Reference architectures/SaaS

Credential controls for AI coding agents

Let coding agents clone, search, and ship while production writes require human approval and signing keys never transmit.

Claude CodeCursorGitHubSigV4Capability JWTmTLS
Claude Code
Cursor
GitHub Copilot
Identity · Okta · mTLS pinning
Developer identity
GatekeeperDeny by default
Commitment hashBOUND
SigV4 signing in enclaveSEALED
Approval step up on prodESCROW
Capability JWTSECONDS
GitHubAWS · SigV4npm registryCI pipelineDeveloper platform
Keys never transmit (SigV4)Prod writes require approvalExactly once execution

Dataflow

01

A coding agent authenticates with the developer’s identity through your IDP. Optional mTLS pins the agent to an enrolled client certificate.

02

Read calls (clone, search, fetch) pass policy silently and complete in milliseconds. Developers feel no friction on the safe path.

03

AWS calls are SigV4 signed inside the enclave. The signing key never transmits; only the computed signature leaves.

04

A write to a production repo or pipeline returns require approval. The call escrows, bound to its commitment hash.

05

The reviewer approves the exact parameters. A capability JWT is minted, scoped to that hash, valid for seconds.

06

The agent’s retry consumes the approval exactly once and the write executes. A modified payload produces a different hash and is rejected.

Components

Coding agents

Claude Code, Cursor, and Copilot connect over MCP with the developer’s identity, never with shared service accounts.

Gateway with mTLS

TLS 1.3 required; client certificates pinned to enrolled agent identities for high assurance teams.

SigV4 signer in enclave

AWS request signing happens inside the attested enclave. The genuine zero knowledge case: the key never leaves.

Approval escrow

Production writes wait on a human. Exactly once execution by atomic consume before execute stops double deploys.

Capability JWTs

ES256 tokens signed by KMS, verified offline across the fleet, bound to subject, tenant, and payload hash.

Security considerations

SigV4 signing is the genuine zero knowledge case: only the signature leaves the enclave, so even the downstream logs never see the key.

Approvals bind to the commitment hash of exact parameters. An agent cannot swap the target repo or branch after approval.

A memory dump of the agent yields short lived identity tokens, never long lived credentials or signing keys.

Exactly once execution stops a retry storm from double running a deploy or duplicating a release.

Deploy this architecture

Walk through the trust model, policy design, and rollout with our security and solutions team.

Learn moreAll architectures