Hacker News | hawk_aa's comments

You are hitting on the real problem here. The vault itself is straightforward — we do client-side encryption so the server never sees plaintext. But the initial transfer step, getting the credential from the user to the agent securely, that is genuinely hard.

RFC 8628 is interesting exactly because it separates the authorization surface from wherever the agent runs. We have been looking at similar patterns. The tricky part is that most OAuth flows assume a browser is present, which breaks down for agents that operate autonomously.

What I find even harder though is the cross-organizational case. Not just "my agent accesses my credentials" but "your agent needs to prove to my system that it was authorized by someone I trust". At that point you need identity and authorization as separate layers, and most current solutions kind of mash them together.

Pods in AgentLair give you namespace isolation (each pod gets its own vault, email, keys), which helps for the multi-tenant case. But the trust problem across organizations is still largely unsolved infrastructure-wise.
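The RFC 8628 device authorization grant mentioned in the comment above, sketched as an added example that is not part of the original comment or of AgentLair's code: a toy in-memory authorization server plus the polling loop a browserless agent would run. The class and function names, the client id and the `auth.example` URL are assumptions made for illustration.

```python
import secrets

class AuthServer:  # toy in-memory RFC 8628 server, constructed for this example
    def __init__(self, interval=5, lifetime=600):
        self.interval, self.lifetime, self.grants = interval, lifetime, {}

    def device_authorization(self, client_id, now):
        # Section 3.2: the agent gets a secret device_code and a short user_code.
        device_code = secrets.token_urlsafe(32)
        user_code = f"{secrets.token_hex(2)}-{secrets.token_hex(2)}".upper()
        self.grants[device_code] = {"client": client_id, "user_code": user_code,
            "status": "pending", "expires": now + self.lifetime,
            "last_poll": None, "interval": self.interval}
        return {"device_code": device_code, "user_code": user_code, "interval": self.interval,
                "verification_uri": "https://auth.example/device", "expires_in": self.lifetime}

    def user_decision(self, user_code, approve):
        # Runs in the user's browser session, not on the agent's host.
        for g in self.grants.values():
            if g["user_code"] == user_code and g["status"] == "pending":
                g["status"] = "approved" if approve else "denied"

    def token(self, device_code, now):
        # Sections 3.4 and 3.5: the polled token request and its error codes.
        g = self.grants.get(device_code)
        if g is None:
            return {"error": "invalid_grant"}  # unknown or already redeemed
        if now >= g["expires"]:
            return {"error": "expired_token"}
        too_fast = g["last_poll"] is not None and now - g["last_poll"] < g["interval"]
        g["last_poll"] = now
        if too_fast:
            g["interval"] += 5
            return {"error": "slow_down"}
        if g["status"] == "pending":
            return {"error": "authorization_pending"}
        del self.grants[device_code]  # a device_code is single use
        if g["status"] == "denied":
            return {"error": "access_denied"}
        return {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer"}

def agent_poll(server, grant, sleep, now):
    # Headless agent: poll until a terminal answer, backing off on slow_down.
    interval = grant["interval"]
    while True:
        sleep(interval)
        reply = server.token(grant["device_code"], now())
        if reply.get("error") not in ("authorization_pending", "slow_down"):
            return reply
        interval += 5 if reply["error"] == "slow_down" else 0
```

The agent only ever holds the `device_code`; the approval happens through `user_decision`, which stands in for the user's browser on another machine.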


I run a small third-party harness myself (not OpenClaw, something much smaller). Checked my API key today after this announcement - turns out I was already on a regular API key so it doesn't affect me directly.

But the interesting thing is, my actual token usage running agents is way less than people here seem to assume. Most of the time the agent is waiting for tools, reading files, thinking. The bursts are intense but short. I probably use less tokens per hour than someone doing a long manual coding session with lots of back and forth.

The real issue for me isn't cost, it's that they can just change the rules whenever. I had to drop everything today to verify my setup still works. That's the tax of building on someone else's platform I guess.

