
OAuth Token Vault Patterns for AI Agents
AI agents that access third-party APIs on behalf of users (GitHub, Slack, Google Calendar) face a hard security problem: where do the OAuth tokens live? Most tutorials store them in your app database. That works until someone dumps your DB and now has read/write access to every user's GitHub repos, email, and calendar. Here's a better pattern.

The problem

Your AI agent needs to:

- Authenticate users via OAuth to third-party services
- Store access tokens securely
- Refresh tokens when they expire
- Let the agent use those tokens at execution time

The naive approach looks like this:

```javascript
// DON'T DO THIS
const user = await db.users.findOne({ id: userId });
const githubToken = user.github_access_token; // stored in your DB
const repos = await fetch('https://api.github.com/user/repos', {
  headers: { Authorization: `Bearer ${githubToken}` }
});
```

This has several problems:

Your database is now a credential store. Every breach leaks user tokens. T



