This is how keychains should be designed. Never return the secret, but mint a new token, or sign a request.
We need this also for normal usage like development environments. Or when invoking a command on a remote server.
Are you going to add support for services that don't support OIDC, or is this going to be a known limitation?
Yes, that’s the ideal model. For services with OAuth/OIDC/token exchange support, we want to mint short-lived delegated creds instead of returning the underlying secret. For services that don’t support that, we don’t want them to be unsupported entirely. But they’re a weaker security tier: you can still improve custody/rotation/auditability, just not get the full “agent never sees the real secret” property without a proxy/broker/signing layer.
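The two tiers described above, as an added illustration rather than code from this thread or from the project under discussion: a small broker that holds the long-lived secrets and hands callers either a request signature or a short-lived, scoped token, falling back to releasing (and logging) the raw secret only for services that cannot accept delegated credentials. HMAC with a shared key stands in for a real OIDC/token-exchange issuer, and every name here is hypothetical.

```python
import hashlib
import hmac
import json
import secrets
import time


class Broker:
    """Holds long-lived secrets; callers get signatures or short-lived tokens, not the key."""

    def __init__(self):
        self._secrets = {}   # service -> (secret bytes, supports_delegation)
        self.audit = []      # append-only record of every use of a secret

    def register(self, service, secret, supports_delegation):
        self._secrets[service] = (secret, supports_delegation)

    def sign_request(self, service, method, path, body=b""):
        """Sign one request on the caller's behalf; the caller never touches the key."""
        secret, _ = self._secrets[service]
        msg = method.encode() + b"\n" + path.encode() + b"\n" + hashlib.sha256(body).digest()
        self.audit.append(("sign", service, method, path))
        return hmac.new(secret, msg, hashlib.sha256).hexdigest()

    def mint_token(self, service, scope, ttl=300):
        secret, supports_delegation = self._secrets[service]
        if not supports_delegation:
            # Weaker tier: no delegation possible, so the secret itself is released,
            # but custody stays with the broker and the release is audited.
            self.audit.append(("secret_released", service, scope))
            return {"tier": "legacy", "secret": secret}
        claims = {"svc": service, "scope": scope,
                  "exp": int(time.time()) + ttl, "jti": secrets.token_hex(8)}
        payload = json.dumps(claims, sort_keys=True).encode()
        tag = hmac.new(secret, payload, hashlib.sha256).hexdigest()
        self.audit.append(("mint", service, scope, claims["exp"]))
        return {"tier": "delegated", "claims": claims, "tag": tag}


def verify_token(secret, token, now=None):
    """Service-side check: the service holds its own key; the agent only held the token."""
    now = int(time.time()) if now is None else now
    payload = json.dumps(token["claims"], sort_keys=True).encode()
    expected = hmac.new(secret, payload, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, token["tag"]) and token["claims"]["exp"] > now
```

The audit list is what distinguishes the legacy tier from simply handing out secrets: even when the secret must leave the broker, each release is attributable to a caller, scope and time.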