AI agents increasingly are completing real tasks in the browser, acting on behalf of employees, and connecting to the same systems humans rely on to get work done. This introduces a new security problem: AI agents require credentials – passwords, API keys, and one-time codes – to operate. As agents proliferate, the risk surface increases and it brings a variety of identity and access management challenges:
- No single source of truth for secrets management across agentic AI and employees
- Difficulty of revoking credentials/items, especially long-lived ones
- Proliferation of untracked/out-of-date credential grants
Agentic browsers, such as headless agentic browsers or those being driven by AI models without direct human supervision, raise the stakes even higher. As AI agents execute workflows, they get paused while agentic browsers wait for humans to input credentials. In an effort to avoid agents stopping mid-workflow, users often provide credentials directly into a browser-use AI app, which increases credential sprawl. As a result of submitting credentials to the agentic browser, users may expose those credentials to the agent and the underlying LLM, thus increasing the chances of leakage.
Instead of reducing friction, taking these shortcuts can undo years of progress in credential security. They scatter sensitive secrets across agents, prompts, and logs, and create blind spots that traditional IAM and PAM tools were never designed to handle.
The 1Password approach to solving secure access for AI agents using a browser
As we set out to securely enable agents to complete workflows, we knew upfront that we would not compromise on our security principles for AI to solve the problem. Namely:
- Secrets stay secret
- Raw credentials should never enter the LLM context
- Transparency on what AI can see and what it can’t
- Least privilege and minimum exposure by default
The core challenge was developing a solution for agents that need credentials as part of their workflow, yet not allowing that agent to have access to or visibility into the credentials being used. Overlaying that challenge is identifying the role of human-in-the-loop, which is critical to ensuring that all credential use is reviewed and approved for use by a human.
Introducing Secure Agentic Autofill
Secure Agentic Autofill injects credentials via the 1Password Browser Extension into a browser on behalf of an AI agent only when required and always authorized by a person.
Here’s how it works:
Secrets stay secret & raw credentials never enter the LLM context
Secure Agentic Autofill delegates credential storage to 1Password. And to authenticate to websites, 1Password will fill those credentials for you, keeping it separate from the rest of the agentic workflow. As a result, the AI agent and underlying LLM never need to see nor handle the credentials being used to complete the workflow.
To accomplish this, 1Password developed a new protocol to securely request and deliver credentials directly into the browser context. This protocol, built on top of the securely-regarded Noise Framework, creates an end-to-end encrypted channel between the approving 1Password device and remote instance of 1Password’s extension in the browser. With this, the number of contexts that can see your credentials is minimized and your data is secured against a variety of long and short-term real-world risks.
When this happens, the agent informs 1Password that a credential is being requested. At that point, 1Password identifies the appropriate credentials, requests approval from the user via a human-in-the-loop workflow, and injects the credentials directly into the browser if, and only if, the human approves the access. In the case that multiple credentials for a specific site or app are present (e.g., two Amazon accounts), the user receives a prompt to determine which one should be used.
This approach removes the need for a human to include credentials as part of a prompt for a browser-use agent. To put this workflow into practice, we’ve partnered with Browserbase to build a UI for a browser automation workflow.
Show what AI can and can’t see
When setting up Secure Agentic Autofill, 1Password delivers a prompt that clearly details what the agentic browser will be able to request from 1Password on your behalf. For example, with Secure Agentic Autofill, Browserbase is unable to access, see, or modify anything in a 1Password Vault without your approval. Furthermore, any request made for credentials must be approved by a human by default.
Secure Agentic Autofill for AI agents using a browser
Secure Agentic Autofill makes 1Password the secure source of truth for AI agents. Instead of scattering secrets across files, repos, or tokens, organizations can rely on 1Password to deliver credentials for AI agents executing workflows in a browser.
Core capabilities include:
- Just-in-time credential delivery to the browser from the 1Password Browser Extension ensures that credentials are received over an end-to-end encrypted channel only at runtime.
- Human-in-the-loop authentication provides real-time approval prompts before an agent signs in.
- Least privilege limits agent access to only the credentials required for a specific workflow.
Browserbase: The first integration for Secure Agentic Autofill
The first implementation of Secure Agentic Autofill is available through Browserbase, a platform for building and running browser-based AI agents.
With this integration, organizations can:
- Use 1Password as the single source of truth for AI agents that need credentials.
- Securely provide agents with access to login credentials and passwords only when required.
- Eliminate the need for hardcoding secrets.
- Approve or deny requests for browser-use agents in real time.
For teams experimenting with AI-driven browser automation, this integration strikes a balance between productivity and security. By consolidating credential management in 1Password, enterprises reduce complexity while closing down pathways that attackers exploit.
Secure Agentic Autofill is available today in Early Access via an integration with Browserbase.
Get Early Access
Secure Agentic Autofill is available in early access on October 8, 2025, for 1Password customers using Browserbase.
1Password customers can get started at director.ai. Additional information can be found in the Browserbase documentation and 1Password documentation.
Nancy Wang
SVP, Engineering
