2026-05-25 · 16 pages
Multi-tenant agent platforms have a credential problem that most teams underestimate until production. Every operator brings their own Gmail, Google Sheets, GoHighLevel, and Slack tokens. Those tokens have to be encrypted at rest, scoped to the right user, rotated automatically, and never exposed in logs or event streams. This paper documents how GO Pilot GO solves the problem and recommends the pattern as a baseline.
Layer 1: envelope encryption. Every credential is encrypted with a per-record data-encryption-key, which is itself encrypted with a per-workspace key-encryption-key, which is wrapped by a platform root key held in a managed KMS. Compromising any one layer is insufficient to read credentials.
Layer 2: per-user, per-integration scoping. Tokens are stored under (workspace_id, user_id, integration_id). Agents inherit the user's credentials at invocation time; an agent built by user A cannot accidentally use user B's Gmail. Row-level security enforces this in the database, not just in application code.
Layer 3: short-lived access tokens with refresh rotation. OAuth providers that support refresh rotation get it. The refresh token is replaced on every access-token mint, and the previous refresh token is invalidated after a 60-second overlap to handle clock drift.
Layer 4: in-runtime decryption inside isolated workers. Plaintext credentials live only inside the worker that's executing the current tool call. They never enter the agent's main context window, never enter logs, and never enter the event stream surfaced to the operator's UI.
Layer 5: instant revocation. When a user revokes an integration in settings, the row is hard-deleted and the integration is marked revoked at the workspace cache layer. Any agent run that loads after revocation cannot use the integration; runs in flight are aborted at their next tool-call boundary.
Operational concerns: key rotation cadence (90 days for KEK, opportunistically for DEK on access); secret-scanning in CI to prevent accidental token logs; encrypted backups with separate keys; documented procedures for legal-process credential requests.
This is not novel architecture. It is a list of practices most agent platforms skip because the work is invisible to operators until something goes wrong. We argue that "invisible until wrong" is exactly why this should be table-stakes documented architecture rather than tribal knowledge.
The paper includes a reference schema, an evaluation rubric for assessing other agent platforms' credential handling, and a discussion of where MCP-based authorization delegation could simplify parts of this stack in the next 12 months.