Domain binding
A leaked API key is dangerous because it works anywhere — against any host an attacker chooses. Domain binding removes that freedom. A credential in Veil Keys is bound to one specific upstream host, and the broker physically refuses to send it anywhere else. This is a hard security boundary, not a label or a convention.
The agent supplies a path, never a host
When an agent calls an API through the broker, it does not provide a full URL. It provides only a request path (and method, headers it’s allowed to set, and body). The host is fixed at the moment the credential was registered. There is no field through which the agent can substitute a different destination.
SSRF defenses: the destination is validated, not trusted
Pinning a hostname is not enough on its own — an attacker who could influence resolution might point a name at an internal address. Veil Keys validates the resolved destination and refuses anything that points inward:
- Private and loopback ranges —
127.0.0.0/8,10/8,172.16/12,192.168/16, link-local, and their IPv6 equivalents. - Cloud-metadata endpoints — the instance-metadata addresses used to steal cloud credentials.
- Obfuscated IPv4 forms — octal, hex, decimal, and short forms are all normalized and refused,
e.g.
0x7f.0.0.1,2130706433, and127.1are all recognized as loopback. - DNS rebinding — a hostname that resolves to a private or loopback address is refused, even if the name itself looks public. The check is on the address the request would actually reach.
OAuth token endpoints are locked the same way
OAuth flows introduce a second network destination — the token endpoint that exchanges or refreshes credentials. That endpoint is SSRF-locked identically: it must be a public, declared host, and the same obfuscation and rebinding defenses apply. Critically, the token-endpoint response is never returned to the agent. Refreshed access and refresh tokens are captured inside the broker and used for subsequent calls; the agent only ever sees the eventual upstream API response.
Reveal-equivalent protection: you can’t repoint a secret
Domain binding would be meaningless if anyone could quietly change where a secret is sent. So changing the destination of a filled secret is treated as a read, not a write:
The honest limit
Domain binding enforces what you declared, faithfully. It does not know your intent. Two caveats worth stating:
- Bind to the right host. If you register a secret against the wrong upstream, the broker will serve that upstream. Binding is a guardrail against redirection, not a check on your registration.
- Binding is per-host, path-open by default. A bound credential permits any path on its host unless you layer on finer policy. For high-value credentials, scope agent tokens to the specific tools and methods they need so a single binding isn’t a blank cheque for the whole API surface.
Summary
| Defense | Refuses |
|---|---|
| Host pinning | Any host other than the one the credential is bound to |
| Path-only agent input | Agent-supplied full URLs or alternate hosts |
| Private / loopback / metadata blocking | Internal and cloud-metadata destinations |
| IPv4 obfuscation normalization | Octal, hex, decimal, and short-form encodings of internal IPs |
| DNS-rebinding defense | Public names that resolve to private addresses |
| OAuth token-endpoint locking | SSRF on token URLs; returning token responses to the agent |
| Reveal-gated repointing | Redirecting a filled secret without reveal |