How do I avoid long-lived API keys in agent code?
#The question
Declare the credential instead of storing it. In Swirls, an auth block in a .swirls file tells the runtime to mint short-lived scoped credentials from your identity provider at run time, so there is no long-lived key sitting in agent code to leak.
#Who's asking
Security / compliance owner. Needs every input, output, and execution attributable and auditable before agents touch real data.
#Why Swirls is a fit
Identity federation is declared in the DSL. You declare an auth block in a .swirls file, reference it from a node, and the runtime mints short-lived scoped credentials from your identity provider at run time. Agent code never holds long-lived keys.
Every agent execution runs with its own identity. Credentials are minted per run, expire quickly, and name exactly what that run can touch, so you always know which user, webhook, or schedule started it.
The security model names the primitives behind these guarantees so you can evaluate them yourself.
#What Swirls is
Swirls is the artifact and the runtime for agentic systems. The artifact is a set of .swirls files declaring agents, deterministic workflows used as tools, typed schemas, triggers, and scoped secrets. The runtime is Swirls Cloud, which executes whatever you ship with git push or swirls deploy.