Run AI coding agents with Doppler

Give every coding agent its own scoped, read-only, expiring set of credentials. Injected at runtime, kept out of your project files, never editable by the agent itself.

Why this matters

AI coding agents can run commands, call APIs, and edit files on your behalf. To do that they need credentials. The default path is dangerous: drop keys into a .env, let the agent read the whole file, and hope it doesn't echo a secret into a log, a commit, or a prompt it sends upstream.

Doppler helps solve this problem today. There are two halves to connecting an agent, and you'll usually set up both:

  1. Inject scoped-down secrets at runtime: Use a branch config in Doppler to only hold secrets a given agent needs. You can use a scoped, read-only, expiring service token bound to that config and use doppler run to inject those secrets as environment variables into the agent process at launch. The credentials live in the process environment for the life of the process, never in a .env or project file, and never editable by the agent.
  2. Connect the Doppler MCP server. The agent gets a read-only window into Doppler itself: listing projects, inspecting configs, understanding the secret layout before it writes code that depends on it.

The result: the agent gets exactly the credentials it needs for the task, plus the context to use them well, and it can't read, modify, or persist anything it shouldn't. Learn how to get started in each of the provider tools below.

Choosing your agent's identity

IdentityBest forNotes

Scoped service token (above)

Individual developers, any plan

Read-only, bound to one config, expiring. The default. Simplest path.

Service Account Identity (OIDC)

Teams, CI, no static tokens

Team plan feature. Cleaner for shared/automated environments, with no long-lived token. Useful when you've outgrown service tokens.

Why Doppler for agents?

Give your agents only the access they need.

Built-in MCP access

The Doppler MCP server gives agents read-only access to projects and configs, providing context without holding the keys.

Expiring tokens

Short lifetimes with built-in rotation removes the potential ramifications of long-lived access.

Read-only by default

Service tokens fetch secrets but can't change them, so the agent can't tamper with its own credentials.

No secrets in your repo

Injected at runtime instead of written to a .env, so agents can't read, log, or commit them.

Scoped blast radius

One config per agent keeps a risky automated task isolated from your everyday assistant.

Full audit trail

Every secret access is logged, so you can see exactly what the agent touched and when.

Pick your tool