

1Password and OpenAI today revealed they have integrated a Model Context Protocol (MCP) server into the Codex artificial intelligence (AI) coding tool to better secure developer credentials.
As a result, Codex credentials can now be issued on a just-in-time basis to ensure secrets are not logged, cached, reused across sessions or surfaced in unexpected outputs. Instead of sharing .env files or hardcoding credential values, application developers access a shared environment where secrets are made available at runtime, without the values ever appearing in code, terminals, or model context.
1Password CTO Nancy Wang said that, with this approach, developers can in effect grant Codex access to credentials directly inside their coding workflows while keeping secrets outside of code. The MCP server does not read or return secret values through the MCP channel, surface secrets in the model’s context window, or write them to disk. Codex can create environments, list variable names, and invoke applications that use those secrets, but the values themselves never leave the 1Password vault.
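The pattern described above, sketched as an added example that is not 1Password's or OpenAI's code: a hypothetical `SecretBroker` hands the agent only variable names and scrubbed process output, while values reach the child process through its environment. The vault contents, class name and method names are constructed for illustration.

```python
import os
import subprocess
import sys

# Constructed stand-in for a vault; names and values are illustrative only.
SAMPLE_VAULT = {"dev": {"API_TOKEN": "constructed-token-12345",
                        "DB_PASSWORD": "constructed-pw-67890"}}


class SecretBroker:
    """Hypothetical broker: agent-facing methods return names and scrubbed output."""

    def __init__(self, vault):
        self._vault = vault

    def list_variable_names(self, environment):
        # The agent learns which variables exist, never their values.
        return sorted(self._vault[environment])

    def run(self, environment, argv, timeout=30):
        secrets = self._vault[environment]
        # Values go only into the child's environment: not argv, not a file on disk.
        child_env = {**os.environ, **secrets}
        proc = subprocess.run(argv, env=child_env, capture_output=True,
                              text=True, timeout=timeout)
        return {"returncode": proc.returncode,
                "stdout": self._scrub(proc.stdout, secrets),
                "stderr": self._scrub(proc.stderr, secrets)}

    @staticmethod
    def _scrub(text, secrets):
        # Defence in depth: mask any value the child echoed before the
        # output is handed back to the agent. Encoded copies are not caught.
        for name, value in secrets.items():
            text = text.replace(value, f"[REDACTED:{name}]")
        return text


if __name__ == "__main__":
    broker = SecretBroker(SAMPLE_VAULT)
    print(broker.list_variable_names("dev"))
    leaky = [sys.executable, "-c", "import os; print(os.environ['API_TOKEN'])"]
    print(broker.run("dev", leaky)["stdout"])
```

Exact-match scrubbing is only a backstop for a child that echoes a value verbatim; the main control is that the value is never placed anywhere the agent can read.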
As a result, DevSecOps teams can manage coding agents as a tenant rather than another vault where secrets might be stored. Secrets remain encrypted and centrally managed, with access limited to authorized users who have been granted customized permissions, said Wang. Under no circumstances is credential data ever exposed to an AI agent or large language model (LLM) as plain text, she added.
1Password is now making a case for managing the credentials granted to human developers and their AI agents via the same platform, said Wang. In time, 1Password will extend that reach to include multiple AI coding tools, she added.
The credentials developers use to access application development environments have always been a rich target for cybercriminals who are trying to inject malware into a downstream application or IT environment. However, with the rise of AI agents that are capable of autonomously performing a wide range of tasks, the amount of havoc cybercriminals can potentially wreak using a stolen set of credentials is now substantially greater.
Naturally, it’s still early days as far as adoption of AI coding tools is concerned, but it’s now more a question of when rather than if they will be targeted. Cybercrime syndicates have in recent years demonstrated a keen interest in software supply chains that, if compromised, can provide often unfettered access to IT environments, access that might not be discovered for months, if ever.
Unfortunately, too many developers are still relying on traditional passwords to access tools and platforms, even though they can be easily stolen. More challenging still, many of those tools and platforms may not even be managed by cybersecurity teams that, through hard-won experience, have a greater appreciation for the need to protect credentials.
The hope is, of course, that application development and cybersecurity teams are now proactively working more collaboratively to secure software supply chains in the wake of a series of high-profile attacks. The degree to which those efforts will succeed will naturally vary from one organization to another. The one certain thing is that continuing to rely on traditional passwords to access DevOps tools and platforms is now little more than an open invitation to disaster.