Nº 017/Engineering/5 min read/
Building the Python SDK with No get() Method
The CLI and proxy made AgentSecrets a tool. Building the SDK was the decision that made it infrastructure.
That distinction shaped every decision in the SDK design, and the most visible one is the absence of a get() method. There is no way to retrieve a credential value from the SDK into calling code, no restricted path, no deprecated alternative — it was a deliberate omission from the start.
Why the SDK came before the Langchain integration
When we decided to build the SDK, the goal was specific. We wanted developers building MCP servers, agent tools, and framework integrations to be able to build on AgentSecrets in a way that gave their users the zero-knowledge guarantee without those users having to understand or configure anything.
The Zero-Knowledge MCP template was the first thing built on the SDK. A developer clones it, adds their tools, publishes their MCP server, and the users who install it get zero-knowledge credential management by default. The protection is in the architecture of what was built, not in what the end user set up.
The Langchain integration follows the same principle. A Langchain tool built on the SDK makes authenticated API calls without credential values entering the agent's context, and every agent using that tool inherits the guarantee from the single architectural decision the tool author made.
That is what infrastructure means in practice. The decision propagates downstream without requiring each downstream user to make it independently.
The no-get() decision
The decision not to include a get() method was made before the SDK was written, not derived from technical constraints after the fact.
A get() method would have made the SDK a more familiar library, since developers know how to retrieve values from secrets managers and the pattern is a comfortable one. It also would have made the SDK a secrets manager with a nicer interface rather than a layer that changes what agents can do with credentials.
The SDK's job is to make authenticated API calls on behalf of code that should not hold credential values, and that job does not require retrieval. Without a retrieval method, there is no accidental path, no convenience path, no workaround. The only available operations are call(), async_call(), spawn(), and spawn_async(), all of which route through the proxy and keep the value on the proxy side of the boundary.
When a developer reaches for the SDK and finds no get() method, they are not encountering a limitation. They are encountering the architecture. The secure path is the only path, because the SDK was built to make it that way.
What the SDK surface looks like
The core interface is intentionally narrow.
from agentsecrets import AgentSecrets
client = AgentSecrets()
# Make an authenticated API call
response = client.call(
"https://api.stripe.com/v1/balance",
bearer="STRIPE_KEY"
)
# Async version
response = await client.async_call(
"https://api.openai.com/v1/chat/completions",
bearer="OPENAI_KEY",
method="POST",
json={"model": "gpt-4", "messages": [...]}
)
# Spawn a subprocess with credentials injected
process = client.spawn(["python", "script.py"])
Six injection styles cover every REST and OAuth pattern: bearer, basic auth, custom header, query parameter, JSON body, and form field. The management layer exposes workspace operations, secret metadata, allowlist management, and the audit log. None of those operations return credential values.
Building on the SDK
The SDK is designed to be wrapped. A Langchain tool that calls external APIs builds on the SDK at initialization. An MCP server that needs to make authenticated calls uses the SDK for those calls. The credential management is handled by the infrastructure layer, and the tool author does not need to think about it beyond choosing the injection style.
from langchain.tools import BaseTool
from agentsecrets import AgentSecrets
class StripeTool(BaseTool):
name = "check_stripe_balance"
description = "Check the Stripe account balance"
client: AgentSecrets = AgentSecrets()
def _run(self, query: str) -> str:
response = self.client.call(
"https://api.stripe.com/v1/balance",
bearer="STRIPE_KEY"
)
return str(response.json())
The agent using this tool never had a chance to hold the key because there was no step in the execution where that was possible — the tool author wrote four lines of integration code and the guarantee was already in place.
MockAgentSecrets for testing
The SDK ships with a testing client that holds the guarantee in test environments.
from agentsecrets.testing import MockAgentSecrets
mock = MockAgentSecrets(secrets={"STRIPE_KEY": "sk_test_mock"})
response = mock.call("https://api.stripe.com/v1/balance", bearer="STRIPE_KEY")
assert mock.calls[0].credential_ref == "STRIPE_KEY"
assert mock.calls[0].target_domain == "api.stripe.com"
# mock.calls[0].value does not exist
# not None — the attribute is absent from the object entirely
The value field does not exist on call records even in the mock. A developer testing against MockAgentSecrets is testing the real contract, not a looser version of it. If something passes in the mock, it will behave the same way against the real proxy because the constraint is enforced at the object model level, not at the network level.
What comes next for the SDK
Python was first because it is where most AI agent development is happening today. The Go SDK and JavaScript SDK are on the roadmap. The Python SDK came first to reach the developers who need it now, and the interface it established will inform how the other implementations are designed.
The Langchain integration is in progress and the Zero-Knowledge MCP template is already live. As more integrations ship, the ecosystem built on the SDK becomes the practical demonstration of the infrastructure argument: that a developer who builds on AgentSecrets gives their users the zero-knowledge guarantee without requiring those users to know AgentSecrets exists.
AgentSecrets is open source and MIT licensed. The full architecture is at agentsecrets.theseventeen.co. The repository is at github.com/The-17/agentsecrets.