arXiv SUDP — Secret-Use Delegation Protocol for Agentic Systems
AI relevance: Today's agent runtimes place reusable secrets inside the agent process, meaning a single prompt injection or tool-side compromise becomes durable account compromise — SUDP proposes a protocol where agents can act with user authority without ever holding reusable credentials.
Overview
Researchers published an updated version of arXiv:2604.24920v3 introducing the Secret-Use Delegation Protocol (SUDP), a formal framework for agentic secret management. The paper identifies the Agent Secret Use (ASU) problem: how can an untrusted autonomous agent cause a user-authorized, secret-backed operation without gaining reusable authority over the underlying secret?
Key Findings
- Authorization by exposure is the default: Current agent runtimes enable action by placing reusable secrets — or artifacts derived from them — inside the runtime. A transient prompt injection then becomes durable account compromise.
- Seven security properties formalized: The paper defines seven properties any solution must satisfy, spanning authorization integrity and secret confidentiality, which the authors present as the first common specification for agentic secret handling.
- Three-party protocol: SUDP separates three roles: a requester (the agent, which proposes an operation), a user (who authorizes it with a fresh, authenticator-backed grant bound to that operation), and a custodian (which holds the secret and redeems the grant by performing the operation). Reusable authority never crosses the requester boundary; the agent only relays one-time grants.
- Hardware-rooted enforcement: Under standard cryptographic assumptions, SUDP satisfies all seven properties when integrated with a hardware-rooted runtime (e.g., TEE-based attestation). The guarantee is conditional on that root of trust; without it, the requester boundary is enforced by software alone.
- Reference implementation available: A working implementation is published at github.com/xhyumiracle/sudp.
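The three-party flow above, as an added illustrative model written for this summary (it is not the paper's protocol, wire format, or the code in the linked repository). The custodian holds the reusable API secret; the user's authenticator issues a grant that is bound to the hash of exactly one operation, carries a fresh nonce, and expires quickly; the requester (agent) relays the grant and never touches any key material. HMAC over a key shared between authenticator and custodian is an assumption standing in for the asymmetric authenticator signature a real deployment would use, and the `send_message` operation and all keys are constructed sample data. The demo also exercises three things an injected agent might try: replaying a grant, swapping the operation after approval, and presenting a stale grant.

```python
"""Three-party secret-use delegation: requester, user authenticator, custodian.

Illustrative model only (not the paper's protocol or reference code):
 - a grant is one-time, time-limited, and bound to the hash of one operation
 - the requester (agent) never sees the custodian's API secret
 - HMAC with a key shared by authenticator and custodian stands in for the
   asymmetric authenticator signature a real deployment would use (assumption)
"""
import hashlib
import hmac
import json
import secrets
import time


def canonical(obj) -> bytes:
    """Deterministic encoding so both sides hash/MAC identical bytes."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def operation_hash(operation: dict) -> str:
    return hashlib.sha256(canonical(operation)).hexdigest()


class UserAuthenticator:
    """Holds the user's authenticator key; issues a fresh grant per approval."""

    def __init__(self, auth_key: bytes):
        self._auth_key = auth_key

    def approve(self, operation: dict, ttl_s: int = 60, now=None) -> dict:
        now = time.time() if now is None else now
        body = {
            "op_hash": operation_hash(operation),  # bound to this operation only
            "nonce": secrets.token_hex(16),        # fresh per grant -> single use
            "exp": int(now) + ttl_s,               # short lived
        }
        tag = hmac.new(self._auth_key, canonical(body), hashlib.sha256).hexdigest()
        return {**body, "tag": tag}


class Custodian:
    """Holds the reusable API secret; acts only against a valid, unspent grant."""

    def __init__(self, auth_key: bytes, api_secret: bytes):
        self._auth_key = auth_key
        self._api_secret = api_secret
        self._spent = set()  # nonces already redeemed

    def redeem(self, operation: dict, grant: dict, now=None) -> dict:
        now = time.time() if now is None else now
        body = {k: grant[k] for k in ("op_hash", "nonce", "exp")}
        expected = hmac.new(self._auth_key, canonical(body), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, grant["tag"]):
            return {"ok": False, "reason": "bad_signature"}
        if grant["op_hash"] != operation_hash(operation):
            return {"ok": False, "reason": "operation_mismatch"}
        if now > grant["exp"]:
            return {"ok": False, "reason": "expired"}
        if grant["nonce"] in self._spent:
            return {"ok": False, "reason": "replayed"}
        self._spent.add(grant["nonce"])
        # Simulated secret-backed call: the API secret is used here and only here.
        receipt = hmac.new(self._api_secret, canonical(operation), hashlib.sha256).hexdigest()[:16]
        return {"ok": True, "receipt": receipt}


class Requester:
    """The agent: proposes operations and relays grants; holds no key material."""

    def __init__(self, user: UserAuthenticator, custodian: Custodian):
        self._user = user
        self._custodian = custodian

    def act(self, operation: dict):
        grant = self._user.approve(operation)
        return grant, self._custodian.redeem(operation, grant)


def demo() -> dict:
    """Honest path plus three attacks an injected agent might try."""
    auth_key = secrets.token_bytes(32)    # constructed sample key
    api_secret = secrets.token_bytes(32)  # constructed stand-in for a real API key
    user = UserAuthenticator(auth_key)
    custodian = Custodian(auth_key, api_secret)
    agent = Requester(user, custodian)

    op = {"action": "send_message", "to": "alice@example.com", "text": "hi"}
    grant, honest = agent.act(op)
    replay = custodian.redeem(op, grant)  # same grant presented a second time
    swapped = custodian.redeem({**op, "to": "attacker@example.net"}, user.approve(op))
    stale = custodian.redeem(op, user.approve(op, ttl_s=1, now=0), now=100)
    return {"honest": honest["ok"], "replay": replay["reason"],
            "swapped": swapped["reason"], "stale": stale["reason"]}


if __name__ == "__main__":
    print(demo())
```

The point to take from the model is where the reusable secret lives: only `Custodian` ever touches `api_secret`, and a compromised `Requester` can at most relay grants it was legitimately given, each usable once and only for the operation the user saw.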
Why It Matters
As agents gain access to APIs, messaging platforms, and cloud services on behalf of users, the question of how secrets are managed inside agent runtimes becomes critical. Existing defenses cover individual pieces — secret storage, scoped delegation, sender-constrained tokens — but leave the combined problem unsolved. SUDP formalizes what has been an ad-hoc problem space and provides a reference architecture that agent framework developers can adopt rather than inventing incompatible approaches.
What to Do
- Audit agent secret handling: Review how your agent frameworks store and access credentials. If secrets live in plaintext in agent memory or config files, a single prompt injection grants durable access.
- Prefer just-in-time credentials: Use short-lived, single-use tokens where possible, ideally bound to one approved operation as SUDP's grants are, rather than long-lived API keys embedded in agent contexts.
- Watch for SUDP adoption: As agent frameworks mature, look for those adopting formal secret delegation patterns rather than ad-hoc credential management.
- Separate agent identity from user identity: Where possible, use distinct service accounts for agent operations rather than user-level credentials with broad permissions.