Bitwarden Agent Access SDK integrates with OneCLI for secure credential injection

What this is
Bitwarden has launched an Agent Access SDK that allows AI agents to request credentials from Bitwarden's vault through a human approval workflow. OneCLI is an open-source gateway that implements this SDK by sitting between agents and external APIs, injecting credentials into requests at the network layer.
How it works
Instead of agents fetching and storing API keys in memory (where they're extractable, loggable, and vulnerable to prompt injection), this approach keeps credentials encrypted in Bitwarden's vault until explicitly approved. When an agent needs a credential, it requests access through Bitwarden's SDK, the user approves via Bitwarden CLI, and OneCLI injects the credential into outgoing API requests without the agent ever seeing the raw value.
Key features and configuration
OneCLI proxies every API call the agent makes and handles policy enforcement. The source provides these configuration examples:
```bash
# Configure Bitwarden as credential source
onecli provider add bitwarden \
  --vault-url "https://vault.bitwarden.com"

# Rate-limit API calls per service
onecli rules create \
  --name "Stripe rate limit" \
  --host-pattern "api.stripe.com" \
  --action rate_limit \
  --rate-limit 10 \
  --rate-window 1h
```
Bitwarden adds a mature approval workflow backed by enterprise key management. When a user approves a credential request, OneCLI handles the injection and policy enforcement on every subsequent API call.
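A toy model of the gateway-side flow described above, added here as an illustration and not taken from OneCLI or Bitwarden: the `Gateway` class, its method names, and the Bearer header scheme are assumptions. It shows that nothing is injected before approval, that an agent-supplied `Authorization` header is discarded, and that the 10-per-hour limit from the rule above is enforced.

```python
import time
from fnmatch import fnmatch


class Gateway:
    """Hypothetical credential-injecting gateway; not OneCLI's implementation."""

    def __init__(self, clock=time.monotonic):
        self._secrets = {}   # host pattern -> secret, present only after approval
        self._limits = {}    # host pattern -> (max_calls, window_seconds)
        self._calls = {}     # host pattern -> timestamps of forwarded calls
        self._clock = clock
        self.audit = []      # (timestamp, host, decision); never holds secret values

    def approve(self, host_pattern, secret):
        """Stands in for the human approval step that releases a vault item."""
        self._secrets[host_pattern] = secret

    def add_rate_limit(self, host_pattern, max_calls, window_seconds):
        self._limits[host_pattern] = (max_calls, window_seconds)

    def forward(self, host, headers):
        """Return (decision, outbound_headers) for a request the agent sent."""
        now = self._clock()
        # Discard any Authorization header from the agent: it does not pick credentials.
        out = {k: v for k, v in headers.items() if k.lower() != "authorization"}
        secret = next((s for p, s in self._secrets.items() if fnmatch(host, p)), None)
        if secret is None:
            return self._log(now, host, "deny_unapproved"), None
        for pattern, (max_calls, window) in self._limits.items():
            if fnmatch(host, pattern):
                # Sliding window: keep only calls newer than the window.
                recent = [t for t in self._calls.get(pattern, []) if now - t < window]
                if len(recent) >= max_calls:
                    self._calls[pattern] = recent
                    return self._log(now, host, "deny_rate_limited"), None
                self._calls[pattern] = recent + [now]
        # Assumption: the upstream API expects a Bearer token.
        out["Authorization"] = f"Bearer {secret}"
        return self._log(now, host, "allow"), out

    def _log(self, now, host, decision):
        self.audit.append((now, host, decision))
        return decision
```

The agent only ever receives the decision and the upstream response; the secret exists solely inside the gateway process and is absent from the audit list.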
What users get
- Credentials stay in Bitwarden's encrypted vault until explicitly approved by a human
- OneCLI proxies every API call the agent makes, injecting credentials at the network layer
- Rate limiting and policy enforcement apply to every proxied request
- Audit trail covers both approval (Bitwarden side) and usage (OneCLI side)
- Works with any agent framework that makes HTTP calls to external services
Availability
Both projects are open source. Bitwarden's Agent Access SDK is at github.com/bitwarden/agent-access and OneCLI is at github.com/onecli/onecli. The integration is currently in alpha.
📖 Read the full source: HN AI Agents