1Password has partnered with OpenAI to address one of the growing security concerns surrounding AI-powered software development: protecting enterprise credentials from leakage, theft, or misuse by agentic coding systems.
The companies on Tuesday announced a new integration for OpenAI Codex that gives AI coding agents access to credentials during development workflows without exposing those secrets in prompts, source code, repositories, terminals, or the model’s context window.
AI coding has become the de facto go-to tool for developing new apps. But there are two issues with this approach: the coding tool is agentic AI and inherits all the agentic security concerns; and app development requires widespread company access to credentials.
“Every action that AI coding agents take against a database, an API, or a deployment pipeline requires access to credentials,” explain Dennis Kromhout van der Meer and Robert Menke in an accompanying blog post. “Today, these credentials typically live in .env files, scripts, or hardcoded in repositories, where they can be easily exfiltrated and are difficult to govern and audit.”
Developing software with a coding agent effectively concentrates multiple secrets into a location that is not inherently secure. The agent could store, leak or expose the secrets. The agent also becomes a high value target for adversaries seeking to steal credentials via prompt injection.
1Password has introduced an Environments MCP Server for Codex in a partnership with OpenAI. It gives Codex access to credentials directly inside coding workflows while keeping those secrets out of prompts, code, and model context. Credentials are issued just-in-time and scoped to the task, while keeping them outside the model’s context window.
“As coding agents take on more of the software development lifecycle, the question isn’t whether to give them access, but how,” says Nancy Wang, CTO at 1Password. “A credential that persists is already compromised. That’s why just-in-time credentials are the only viable security model for AI-native development.”
Learn About Securing AI at the AI Risk Summit | Ritz-Carlton, Half Moon Bay
The 1Password MCP ensures these secrets never leave 1Password. It provides a secure runtime environment where secrets are mounted, used, and discarded, with user authentication required at the moment of access. The credentials never appear in code, terminals, or model context.
The MCP uses 1Password’s vault technology. Secrets remain end-to-end encrypted and centrally managed, with access limited to authorized users and groups, and through custom permissions. It allows teams to use Codex without multiplying the risk by the size of the team.
At runtime, 1Password injects the required variables directly into the application process when it runs. The values exist in memory only for the authorized process, and only for as long as the process needs them. The process streamlines the coders’ workflow (for example, by eliminating the need for a manual secrets cleanup) and ensures the security team retains oversight of how secrets are accessed.
1Password thinks of its new Environments MCP Server for Codex as a proof point for a broader thesis about the future of agent access. “Coding agents are the leading edge of a larger shift: AI agents joining the workforce and needing real access to real systems. Every one of them will need credentials, but none of them should have custody of those credentials,” states the blog. “1Password is building the access architecture for a future where every agent: coding, operational, and customer-facing gets access through the same trusted layer. Codex is where that future starts.”
Related: Claude Code OAuth Tokens Can Be Stolen Through Stealthy MCP Hijacking
Related: Claude Code, Gemini CLI, GitHub Copilot Agents Vulnerable to Prompt Injection via Comments
Related: Malicious AI Prompt Injection Attacks Increasing, but Sophistication Still Low: Google
