusted layer. Codex is where that future starts.”

Written By Kevin Townsend

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.
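
The runtime injection model the article describes (secrets present only in the launched process, never in a .env file, the terminal, or the text handed back to the agent) can be sketched as follows. This is an added example, not 1Password's or OpenAI's code: `fetch_secret`, `run_with_secrets`, the variable name `EXAMPLE_DB_PASSWORD` and its value are hypothetical and constructed, and the vault lookup is a stub.

```python
import os
import subprocess
import sys


def fetch_secret(name):
    """Hypothetical stand-in for a vault lookup (constructed value).

    A real broker would authenticate the user at this point and return a
    short-lived credential scoped to the task.
    """
    constructed = {"EXAMPLE_DB_PASSWORD": "constructed-example-value-123"}
    return constructed[name]


def run_with_secrets(argv, secret_names, timeout=30):
    """Run argv with secrets present only in the child's environment.

    Returns (returncode, redacted_output). The parent's os.environ is not
    modified and nothing is written to disk.
    """
    secrets = {n: fetch_secret(n) for n in secret_names}
    child_env = dict(os.environ)  # copy, so the launcher's own env is untouched
    child_env.update(secrets)
    proc = subprocess.run(argv, env=child_env, capture_output=True,
                          text=True, timeout=timeout)
    output = proc.stdout + proc.stderr
    # Redact before the text can reach an agent transcript or a log file.
    for name, value in secrets.items():
        output = output.replace(value, f"[REDACTED:{name}]")
    secrets.clear()
    return proc.returncode, output


# Constructed child program: uses the secret, then carelessly prints it.
CHILD = ("import os; p = os.environ['EXAMPLE_DB_PASSWORD']; "
         "print('connected, len', len(p)); print('debug', p)")


def demo():
    return run_with_secrets([sys.executable, "-c", CHILD],
                            ["EXAMPLE_DB_PASSWORD"])


if __name__ == "__main__":
    code, out = demo()
    print(code, out, sep="\n")
```

Exact-match redaction does not catch a secret the child prints in encoded or truncated form, and a process environment is typically readable by other processes running as the same user, so short credential lifetimes still matter.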