Claude's Managed Agents present several security challenges when operating in multi-user environments. This interface project exists to address them.
The Managed Agents Credential Vault cannot hold multiple credentials for the same service within a single vault. For example, there is no way to store Notion MCP auth credentials for multiple users in one vault and distinguish between them.
This constraint means each vault must map to exactly one user. If this mapping is ambiguous, a Confused Deputy Problem arises: one user's agent could end up operating on an external service using another user's permissions.
When users register their Slack or Notion access tokens, they also need a mechanism to run OAuth flows without relying on the Claude platform directly. This avoids unintended edits to agents or misuse of vaults on the Claude platform, and reduces user management overhead. Specifically, the interface needs to support the following flow:
- Under the assumption that multiple users share the system, retrieve the authenticated user's identity upon login.
- Provide a button-driven way to initiate OAuth for Notion, Slack, and similar integrations.
- Automatically store the acquired refresh tokens and access tokens in the Credential Vault that corresponds to that user.
- At session start, identify the active user and bind their corresponding vault so that only their own permissions are in effect.
When creating a Managed Agent, you can freely select from various MCP servers. The tools exposed by these MCP servers should be governed by an allow list. Currently, write permissions are granted automatically.
For agents that require careful handling, whether writes are allowed directly affects risk. The interface needs to present users with a write on/off control at agent creation time, alongside an allow list management workflow for MCP servers.
When creating a session to run an agent, knowing which user is operating is essential. The interface must provide a reliable identification mechanism so that the correct vault is bound to the session.
Given these challenges, this project builds an interface that achieves three things:
- Per-user automatic management of Credential Vaults (creating a vault per user, auto-storing OAuth tokens).
- MCP server allow list management for agents, including per-tool permission controls (write on/off).
- Reliable user identification at session creation (identifying the operator and binding the corresponding vault).
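Putting the three goals together as an added illustration (not the project's own code, and using no Claude Platform API): a hypothetical in-memory registry that enforces one vault per user and refuses to bind a session for an operator it cannot identify, beside an MCP allow list with a per-server write switch. The type and function names are assumptions made for this example.

```go
package main

import (
	"errors"
	"fmt"
)

// Hypothetical in-memory model added to illustrate the design; not the project's code.
var (
	ErrNoVault   = errors.New("no vault bound to this user")
	ErrAmbiguous = errors.New("vault already belongs to another user")
)

// VaultRegistry maps an authenticated user ID to the vault ID created for them.
type VaultRegistry map[string]string
// Register maps a user to a vault; a vault may never serve two users' agents.
func (r VaultRegistry) Register(userID, vaultID string) error {
	for u, v := range r {
		if v == vaultID && u != userID {
			return ErrAmbiguous
		}
	}
	r[userID] = vaultID
	return nil
}

// BindSession resolves the operator's vault at session start; unknown users get no default vault.
func (r VaultRegistry) BindSession(userID string) (string, error) {
	v, ok := r[userID]
	if !ok {
		return "", ErrNoVault
	}
	return v, nil
}

// MCPPolicy is an agent's MCP server allow list with a per-server write switch.
type MCPPolicy map[string]bool // server name -> writes allowed
// Authorize denies servers off the allow list, and write tools unless enabled.
func (p MCPPolicy) Authorize(server string, isWrite bool) bool {
	writes, ok := p[server]
	return ok && (!isWrite || writes)
}

func main() {
	reg := VaultRegistry{}
	_ = reg.Register("alice", "vault-alice")
	fmt.Println(reg.Register("bob", "vault-alice")) // vault already belongs to another user
	p := MCPPolicy{"notion": false, "slack": true}
	fmt.Println(p.Authorize("notion", true), p.Authorize("slack", true)) // false true
}
```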
- cmd/service-connection/: Service Connection service
- cmd/setup-session/: Initial setup for Managed Agent sessions
- cmd/skill-sync/: Syncs locally stored skill files to the Claude Platform
- Security of Claude Managed Agents (Blog Post) - Detailed security analysis of Claude Managed Agents architecture and how this project addresses the Confused Deputy Problem
- Authenticate with vaults - Claude Platform Docs
