2026-01-10 · 3 min read

Keep Your Keys Out of the Robot

Why AI agents should never hold private keys. The Identity Sidecar pattern keeps secrets secure while agents sign requests.

The Pain Point

To sign things, an AI needs a private key. If you hardcode that key into the AI's code, and the AI has a bug (or gets hacked), your key is gone. It's like gluing your house key to your hand.

The Solution: The Identity Sidecar

We put the "Identity" in a separate, secure box (a "Sidecar") that sits next to the AI.

The AI wants to sign something? It passes a note to the Sidecar: "Please sign this."
The Sidecar checks the rules ("Is this safe?"), signs it, and hands it back.

The AI never touches the private key.

Why It Matters

Security: Even if the AI agent is totally compromised, the attacker can't steal the key.
Compliance: You can rotate keys in the Sidecar without restarting or rewriting the AI.

Key Takeaway: Separate "Church" (Identity/Security) from "State" (Business Logic).

---

← Previous

Ambient Verification: Trust at a Glance

When AI Agents Hire AI Agents