Egress and identity: two products, one pattern
Claude Managed Agents on Cloudflare and Claude Tag arrive at the same design independently: the sandbox never holds a credential, and a boundary proxy attaches one only when a request matches a rule.
Side by side
| Claude Managed Agents (Cloudflare) | Claude Tag (Slack) | |
|---|---|---|
| Where the agent runs | A MicroVM or Isolate sandbox, per session | An ephemeral sandbox, per Slack thread |
| Where credentials live | KV (SECRETS, EGRESS_POLICIES) |
A separate credential store |
| The boundary | An egress proxy compiled from each session's policy | Agent Proxy |
| Default | Deny — unlisted hosts are unreachable | Deny — unlisted hosts are unreachable |
| Three outcomes | policy match + credential injected / allowlist-only, no credential / blocked | rule match + credential injected / allowlist-only, no credential / blocked |
| What the model sees | Never the credential — only the response | Never the credential — only the response |
| Identity while acting | The agent/session's configured identity | The channel's service accounts (Claude app, Claude GitHub App, or a per-tool service account) |
The mechanism is close enough to be the same idea in two products: a request leaves the sandbox, hits a policy checkpoint, and only there does a credential (if any) get attached — the sandbox and the model are never handed the secret itself.
Why this shape keeps showing up
Whenever an agent's "hands" are more powerful than you want its "judgment" to be trusted with directly, the fix is the same: put the credential somewhere the agent can't read it, and put a policy — not the agent's own discretion — between a request and a live secret. Both systems also make the identity scoped to the surface, not the person: a CMA agent's identity is configured per-agent up front; a Claude Tag session acts as the channel's service accounts, not as whoever typed @Claude, so the same request does the same thing regardless of who asked.
What you configure, either way
- Allow rules — which hosts a credentialed request may reach, and which credential attaches
- Allowlist-only rules — hosts reachable without a credential (useful for public APIs)
- Everything else — blocked outright, not just unauthenticated
Cloudflare's version adds header-injection and arbitrary custom Worker proxy code as escape hatches beyond the declarative allow/deny shape; Claude Tag's admin surface (Connections, Allowed websites) is the same shape without needing you to write a proxy.
Related
- Overview
- Sandboxes
- Claude Tag: How agent identity works · Security and data handling
3a790b5d9d8b1509 · verify