Give every coding agent its own scoped, read-only, expiring set of credentials. Injected at runtime, kept out of your project files, never editable by the agent itself.
AI coding agents can run commands, call APIs, and edit files on your behalf. To do that they need credentials. The default path is dangerous: drop keys into a .env, let the agent read the whole file, and hope it doesn't echo a secret into a log, a commit, or a prompt it sends upstream.
Doppler helps solve this problem today. There are two halves to connecting an agent, and you'll usually set up both:
The result: the agent gets exactly the credentials it needs for the task, plus the context to use them well, and it can't read, modify, or persist anything it shouldn't. Learn how to get started in each of the provider tools below.
| Identity | Best for | Notes |
|---|---|---|
Scoped service token (above) | Individual developers, any plan | Read-only, bound to one config, expiring. The default. Simplest path. |
Service Account Identity (OIDC) | Teams, CI, no static tokens | Team plan feature. Cleaner for shared/automated environments, with no long-lived token. Useful when you've outgrown service tokens. |
Give your agents only the access they need.
Protect secrets across your entire stack with centralized management, automated workflows, and the flexibility to deploy in the cloud or on-prem.
