Every enterprise security review of an AI agent eventually lands on the same question: where do the credentials go, and can the model see them? It’s the right question to ask. An agent that acts in Salesforce, GitHub, or Workday needs access to those systems, and the obvious (but dangerous) way to grant it is to hand the token to the model and hope it behaves. The moment a token enters the prompt or the context window, it can leak through a log line, a trace, or a cleverly worded prompt.

So the answer enterprises actually need is simple: the LLM should never touch a credential at all. That’s how Arcade.dev is built.

The model reasons, Arcade holds the keys

Arcade is the actions runtime that sits between the agent and the systems it acts on. When an agent decides to take an action, it doesn’t receive a token and call the API itself. It asks Arcade to perform the action. Arcade holds the credential, makes the call, and returns only the result. The model works with intent and outcomes, “update the Acme opportunity” going in and “the record is updated” coming back, never the secret that made the call possible. Credentials live in the runtime, not the reasoning loop.

Diagram: an LLM's reasoning produces text on the left and connects through MCP to Arcade.dev, which performs the action and produces a transaction on the right.

That separation is the whole point. The LLM is the worst place in the stack to keep a secret, because everything it sees can end up somewhere you didn’t intend. With tokens kept out of the context window entirely, prompt injection loses its prize. There’s nothing within the model’s reach to steal.

Authorization happens at the moment of action

Arcade uses just-in-time delegated OAuth. The user prompts first, and authorization happens at the moment of action, scoped to exactly what that action requires. Arcade brokers the OAuth flow and integrates with your existing identity provider, whether that’s Okta, Ping, or Entra, instead of minting a standing super-credential the agent carries around. There are no service accounts and no over-scoped tokens waiting to be abused. Every call enforces least privilege at runtime, at the intersection of what the agent is allowed to do and what the user is allowed to do.

Arcade manages the full token lifecycle

Issuing a token once is straightforward. Keeping it safe over time is where do-it-yourself implementations break. Arcade manages the full token lifecycle (refresh, rotation, and mismatch) so credentials stay current and contained without the agent ever handling them. Secrets are managed by the runtime and decoupled from both the agent and the downstream systems it touches. Your AI team builds the agent. Arcade handles the credential plumbing underneath it that security cares about.

Why this clears security review

Credential exposure is one of the fastest ways to get an agent project blocked, and security teams are right to push on it. A leaked token is a breach, and an over-scoped agent is a breach waiting to happen. When credentials never reach the model, the threat model changes. A prompt injection attempt becomes a logged event instead of a stolen key.

Because Arcade is the single point every action passes through, it’s also the single place to prove what happened: which user, which agent, which system, and what action. Those audit logs export to your security information and event management (SIEM) system via OpenTelemetry, so the same isolation that protects your credentials also produces the evidence your auditors ask for.
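The broker pattern described above, as an added sketch that is not Arcade's code or API: a hypothetical in-process broker that keeps the token inside the runtime, checks the agent/user scope intersection at the moment of action, and records an audit event. `perform`, `VAULT`, the scope names, and the token value are all constructed for illustration.

```python
import json

# Constructed sample data; every name and value here is hypothetical.
VAULT = {("alice", "crm"): "tok-constructed-123"}  # secrets stay in the broker
AGENT_SCOPES = {"sales-agent": {"crm.read", "crm.write"}}
USER_SCOPES = {"alice": {"crm.read", "crm.write"}, "bob": {"crm.read"}}
AUDIT = []  # stand-in for the audit stream a real runtime would export


def call_downstream(system, token, action, args):
    """Stub for the real API call; the only function that receives the token."""
    if not token:
        raise ValueError("missing credential")
    # The token is used for the call and deliberately left out of the result.
    return {"status": "ok", "system": system, "action": action,
            "record": args.get("record")}


def perform(agent, user, system, action, scope, args):
    """Run one action for `user`; return only what the model is allowed to see."""
    # Least privilege: the scope must be held by BOTH the agent and the user.
    allowed = scope in (AGENT_SCOPES.get(agent, set()) & USER_SCOPES.get(user, set()))
    token = VAULT.get((user, system)) if allowed else None
    if not allowed:
        outcome = {"status": "denied", "reason": "scope not permitted"}
    elif token is None:
        # No grant yet: the user must authorize this scope, just in time.
        outcome = {"status": "authorization_required", "scope": scope}
    else:
        outcome = call_downstream(system, token, action, args)
    # Audit event: who, which agent, which system, what action, what happened.
    AUDIT.append({"user": user, "agent": agent, "system": system,
                  "action": action, "status": outcome["status"]})
    return outcome


def leaks_secret(obj):
    """True if any vaulted token appears anywhere in a model-visible object."""
    blob = json.dumps(obj)
    return any(tok in blob for tok in VAULT.values())
```

Running `leaks_secret` over both the returned outcome and the audit records is a cheap regression check that no code path copies a credential into something the model or a log consumer can read.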

The payoff is practical. Security approves the enforcement layer once, and every agent after the first ships against the same foundation. At a top-tier financial institution that spent months unable to get agents past security, this model is what cleared the wall. One team in wealth management became four, then a firm-wide standard.

The short version: an agent needs access to do real work, but it does not need to hold the keys. Arcade keeps credentials in the runtime and out of the LLM, authorizes every action just in time against your own identity provider, and manages the token lifecycle so nothing leaks and nothing lingers. The model gets to reason and act. The secrets stay where your security team can see them.