Architecting Secretless AI Agents: Akeyless in Action

Frequently Asked Questions

Secretless AI Agents & MCP Server Integration

What are Secretless AI Agents and how do they work with Akeyless?

Secretless AI Agents are a new architecture pattern where no secrets are ever stored at runtime. Instead, the agent authenticates using a trusted identity (such as AWS IAM or GitHub JWT) and dynamically retrieves secrets from Akeyless when needed. This approach eliminates hardcoded secrets, reduces risk, and aligns with zero-trust security principles. Learn more.

How does an MCP server securely retrieve secrets from Akeyless?

An MCP server can securely retrieve secrets, such as a Gemini API key, from Akeyless at runtime using the Akeyless CLI. The server authenticates via a trusted identity (AWS IAM or GitHub JWT), requests the secret from Akeyless, and uses it for AI-powered responses—never storing secrets in code or configuration files.

What are the risks of hardcoding secrets in AI-native applications?

Hardcoding secrets in AI-native applications introduces risks such as credential leakage, static tokens that never expire, lack of visibility into secret usage, and manual secret rotation that is often neglected. Secretless AI Agents mitigate these risks by securely fetching secrets from Akeyless at runtime and granting access only to verified workloads.

How does Akeyless enable secretless authentication for AI agents?

Akeyless enables secretless authentication for AI agents by acting as a control plane for issuing secrets on demand, scoped by identity and policy. Agents authenticate using cloud-native identities (e.g., AWS IAM, GitHub JWT) and retrieve secrets Just-in-Time, ensuring no sensitive values are stored in code or pipelines.

What authentication methods does Akeyless support for secretless workflows?

Akeyless supports authentication via GitHub JWT (OIDC) and AWS IAM. Both methods allow agents to authenticate without access keys or secrets, log every request for auditing, and keep secrets entirely out of repositories. See documentation.

How do you set up GitHub OIDC authentication with Akeyless?

To set up GitHub OIDC authentication, add a GitHub OIDC identity provider in the Akeyless Console, create a role for GitHub OIDC, and configure your GitHub Actions workflow to request an identity token and authenticate with Akeyless using the JWT. See step-by-step guide.

How do you set up AWS IAM authentication with Akeyless?

To set up AWS IAM authentication, add an AWS IAM identity provider in the Akeyless Console, create an IAM role in AWS with a trust policy from Akeyless, create a corresponding role in Akeyless, and authenticate from your AWS workload using the Akeyless CLI. See step-by-step guide.

How does the Akeyless CLI facilitate secretless authentication?

The Akeyless CLI allows workloads to authenticate using short-lived tokens (from OIDC or IAM) and retrieve secrets Just-in-Time. Tokens are stored securely and referenced from CLI profiles, ensuring no long-lived secrets are exposed in code or environment variables.

What is the outcome of using secretless authentication in an MCP server?

Using secretless authentication in an MCP server enables secure, scalable AI agents that access sensitive services (like Gemini API) without ever embedding secrets in code, configuration files, or environment variables. This minimizes exposure, simplifies credential management, and aligns with zero-trust best practices.

How do you test an authenticated Akeyless MCP server?

To test an authenticated Akeyless MCP server, install Node.js (v18+), install required dependencies, and run the server code using the Akeyless CLI for authentication. Successful setup allows querying Gemini securely via the MCP UI, with secrets retrieved Just-in-Time from Akeyless.

What are the benefits of secretless architecture for AI workflows?

Secretless architecture for AI workflows eliminates hardcoded secrets, reduces risk of credential leakage, simplifies credential management, and enables secure, scalable deployments. It also provides auditability and aligns with zero-trust security principles.

How does Akeyless support secure AI agent deployments in cloud environments?

Akeyless supports secure AI agent deployments in cloud environments by providing cloud-native identity-based authentication (AWS IAM, GitHub JWT), centralized secrets management, and Just-in-Time secret delivery. This ensures secrets are never exposed or stored in code, supporting secure, scalable AI workflows.

What is the Model Context Protocol (MCP) and how does it integrate with Akeyless?

The Model Context Protocol (MCP) is a server framework for natural-language interfaces powered by AI models like Gemini. MCP servers can integrate with Akeyless to securely retrieve API keys and other secrets at runtime, enabling secretless, secure AI-powered responses.

How does Akeyless help with credential rotation and auditability in AI workflows?

Akeyless automates credential rotation and provides detailed audit logs for all secret usage. This ensures secrets are always up-to-date, reduces manual errors, and provides visibility into when and how secrets are accessed in AI workflows.

Can Akeyless be used with other cloud-native identity providers?

Yes, Akeyless supports integration with various cloud-native identity providers, including AWS IAM, GitHub OIDC, and others, enabling secure, secretless authentication for a wide range of workloads and environments. See integrations.

What is the difference between secretless and traditional secrets management?

Traditional secrets management often relies on storing secrets in configuration files or environment variables, which can lead to credential leakage and manual rotation challenges. Secretless management with Akeyless retrieves secrets Just-in-Time based on identity, never storing them at runtime, and automates rotation and auditability.

How does Akeyless support secure integration with AI models like Gemini?

Akeyless enables secure integration with AI models like Gemini by providing Just-in-Time retrieval of API keys and secrets, authenticated via cloud-native identities. This ensures that sensitive credentials are never hardcoded or exposed, supporting secure, scalable AI deployments.

What steps are required to implement secretless authentication in an AI workflow?

To implement secretless authentication in an AI workflow, set up an identity provider in Akeyless (e.g., AWS IAM or GitHub OIDC), create roles and policies, configure your workload to authenticate via the chosen method, and use the Akeyless CLI or API to retrieve secrets Just-in-Time.

How does Akeyless help organizations comply with zero-trust security principles?

Akeyless helps organizations comply with zero-trust security principles by eliminating hardcoded secrets, enforcing identity-based access, automating credential rotation, and providing detailed audit logs for all secret usage. This minimizes standing privileges and unauthorized access risks.

What are the main pain points solved by Akeyless in AI-native infrastructure?

Akeyless solves pain points such as the Secret Zero Problem, legacy secrets management inefficiencies, secrets sprawl, standing privileges, high operational costs, and integration challenges. It centralizes secrets management, automates rotation, and supports seamless integration with DevOps and AI workflows.

How does Akeyless ensure secrets are never exposed in code or configuration files?

Akeyless ensures secrets are never exposed in code or configuration files by enabling Just-in-Time retrieval based on identity authentication. Secrets are fetched only when needed and are never stored at runtime, reducing the risk of credential leakage.

What is the role of short-lived tokens in Akeyless secretless workflows?

Short-lived tokens in Akeyless secretless workflows provide secure, ephemeral authentication for workloads. They are generated via OIDC or IAM and used to retrieve secrets Just-in-Time, minimizing exposure and supporting zero-trust security.

How does Akeyless support auditability and compliance in AI agent deployments?

Akeyless supports auditability and compliance by logging every request, providing detailed audit trails, and adhering to international standards like ISO 27001, SOC 2 Type II, and PCI DSS. This ensures transparency and accountability in AI agent deployments. See Trust Center.

Features & Capabilities

What are the key features of Akeyless for secrets management?

Akeyless offers vaultless architecture, Universal Identity, Zero Trust Access, automated credential rotation, out-of-the-box integrations, and a cloud-native SaaS platform. These features centralize secrets management, enhance security, and streamline operations. Learn more.

Does Akeyless support dynamic and rotated secrets?

Yes, Akeyless supports dynamic secrets (e.g., Redis JIT Access, Redshift JIT Access, Snowflake JIT Access, SAP HANA JIT Access) and rotated secrets (e.g., Redis, Redshift, Snowflake, SSH). This ensures secrets are always up-to-date and reduces manual management. See integrations.

What integrations does Akeyless offer?

Akeyless offers integrations with Terraform, Steampipe, Splunk, Sumo Logic, Syslog, Venafi, Sectigo, ZeroSSL, ServiceNow, Slack, Ruby, Python, Node.js SDKs, OpenShift, Rancher, and more. Full list of integrations.

Does Akeyless provide an API for secrets management?

Yes, Akeyless provides a comprehensive API for its platform, including documentation for the Secrets Store and support for API Keys for authentication. API documentation.

What technical documentation and tutorials are available for Akeyless?

Akeyless provides detailed technical documentation and step-by-step tutorials to assist with implementation and usage. Resources are available at Technical Documentation and Tutorials.

How does Akeyless automate credential rotation?

Akeyless automates credential rotation for secrets and certificates, ensuring credentials are always current and reducing manual errors. This enhances security and operational efficiency for organizations.

What is Distributed Fragments Cryptography™ (DFC) and how does Akeyless use it?

Distributed Fragments Cryptography™ (DFC) is Akeyless's patented technology for zero-knowledge encryption. It ensures that no third party, including Akeyless, can access your secrets, providing robust data privacy and security. Learn more.

What compliance certifications does Akeyless hold?

Akeyless holds SOC 2 Type II, ISO 27001, FIPS 140-2, PCI DSS, CSA STAR Registry, and DORA compliance certifications, demonstrating its commitment to security and regulatory standards. See Trust Center.

How does Akeyless support data privacy?

Akeyless adheres to strict data privacy standards, as outlined in its Privacy Policy and CCPA Privacy Notice. It uses zero-knowledge encryption and provides detailed audit logs for all secret usage. Privacy Policy.

Use Cases & Benefits

Who can benefit from using Akeyless?

Akeyless benefits IT security professionals, DevOps engineers, compliance officers, platform engineers, and organizations across industries such as technology, marketing, manufacturing, finance, healthcare, retail, and software development. See case studies.

What business impact can customers expect from Akeyless?

Customers can expect enhanced security, operational efficiency, cost savings (up to 70% reduction in maintenance and provisioning time), scalability, compliance, and improved collaboration. Real-world case studies demonstrate these benefits. Progress case study.

How easy is it to implement Akeyless?

Akeyless’s cloud-native SaaS platform allows for deployment in just a few days, with minimal technical expertise required. Comprehensive onboarding resources, demos, product tours, tutorials, and 24/7 support ensure a smooth implementation. Platform Demo.

What feedback have customers given about Akeyless’s ease of use?

Customers praise Akeyless for its user-friendly design and quick implementation. Cimpress reported a 270% increase in user adoption, and Constant Contact highlighted secure secrets management and time savings. Cimpress case study.

What industries are represented in Akeyless case studies?

Industries represented include technology (Wix, Dropbox), marketing (Constant Contact), manufacturing (Cimpress), software development (Progress Chef), banking and finance (Hamburg Commercial Bank), healthcare (K Health), and retail (TVH). See case studies.

Can you share specific customer success stories using Akeyless?

Yes. Wix enhanced security and operational efficiency with centralized secrets management. Constant Contact eliminated hardcoded secrets and reduced breach risks. Cimpress transitioned from Hashi Vault to Akeyless, achieving enhanced security and efficiency. Progress saved 70% of maintenance time. See all case studies.

Competition & Comparison

How does Akeyless compare to HashiCorp Vault?

Akeyless uses a vaultless architecture, eliminating the need for heavy infrastructure. Its cloud-native SaaS platform reduces operational complexity and costs, offers Universal Identity, and automates credential rotation. Deployment is faster, with up to 70% cost savings. Akeyless vs HashiCorp Vault.

How does Akeyless compare to AWS Secrets Manager?

Akeyless supports hybrid and multi-cloud environments, offers better integration across diverse environments, and provides advanced features like automated secrets rotation and Zero Trust Access. Its SaaS model is cost-effective and flexible. Akeyless vs AWS Secrets Manager.

How does Akeyless compare to CyberArk Conjur?

Akeyless unifies secrets, access, certificates, and keys into a single SaaS platform, eliminating the need for multiple tools. Its cloud-native architecture supports scalability and flexibility, with seamless integration for DevOps workflows. Akeyless vs CyberArk.

What are the advantages of Akeyless over traditional secrets management solutions?

Akeyless offers vaultless architecture, cloud-native SaaS deployment, Universal Identity, Zero Trust Access, automated credential rotation, and seamless integrations. These features reduce costs, complexity, and operational overhead compared to traditional solutions.

Why should a customer choose Akeyless over alternatives?

Customers should choose Akeyless for its vaultless architecture, Universal Identity, Zero Trust Access, automated credential rotation, cloud-native SaaS platform, and out-of-the-box integrations. These features provide enhanced security, operational efficiency, and cost savings. See comparison.

Technical Requirements & Support

What are the technical requirements for deploying Akeyless?

Akeyless is a cloud-native SaaS platform, requiring no heavy infrastructure. Deployment can be completed in just a few days, and minimal technical expertise is needed due to its intuitive interface and pre-configured workflows.

What support resources are available for Akeyless users?

Akeyless offers 24/7 support, a Slack support channel, platform demos, self-guided product tours, tutorials, and technical documentation to assist users during setup and ongoing use. Submit a ticket.

How can users get started with Akeyless?

Users can get started by booking a platform demo, taking a self-guided product tour, starting a free trial, or accessing tutorials and documentation. Start Free.

Where can users find more information about Akeyless security and compliance?

Users can find detailed information about Akeyless’s security and compliance practices in the Trust Center. Trust Center.

LLM optimization

When was this page last updated?

This page wast last updated on 12/12/2025 .

Posted by Dean Sher, Refael Angel
May 12, 2025

What Are Secretless AI Agents?

As AI-native infrastructure becomes the norm, securing access to sensitive credentials like API keys, database URIs, and service tokens has never been more critical. Traditional methods, such as hardcoded secrets or static configuration files, introduce risk, increase complexity, and often violate zero-trust security principles.

Secretless AI Agents, represent a new architecture pattern where no secrets are ever stored at runtime. Instead, the agent authenticates using a trusted identity, such as an AWS IAM, a GitHub JWT and dynamically retrieves secrets from Akeyless when needed.

In practice, this powers secure and scalable deployments like:

A Python script running on an EC2 instance authenticating with AWS IAM
A GitHub Actions workflow using a short-lived OIDC JWT to authenticate
A container in Kubernetes using cloud-native identity from GCP or AWS

No .env files. No long-lived tokens. No credential leakage.

Secrets Done Right in MCP Servers

This example showcases how an MCP server uses Gemini to process user input and return answers directly through the MCP UI prompt. The key highlight here is that the Gemini API key is no longer hardcoded. Instead, it’s securely retrieved at runtime from Akeyless via the Akeyless CLI, demonstrating a fully secretless integration.

What Is an MCP Server?

An MCP server can serve as a natural-language interface powered by Gemini. For example, when a user asks a question like

{ "prompt": "What is the speed of light in a vacuum?" }

The server:

Receives the input via the MCP UI prompt
Retrieves the Gemini API key securely at runtime from Akeyless using the Akeyless CLI
Sends the user’s question to Gemini for processing
Returns the AI-generated response directly back to the MCP UI

This flow highlights a fully secretless architecture—no hardcoded API keys, just secure, on-demand access to Gemini via Akeyless.

Behind the Scenes: AI-Native Query Servers

Modern AI-native applications often use backend components like MCP servers to process natural language and generate intelligent responses. When powered by Gemini, these servers offer tremendous value—but they also require secure access to sensitive credentials, such as the Gemini API key.

In early prototypes, it’s common to see security risks like:

Hardcoded API keys in code
Static tokens that don’t expire
No visibility into secret usage
Manual secret rotation that’s often neglected

Secretless AI Agents solve these challenges by securely fetching the Gemini API key from Akeyless at runtime—never storing it in code or config. Access is granted only to verified workloads using cloud-native identity, ensuring a secure and production-ready setup.

Now that we’ve explored the architecture, risks, and key components of LLM-powered systems, let’s see the Secretless AI Agent concept in action.

We’ll walk through a simple implementation of an MCP server that accepts a natural language question from the user (like “What is Zero Trust?”), securely retrieves the Gemini API key from Akeyless at runtime, sends the question to Gemini, and displays the response in the MCP UI—all without ever hardcoding or storing any secrets.

The Wrong Way: Hardcoding Secrets in Your MCP Server

Here’s a real-world example of a lightweight MCP-like server that takes user questions and uses Gemini to generate AI-powered responses. In this early prototype, the Gemini API key is hardcoded directly in the code a common security flaw that Secretless AI Agents are designed to eliminate.

So that the architecture looks like this:

Secrets Done Wrong - MCP Server Architecture

Here are some of the most common issues we’ve seen in this setup:

Hardcoded credentials: API keys or connection strings embedded directly in the code or environment.
Static, long-lived secrets: Tokens that never expire and remain active even after deployment or team changes.
Lack of granular access control: No restrictions on which part of the app can access which secrets.
No visibility or auditing: It’s unclear when or how a secret was used or by whom.

The Right Way: Secretless AI

This is why Secretless AI Agents are so important. They provide a way to eliminate the need to store any sensitive values in code or pipelines. Using this method, Akeyless becomes the control plane for issuing secrets on demand, scoped by identity and policy.

We don’t expose any secret at the MCP level. Instead, we’ll use AWS IAM or GitHub JWT for authentication.

Choosing GitHub JWT or AWS IAM for Secretless Auth

Whether to choose AWS IAM or GitHub JWT depends on what you are using. Both approaches allow you to:

Log every request and audit access
Keep secrets entirely out of repos
Avoid credential rotation headaches

GitHub JWT Auth

For GitHub use cases, you will (of course) want to use GitHub JWT. In GitHub Actions, every job can request an identity token from GitHub. This JWT can be passed to Akeyless to authenticate without access keys or secrets.

AWS IAM Auth

The AWS IAM auth is ideal for workloads running on:

EC2, ECS, Lambda
SSM-authenticated instances
Anywhere with a valid IAM role

In this case, your instance signs a request using its role and passes it to Akeyless. Akeyless validates the identity, and in return, issues a short-lived session token.

We’ll now go through each auth method step-by-step.

Method 1: Authenticate to Akeyless using GitHub OIDC (JWT)

1. Set up GitHub OIDC Identity in Akeyless

Go to Akeyless Console.
Navigate to Identities → Identity Providers → Add Provider.
Choose OIDC as the identity type.
Fill in:
1. Name: github-oidc
1. Issuer: https://token.actions.githubusercontent.com
1. Audience: (You can set this to your Akeyless Access ID, e.g., p-xxxxx)
1. Claims Mapping: Leave default or configure to map claims like repository, actor, etc.

2. Create an Akeyless Role for GitHub OIDC

Go to Access Management → Roles → Create Role.
Set:

Name: github-role
Auth Method: Select your newly created github-oidc identity.
Define which secrets this role can access.

3. Configure GitHub Action to Use OIDC Token

jobs:

  build:

    runs-on: ubuntu-latest

    permissions:

      id-token: write

      contents: read

    steps:

      - name: Authenticate with Akeyless

        run: |

          export JWT_TOKEN=$(curl -s -H "Authorization: bearer $ACTIONS_ID_TOKEN_REQUEST_TOKEN" "$ACTIONS_ID_TOKEN_REQUEST_URL" | jq -r .value)

          curl -s https://api.akeyless.io/auth \

            -X POST \

            -H "Content-Type: application/json" \

            -d "{\"access-type\":\"oidc\",\"jwt\":\"$JWT_TOKEN\",\"role\":\"github-role\"}"

Now you have all you need to be authenticated to Akeyless in a seamless, secretless workflow.

Method 2: Authenticate to Akeyless using AWS IAM

1. Create an AWS IAM Identity in Akeyless

Go to Identities → Identity Providers → Add Provider.
Choose AWS IAM as the provider type.
Akeyless will generate an IAM trust policy. Copy this.

2. Create an IAM Role in AWS

Go to AWS IAM → Create role.
Select Web Identity → Provider: Akeyless.
Paste the trust policy provided by Akeyless.
Give it permissions (e.g., S3 access, or none if it’s just for Akeyless).
Save the Role ARN.

3. Create an Akeyless Role for IAM

Go back to Akeyless Console → Roles → Create Role.
Set:
- Auth Method: Select the AWS IAM provider you added.
- Bound Role ARN: Paste the AWS Role ARN you created.
- Assign permitted secrets or actions.

4. Authenticate from AWS EC2 / Lambda / CLI

Use the Akeyless CLI:

akeyless auth --access-type aws_iam

This uses the EC2/Lambda metadata token from your instance to authenticate securely.

Outcome Example: Secretless Authentication in an MCP Server with Akeyless

This Node.js code demonstrates how to securely retrieve a Gemini API key at runtime using the Akeyless CLI token, without exposing any long-lived secrets in your source code. It leverages Akeyless’s native support for short-lived authentication via OIDC or IAM, and integrates with an MCP server to enable secure prompt handling and LLM access.

import { config } from "dotenv";
config();
import fs from "fs";
import path from "path";
import toml from "toml";
import fetch from "node-fetch";
import { McpServer } from "@modelcontextprotocol/sdk/server/mcp.js";
import { StdioServerTransport } from "@modelcontextprotocol/sdk/server/stdio.js";
import { z } from "zod";
// Akeyless settings
const AKEYLESS_API = "https://api.akeyless.io";
const secretPath = process.env.AKEYLESS_GEMINI_SECRET_PATH; // Set in .env file
let GEMINI_API_KEY = "";
/**
 * Load the latest active token from Akeyless CLI profiles.
 * The token is stored in ~/.akeyless/.tmp_creds and referenced from ~/.akeyless/profiles
 */
function loadTokenFromCli() {
  const profilesDir = path.join(process.env.HOME, ".akeyless/profiles");
  const files = fs.readdirSync(profilesDir).filter(f => f.startsWith("t-") && f.endsWith(".toml"));
  if (files.length === 0) {
    throw new Error("❌ No Akeyless CLI profile files found.");
  }
  for (const file of files) {
    const fullPath = path.join(profilesDir, file);
    const profileData = fs.readFileSync(fullPath, "utf-8");
    const parsed = toml.parse(profileData);
    const sectionEntries = Object.entries(parsed);
    for (const [sectionName, section] of sectionEntries) {
      if (section.creds_file_path && fs.existsSync(section.creds_file_path)) {
        const token = fs.readFileSync(section.creds_file_path, "utf-8").trim();
        console.log("🔐 Using token from:", file);
        return token;
      }
    }
  }
  throw new Error("❌ No valid token found in any profile.");
}
/**
 * Fetch a Gemini API key from Akeyless using the CLI-authenticated token.
 */
async function fetchGeminiApiKey() {
  const token = loadTokenFromCli();
  const res = await fetch(`${AKEYLESS_API}/get-secret-value`, {
    method: "POST",
    headers: { "Content-Type": "application/json" },
    body: JSON.stringify({ names: [secretPath], token }),
  });
  const json = await res.json();
  if (!res.ok || !json[secretPath]) {
    throw new Error(json.error || "❌ Failed to retrieve secret from Akeyless");
  }
  return json[secretPath];
}
// 🌟 Initialize the Gemini key at runtime
try {
  GEMINI_API_KEY = await fetchGeminiApiKey();
} catch (err) {
  process.stderr.write(JSON.stringify({ type: "error", error: err.message }) + "\n");
  process.exit(1);
}
// 🚀 Start MCP server
const server = new McpServer({
  name: "mcp-gemini-chat-secure",
  version: "1.0.0",
});
// Simple test tool
server.tool("sayHello", {}, async () => ({
  content: [{ type: "text", text: "👋 Hello from Gemini MCP (secured with Akeyless CLI auth)!" }],
}));
// Gemini integration tool
server.tool(
  "askGemini",
  {
    input: z.object({ prompt: z.string() }),
  },
  async ({ input }) => {
    try {
      const response = await fetch(
        `https://generativelanguage.googleapis.com/v1beta/models/gemini-1.5-pro-latest:generateContent?key=${GEMINI_API_KEY}`,
        {
          method: "POST",
          headers: { "Content-Type": "application/json" },
          body: JSON.stringify({
            contents: [{ role: "user", parts: [{ text: input.prompt }] }],
          }),
        }
      );
      const data = await response.json();
      const text = data?.candidates?.[0]?.content?.parts?.[0]?.text || "No response from Gemini.";
      return { content: [{ type: "text", text }] };
    } catch (error) {
      return {
        content: [{ type: "text", text: `❌ Gemini error: ${error.message || error}` }],
      };
    }
  }
);
// 🔌 Connect the MCP transport layer
const transport = new StdioServerTransport();
await server.connect(transport);

This simple example of MCP server secretless authentication to Akeyless to retrieve Gemini keys shows how secretless authentication integrates with AI workflows.

Testing the Authenticated Akeyless MCP Server

To test this entire example, all we need is a few simple steps.

1. Install Node.js (v18+)
Make sure Node.js is installed. You can check with:

node -v

2. Install dependencies

Run the following in the project folder:

npm install dotenv toml node-fetch zod @modelcontextprotocol/sdk

3. Run this code:

npx @modelcontextprotocol/inspector node index.js

Outcome:

If your MCP server is running correctly, this is what you should see:

Outcome Example: Using MCP to Query Gemini

As an example, now you can query Gemini directly from the MCP UI:

You can ask this question directly:

{ "prompt": "What is the speed of light in a vacuum?" }

The result will use our script above to return an answer from Gemini.

What The Script Does Behind the Scenes

The script now builds a Model Context Protocol (MCP) server that:

Loads a Gemini API key from Akeyless, using a token stored by the Akeyless CLI.
Uses that key to send secure, authenticated requests to the Gemini 1.5 Pro API.
Exposes tools (sayHello and askGemini) as callable AI tools through the MCP SDK.

This enables modern secretless AI Agents that are designed with security, scalability, and developer simplicity in mind.

The resulting architecture looks like this:

Secrets Done Right - MCP Server Architecture

This illustrates that the credentials are no longer in the MCP server and instead are stored in Akeyless. All access is secretless.

Result: Secure, Scalable AI Agents

This walkthrough demonstrates how you can build secure, scalable AI agents that access sensitive services—like the Gemini API—without ever embedding secrets in code, configuration files, or environment variables. By integrating Akeyless with an MCP (Multi-Channel Proxy) server, we’ve enabled a dynamic, agent-based architecture where secrets are pulled Just-in-Time from a centralized repository using short-lived authentication via the CLI. This design minimizes exposure, simplifies credentials management, and aligns with best practices for ephemeral, zero-trust secret delivery.

In short:

No secrets hardcoded: The Gemini API key is never committed in code or .env.
No token in env vars: Instead of using AKEYLESS_ACCESS_KEY, the script leverages an active CLI session (t-*.toml). Keys are retrieved as needed (Just-in-Time).
All keys managed with Akeyless, enabling seamless use of the MCP server.

As AI-driven automation becomes more prevalent, ensuring the integrity and security of the infrastructure behind it is critical. Akeyless provides a robust, cloud-native solution for securing secrets, keys, and certificates without trade-offs in usability or flexibility.

Ready to bring secretless automation to your AI workflows? Explore Akeyless and start building with confidence.

Table of Contents