CONCEPT Cited by 1 source
Outbound proxy credential injection¶
Definition¶
An agent-egress security pattern in which secrets are never made available inside the agent's sandbox. Instead, every outbound request from the sandbox passes through a credentialed outbound proxy that injects the credential server-side — i.e. outside the sandbox — into the request before it leaves the operator's perimeter.
The structural property: the agent never has access to API keys, OAuth tokens, database passwords, or any other long-lived credential. The agent emits a request as if it had the credential; the proxy adds the credential after the fact; whatever the agent does inside the sandbox cannot exfiltrate something it never held.
Canonical disclosure¶
The concept was crystallised in Cloudflare's Claude Managed Agents launch post (2026-05-19), quoted directly:
"sandboxed workloads on Cloudflare can use an outbound proxy for fully dynamic, customizable, and zero-trust authentication between sandboxes and external services. This lets you inject secrets into requests outside the sandbox, so the agent never has access to them. This protects against exfiltration attacks."
(Source: sources/2026-05-19-cloudflare-announcing-claude-managed-agents-on-cloudflare.)
The deployment shape is canonicalised at patterns/outbound-worker-proxy-for-agent-egress.
Threat model the pattern targets¶
A modern agent's threat model has two axes:
- Untrusted code in the sandbox — the agent runs LLM-generated commands, parses scraped HTML, processes user input. A credential inside the sandbox is a credential inside the attacker's reach the moment any of those inputs triggers a malicious behaviour.
- Untrusted code-paths in the agent's tool calls — even if the agent itself is well-behaved, individual tool calls may touch hostile endpoints, prompt-injection payloads, or adversarial tool outputs. Anything the tool call can read (env vars, files, memory) can leak via subsequent tool calls.
The pattern takes the credential off both axes: it lives only in the proxy's secure storage. The agent never sees it; the sandbox's filesystem never holds it; environment variables in the sandbox don't carry it. Stealing the credential itself requires compromising the proxy, a much smaller attack surface than the agent's tool runtime. What the pattern does not remove is the agent's ability to use the credential: a compromised sandbox can still drive the proxy into making any request the egress policy permits (a confused-deputy exposure). That is why the endpoint allowlist and per-request policy described below bound the blast radius rather than being optional extras, and why the proxy should discard any credential-like headers the sandbox supplies, so that it remains the sole source of authority on the outgoing request.
What the proxy does (per the launch post)¶
The post enumerates the proxy's responsibilities:
- Inject secrets into requests outside the sandbox — the load-bearing property.
- Allowlist specific endpoints — the agent's outbound URL set is a closed list per tenant / per agent.
- Access private services via Cloudflare Mesh / Workers VPC — the proxy can reach internal endpoints the sandbox cannot. See systems/cloudflare-mesh / systems/cloudflare-workers-vpc.
- Apply egress policy per tenant, per agent, or based on whatever metadata is useful — programmatic policy, not static allowlists.
- Run custom proxy middleware — operators inject business logic into the proxy path.
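The following sketch shows those responsibilities together as a Worker-style fetch handler: tenant lookup, closed allowlist, fail-closed credential injection, redirect containment and a middleware hook chain. It is an added example written for this page, not Cloudflare's code or anything quoted from the launch post. Everything specific in it is assumed: the `X-Sandbox-Tenant` header is taken to be stamped by the sandbox runtime rather than by agent code, secrets are read from the Worker's `env` under invented `CRED_<upstream host>` names, and the policy and middleware shapes are this example's own.

```javascript
// Outbound proxy with server-side credential injection, sketched as a
// Cloudflare Worker-style fetch handler. Added example, not Cloudflare's code.
// Assumed: the sandbox runtime (not the agent) sets X-Sandbox-Tenant; secrets
// live in the Worker's env under CRED_<upstream host>; policy shape is invented.

// Anything credential-like coming out of the sandbox is dropped: the proxy is
// the only source of authority on the upstream request.
const STRIPPED_HEADERS = new Set([
  "authorization", "proxy-authorization", "cookie", "x-api-key", "x-sandbox-tenant",
]);

// Per-tenant closed allowlist: host + path prefix + methods. Deny by default.
const POLICY = {
  "tenant-a": [
    { host: "api.github.com", pathPrefix: "/repos/acme/", methods: ["GET", "POST"] },
    { host: "hooks.slack.com", pathPrefix: "/services/", methods: ["POST"] },
  ],
  "tenant-b": [
    { host: "api.github.com", pathPrefix: "/repos/beta/", methods: ["GET"] },
  ],
};

// Custom middleware runs in the proxy after policy and injection. Each hook may
// veto by returning a Response, or mutate the outgoing request and return null.
const MIDDLEWARE = [
  // Cap URL length: data encoded into paths and query strings is an exfiltration
  // channel that credential injection alone does not close.
  (tenant, req) => (req.url.length > 2048 ? deny(414) : null),
  // Audit stamp for the upstream / SIEM side; the agent never sees this header.
  (tenant, req) => { req.headers.set("X-Egress-Tenant", tenant); return null; },
];

// Uninformative refusal: the sandbox learns only that the request was not sent.
function deny(status) {
  return new Response(null, { status });
}

function matchRule(rules, url, method) {
  return rules.some(r =>
    r.host === url.hostname &&
    url.pathname.startsWith(r.pathPrefix) &&
    r.methods.includes(method));
}

// Decide what to do with one request from the sandbox. Returns { request } to
// forward or { response } to hand straight back. Synchronous so it is easy to test.
function buildUpstreamRequest(agentReq, env) {
  const tenant = agentReq.headers.get("x-sandbox-tenant");
  // Object.hasOwn so a tenant value like "constructor" cannot reach the prototype.
  const rules = tenant && Object.hasOwn(POLICY, tenant) ? POLICY[tenant] : undefined;
  if (!rules) return { response: deny(403) };

  const url = new URL(agentReq.url);
  if (url.protocol !== "https:") return { response: deny(403) };
  if (!matchRule(rules, url, agentReq.method)) return { response: deny(403) };

  // Allowlisted but no credential configured for this host: fail closed.
  const credential = env[`CRED_${url.hostname}`];
  if (!credential) return { response: deny(503) };

  const headers = new Headers();
  for (const [name, value] of agentReq.headers) {
    if (!STRIPPED_HEADERS.has(name)) headers.set(name, value);
  }
  headers.set("Authorization", `Bearer ${credential}`); // injected outside the sandbox

  const upstream = new Request(url.href, {
    method: agentReq.method,
    headers,
    body: ["GET", "HEAD"].includes(agentReq.method) ? undefined : agentReq.body,
    duplex: "half",
    // Never follow a 3xx: a redirect could carry the credential to a host the
    // allowlist did not approve. The 3xx goes back to the agent instead.
    redirect: "manual",
  });

  for (const hook of MIDDLEWARE) {
    const veto = hook(tenant, upstream);
    if (veto) return { response: veto };
  }
  return { request: upstream };
}

// Worker entry point shape (in a real Worker: `export default worker`).
const worker = {
  async fetch(agentReq, env) {
    const decision = buildUpstreamRequest(agentReq, env);
    return decision.response ?? fetch(decision.request);
  },
};
```

Three choices carry the security weight. Inbound credential headers are stripped before injection, so a forged `Authorization` from the sandbox can never compete with the proxy's own. `redirect: "manual"` stops an allowlisted host from bouncing the credentialed request to somewhere the allowlist never approved; the agent's follow-up request is re-evaluated like any other. And the URL-length hook is a reminder that exfiltration through an allowlisted endpoint (data smuggled in paths, query strings or bodies) remains possible and is policy work, which is exactly why the post lists per-tenant policy and custom middleware alongside injection.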
Composition with adjacent concepts¶
- Composes with concepts/capability-based-sandbox — the Dynamic-Workers-tier sandbox starts with no ambient authority (`globalOutbound: null`); the egress proxy is the single bound capability that any outbound request must flow through. The capability model means the agent can't bypass the proxy by reaching a default network stack — there isn't one.
- Composes with concepts/agent-brain-hands-decoupling — once the hands are operator-controlled, the operator controls the egress path; the brain (Anthropic) doesn't see any of the operator's secrets. This is structurally important — the operator's vendor-risk exposure to Anthropic shrinks, and the operator's compliance boundary doesn't extend to a third party.
- Sibling to patterns/credentialed-proxy-sandbox — Cloudflare's Agent Lee post (2026-04-15) canonicalised credentialed-proxy-sandbox at the user-account-permission altitude (sandbox can call read APIs freely, write APIs require an elicitation gate). The Claude Managed Agents post extends the same shape to the general egress altitude (every byte goes through a credentialed proxy that the operator defines per tenant).
- Sibling to patterns/agent-sandbox-with-gateway-only-egress — Redpanda's ADP post (2026-04-14) canonicalised the same shape at the data-plane-ingestion altitude (agents reach external systems only via the ADP gateway; auth flows out-of-band from the sandbox). Three independent canonical instances now co-exist in the wiki: Cloudflare, Redpanda, Anthropic-via-Cloudflare. The thesis is converged.
Why "egress is the only boundary"¶
The deeper property the pattern asserts: for exfiltration, the interior of the sandbox does not need to be trusted as a security boundary. Filesystem permissions, env-var hygiene, kernel hardening, syscall filters — all are useful but auxiliary; the structural invariant is that nothing of value leaves except via a path the operator controls. From the post: "this protects against exfiltration attacks." Once egress is the chokepoint, the other surfaces become defence-in-depth, not the primary control. The invariant holds only while the proxy is genuinely the sole egress path, which is what the capability model above (no default network stack to fall back to) guarantees; a sandbox with any unmanaged network route would silently reinstate every surface just demoted.
Seen in¶
- sources/2026-05-19-cloudflare-announcing-claude-managed-agents-on-cloudflare — canonical wiki origin for the server-side credential injection framing. Names exfiltration-attack defence as the motivating threat model; canonicalises per-tenant per-agent per-metadata policy granularity.
Related¶
- Deployment pattern: patterns/outbound-worker-proxy-for-agent-egress
- Sibling pattern (read-vs-write proxy): patterns/credentialed-proxy-sandbox
- Sibling pattern (gateway-only egress): patterns/agent-sandbox-with-gateway-only-egress
- Substrate: systems/cloudflare-workers / systems/cloudflare-mesh / systems/cloudflare-workers-vpc
- Adjacent concepts: concepts/capability-based-sandbox / concepts/agent-brain-hands-decoupling / concepts/sandbox-poisoning
- Originating system: systems/claude-managed-agents
- Companies: companies/cloudflare