Proton Pass: Can the new AI Access Tokens make AI agents safer?
TL;DR
- AI Access Tokens give AI agents read access to selected Pass vaults, with a configurable lifespan and an audit log.
- For SMEs, this is a clear step up from credentials sitting in the prompt or in a .env file.
- They don’t replace 2FA, don’t protect against prompt injection, and don’t help on a compromised device. Treat the tokens like privileged API keys.
On 22 May 2026, Swiss company Proton announced a new feature called AI Access Tokens for its password manager Proton Pass. The idea is to let AI agents and scripts access individual password-manager entries in a scoped, auditable way. The problem Proton is going after is how AI agents tend to handle secrets today. When an agent needs a password, it often sits directly in the prompt or in a .env file. And when AI agents do reach into a password manager, their permissions are usually broad. OWASP lists this pattern as “Excessive Agency” in its Top 10 for LLM Applications. For SMEs running AI agents in accounting, sales, or support, the question is whether the new feature actually moves the needle. We took a closer look.
What are AI Access Tokens?
An AI Access Token is a credential that grants restricted, read-only access to one or more Pass vaults. You create it in the Pass settings; Proton then shows a code snippet containing the token, which you embed in the agent or the script. The agent uses it to retrieve entries via the Proton Pass CLI. Proton highlights three properties that define AI Access Tokens:
- Scoped: The token is bound to selected vaults. The agent gets read access to entries in those vaults but can’t add or change anything. Whoever obtains the token sees only what’s inside the vaults the token covers.
- Expiring: The lifespan can be set anywhere from one hour to one year. After expiry, the token stops working. It can also be revoked manually at any time.
- Auditable: Every access through the token is logged together with a reason in an audit log. The log shows which entry was retrieved, when, and for what purpose.
Technically, AI Access Tokens are designed along similar lines to Personal Access Tokens for the Pass CLI. The credentials themselves remain end-to-end encrypted and are only decrypted locally in the Proton client that uses the token. For teams, the feature is available in Pass Professional and Proton Workspace; for individuals and families, in Pass Plus, Pass Family, and Proton Unlimited. If your team doesn’t have a password manager in place yet: Proton Pass for Business is the direct entry point.
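To make the three properties concrete, here is a toy model of such a token in Python. It is an added example, not Proton's implementation and not a description of the real token format: the JSON claims, the HMAC signature, the vault and entry names are all assumptions. What it shows is what a holder of the token can and cannot do: read the in-scope vaults until expiry or revocation, and nothing else, including not widening the scope by editing the token.

```python
"""Toy model of a scoped, expiring, revocable, audited read-only token.

Added example for this article. It is NOT Proton's implementation and
makes no claim about the real token format; it only reproduces the
properties the article lists (scoped to vaults, expiring, revocable,
audited) so the behaviour of a leaked bearer token is easy to reason
about. Vault and entry names, the JSON claims and the HMAC signature
scheme are all assumptions.
"""
import hashlib
import hmac
import json
import secrets
import time
from dataclasses import dataclass, field

# Constructed sample vault contents (toy plaintext; real entries are E2E encrypted).
VAULTS = {
    "Accounting": {"bank-portal": "bank-pw-1", "card-portal": "card-pw-1"},
    "Sales": {"crm": "crm-pw-1"},
    "Main": {"proton-admin": "admin-pw-1"},
}


class AccessDenied(Exception):
    pass


@dataclass
class TokenService:
    signing_key: bytes = field(default_factory=lambda: secrets.token_bytes(32))
    revoked: set = field(default_factory=set)      # token ids revoked by the owner
    audit_log: list = field(default_factory=list)

    def _sign(self, payload: bytes) -> str:
        return hmac.new(self.signing_key, payload, hashlib.sha256).hexdigest()

    def issue(self, vaults, ttl_seconds, now=None) -> str:
        """Mint a read-only token bound to `vaults`, valid for ttl_seconds."""
        now = time.time() if now is None else now
        claims = {"id": secrets.token_hex(8), "vaults": sorted(vaults),
                  "perm": "read", "exp": now + ttl_seconds}
        payload = json.dumps(claims, sort_keys=True).encode()
        return payload.hex() + "." + self._sign(payload)

    @staticmethod
    def token_id(token: str) -> str:
        """The id is readable by anyone holding the token (it is a bearer credential)."""
        return json.loads(bytes.fromhex(token.split(".", 1)[0]))["id"]

    def revoke(self, token_id: str) -> None:
        """Owner action from the settings UI; takes effect on the next use."""
        self.revoked.add(token_id)

    def _verify(self, token, now):
        try:
            hexpayload, sig = token.split(".", 1)
            payload = bytes.fromhex(hexpayload)
        except ValueError:
            raise AccessDenied("malformed token")
        # Signature first: the holder cannot widen the vault list or push out `exp`.
        if not hmac.compare_digest(sig, self._sign(payload)):
            raise AccessDenied("bad signature")
        claims = json.loads(payload)
        if claims["id"] in self.revoked:
            raise AccessDenied("revoked")
        if now > claims["exp"]:
            raise AccessDenied("expired")
        return claims

    def get_entry(self, token, vault, entry, reason, now=None) -> str:
        """Read one entry; every request that passes verification is audited."""
        now = time.time() if now is None else now
        claims = self._verify(token, now)
        allowed = vault in claims["vaults"] and entry in VAULTS.get(vault, {})
        self.audit_log.append({"ts": now, "token": claims["id"], "vault": vault,
                               "entry": entry, "reason": reason,
                               "outcome": "allowed" if allowed else "denied"})
        if not allowed:
            raise AccessDenied("out of scope")
        return VAULTS[vault][entry]

    def put_entry(self, token, vault, entry, value, now=None):
        """Tokens are read-only: writes are refused regardless of scope."""
        self._verify(token, time.time() if now is None else now)
        raise AccessDenied("read-only token")
```

The thing to notice is that `get_entry` never asks who is calling: holding the string is the whole authorisation, which is why the rest of this article treats the token like a privileged API key.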
Where can SMEs put the new AI Access Tokens to use?
Proton describes several concrete scenarios in its own blog post. Two of them are particularly relevant for SMEs.
The first scenario is an AI agent that pulls monthly transactions from a banking or card portal for accounting, categorises them, and flags unusual activity. In practice, that has meant either handing the agent the full banking credentials, or exporting the data manually. With an AI Access Token scoped to an “Accounting” vault that holds only the portal entry, the agent can retrieve exactly that one entry, and the audit log records when it did so and with what stated reason. Note that the agent still ends up holding the banking password; the gain is that the credential is scoped, expiring and audited, not that it is hidden from the agent.
The second scenario is a sales or customer-success agent that checks the CRM for what happened most recently with a lead before a customer call, then drafts follow-up emails. Most teams today give the agent service-account access to the entire CRM. A scoped token that sees only the CRM entry in the “Sales” vault and expires after three hours limits the blast radius if the agent pipeline is manipulated or compromised. Proton describes similar setups for Jira triage, fitness reports, or energy dashboards. In every case, it pays to set up a dedicated vault per agent, clearly separated from your main vault.
Where does the AI Access Token feature hit its limits?
The new feature has clear upsides, but also clear limits.
First, the token itself is a bearer credential. Whoever gets hold of it sees everything in the scoped vault until the token expires or is revoked. That’s better than a leaked master password, but it’s not full protection. AI Access Tokens have to be treated like privileged API keys. That means short lifespans and regular rotation (issue a new token, revoke the old one). As always, these credentials shouldn’t be checked into a repository, and they shouldn’t be pasted into a prompt either, which would recreate the problem the feature exists to solve. The audit log also gives you a way to review access regularly. That said, it appears the log can only be exported manually as a CSV from the admin panel. Native SIEM integrations are already on offer at 1Password (Splunk), Bitwarden (Splunk), and Keeper (Splunk, Sentinel, Datadog, syslog). To feed Proton’s access events into an existing security monitoring pipeline today, you have to go through the manual export.
Second, AI Access Tokens are no substitute for 2FA on third-party accounts. They only control how the agent gets at the credentials. If the banking account isn’t protected by a strong second factor, even the best token won’t help once the password leaks somewhere else. The Proton account itself also needs strong 2FA. Anyone with access to it can create or revoke AI Access Tokens at will.
Third, the feature doesn’t protect against prompt injection or goal hijacking. An agent that is misled through manipulated web pages, emails, or tickets can use its token legitimately and still cause damage. The audit log helps with the post-mortem, but it doesn’t prevent the incident.
Fourth, AI Access Tokens don’t help on a compromised device. Malware can read tokens or already-fetched credentials directly out of memory. That’s not specific to Proton. AI Access Tokens are just one layer in the security model. The endpoint remains its own line of defence.
How are other password managers handling AI agents?
The other major vendors are approaching the same problem differently. 1Password and Keeper go for “access without exposure”. Secrets are injected at runtime into browsers, processes, or coding tools like Claude Code, Cursor, or Codex, without ever entering the LLM context. The model never sees the cleartext; it only works with the authenticated session.
Bitwarden takes a mixed approach. An MCP server enables vault actions through AI assistants. The Agent Access SDK is explicitly positioned as a response to AI agents being handed “the keys to everything” today. It passes secrets to the agent at runtime without making them visible inside the model context. Bitwarden also recommends running locally hosted models so activity stays under your own access controls.
Proton takes a pragmatic middle ground. AI agents can use secrets via the CLI but only with restricted access, time-limited, and audited. That’s less strict than “access without exposure”, but easier to set up than a dedicated Privileged Access Management (PAM) solution. For many SME scenarios, particularly classic web logins without MCP integration, it can be a sensible compromise if Proton Pass is already in use at the company. Otherwise, it’s worth looking at the options from Bitwarden, 1Password, or Keeper.
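To make the difference between the two approaches concrete, here is an added Python sketch of the “access without exposure” pattern described above. It is not 1Password’s, Keeper’s, Bitwarden’s or Proton’s code: the credential store, the portal and its data are constructed stand-ins. The structure is the point: the secret is resolved and used inside a tool, and only non-secret results (an opaque session handle, the fetched data) cross the boundary into what the model gets to read. A final output guard catches a tool that does leak.

```python
"""Tool boundary that keeps a credential out of the model context.

Added example of the "access without exposure" pattern; not any vendor's
code. _STORE, _PORTAL_USERS and _PORTAL_DATA are constructed stand-ins
for the password manager and the third-party portal.
"""
import json
import secrets

# Constructed stand-ins. Only tool functions may touch _STORE.
_STORE = {"Accounting/bank-portal": {"user": "finance@example.com", "password": "bank-pw-1"}}
_PORTAL_USERS = {"finance@example.com": "bank-pw-1"}   # what the toy portal checks against
_PORTAL_DATA = {"finance@example.com": [
    {"date": "2026-05-03", "amount": -120.50, "payee": "Office supplies"},
    {"date": "2026-05-07", "amount": 4800.00, "payee": "Customer invoice 1042"},
]}
_SESSIONS = {}   # opaque handle -> portal user; lives on the tool side, never in the prompt


class LeakDetected(Exception):
    pass


def tool_login(entry_ref):
    """Resolve the credential and log in; return only an opaque session handle."""
    cred = _STORE[entry_ref]
    if _PORTAL_USERS.get(cred["user"]) != cred["password"]:
        return {"ok": False, "error": "portal rejected credentials"}
    handle = "sess_" + secrets.token_hex(8)
    _SESSIONS[handle] = cred["user"]
    return {"ok": True, "session": handle}


def tool_fetch_transactions(session):
    """Use the session, not the password, to pull data for the agent."""
    user = _SESSIONS.get(session)
    if user is None:
        return {"ok": False, "error": "unknown or expired session"}
    return {"ok": True, "transactions": _PORTAL_DATA[user]}


def tool_reveal_password(entry_ref):
    """Anti-pattern: hands the cleartext to the model. Kept so the guard has something to catch."""
    return {"ok": True, "password": _STORE[entry_ref]["password"]}


def guarded_call(tool, *args):
    """Run a tool and refuse to pass its output onward if any stored secret appears in it.

    A last line of defence (a canary check), not the main control; the main
    control is that the real tools never return the secret in the first place.
    """
    result = tool(*args)
    serialized = json.dumps(result)
    for cred in _STORE.values():
        if cred["password"] in serialized:
            raise LeakDetected(f"{tool.__name__} output contains a stored secret")
    return result


def agent_turn(entry_ref):
    """What reaches the model after login + fetch: a handle and data, no secret."""
    login = guarded_call(tool_login, entry_ref)
    if not login["ok"]:
        return {"context": login}
    data = guarded_call(tool_fetch_transactions, login["session"])
    return {"context": {"session": login["session"], "transactions": data["transactions"]}}


if __name__ == "__main__":
    print(json.dumps(agent_turn("Accounting/bank-portal"), indent=2))
```

Compare this with the Proton flow, where the agent calls the CLI and receives the password itself: there the controls are scope, expiry and the audit trail, not the boundary shown here.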
How can you use the new feature for AI agents?
- Create a separate vault for each AI agent and store only the entries that agent needs for its task. Keep the banking entry separate from the CRM entry.
- Set short lifespans for sensitive workflows. One hour is enough for one-off scripts, a few days for recurring agents. Year-long lifespans should be the exception.
- Enable and check 2FA on all third-party accounts and on your Proton account itself. Hardware keys or passkeys are a worthwhile goal.
- Review the audit logs regularly to catch problems early. The logs can help you understand which entries were retrieved when and with what reason.
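A worked example of the regular review the last point asks for, and of what you can do with the manual CSV export mentioned under the feature’s limits while there is no SIEM integration. This is an added example, not a Proton tool: the column names in the sample export are an assumption about the real CSV (adjust them to the actual header), the rows are constructed, and the per-token policy (expected entries, time window, retrieval rate) is something you define for your own agents.

```python
"""Review an exported AI Access Token audit log against a per-token policy.

Added example, not Proton tooling. The CSV column names are an assumption
about the export (edit them to match the real header); the rows are
constructed; the policy values are illustrative.
"""
import csv
import io
from collections import Counter
from datetime import datetime

# Constructed sample export. Column names (timestamp, token, vault, item, reason)
# are assumed, not taken from a real Proton export.
SAMPLE_CSV = """timestamp,token,vault,item,reason
2026-06-01T06:02:11Z,accounting-agent,Accounting,bank-portal,monthly transaction export
2026-06-01T06:02:40Z,accounting-agent,Accounting,card-portal,monthly transaction export
2026-06-01T09:15:03Z,sales-agent,Sales,crm,pre-call lead summary
2026-06-01T23:48:59Z,sales-agent,Sales,crm,pre-call lead summary
2026-06-02T02:10:00Z,accounting-agent,Accounting,bank-portal,
2026-06-02T06:00:00Z,accounting-agent,Accounting,bank-portal,monthly transaction export
2026-06-02T06:00:01Z,accounting-agent,Accounting,bank-portal,monthly transaction export
2026-06-02T06:00:02Z,accounting-agent,Accounting,bank-portal,monthly transaction export
2026-06-02T06:00:03Z,accounting-agent,Accounting,bank-portal,monthly transaction export
2026-06-02T10:30:12Z,sales-agent,Accounting,bank-portal,pre-call lead summary
2026-06-02T11:00:00Z,jira-agent,Ops,jira,ticket triage
"""

# What each token is expected to do: the entries it should read, the UTC hours
# in which its job runs, and the most retrievals you would expect in one hour.
POLICY = {
    "accounting-agent": {"items": {"Accounting/bank-portal", "Accounting/card-portal"},
                         "hours": range(5, 8), "max_per_hour": 3},
    "sales-agent": {"items": {"Sales/crm"}, "hours": range(7, 20), "max_per_hour": 20},
}


def parse_export(text):
    """Parse the CSV text into rows, adding a timezone-aware datetime under 'ts'."""
    rows = []
    for r in csv.DictReader(io.StringIO(text)):
        r["ts"] = datetime.fromisoformat(r["timestamp"].replace("Z", "+00:00"))
        rows.append(r)
    return rows


def review(rows, policy):
    """Return one finding dict per rule violation."""
    findings = []
    per_hour = Counter()

    def flag(row, rule, detail):
        findings.append({"ts": row["timestamp"], "token": row["token"],
                         "rule": rule, "detail": detail})

    for r in rows:
        p = policy.get(r["token"])
        if p is None:
            flag(r, "unknown-token", "no policy for this token; was it created deliberately?")
            continue
        item = f'{r["vault"]}/{r["item"]}'
        if item not in p["items"]:
            flag(r, "unexpected-item", f"{item} is not in this agent's expected set")
        if r["ts"].hour not in p["hours"]:
            flag(r, "outside-window", f"retrieval at {r['ts'].hour:02d}:00 UTC")
        if not r["reason"].strip():
            flag(r, "empty-reason", "agent gave no reason for the retrieval")
        per_hour[(r["token"], r["ts"].strftime("%Y-%m-%dT%H"))] += 1

    # A burst of retrievals is the classic sign of a token being replayed or looped.
    for (token, hour), n in sorted(per_hour.items()):
        limit = policy[token]["max_per_hour"]
        if n > limit:
            findings.append({"ts": hour, "token": token, "rule": "burst",
                             "detail": f"{n} retrievals in one hour (limit {limit})"})
    return findings


def review_export(text, policy=POLICY):
    return review(parse_export(text), policy)


def rule_counts(findings):
    """Summary of findings by rule, as a plain dict."""
    return dict(sorted(Counter(f["rule"] for f in findings).items()))


if __name__ == "__main__":
    for f in review_export(SAMPLE_CSV):
        print(f'{f["ts"]}  {f["token"]:17} {f["rule"]:16} {f["detail"]}')
```

Run it against each export and look at anything flagged; an empty-reason or out-of-window retrieval is where a prompt-injected agent or a replayed token shows up first, since the retrieval itself is legitimate as far as the token is concerned.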
Sources
- Proton Blog (EN): Proton Pass: A password manager for AI agents
- Proton Blog (DE): Proton Pass: Ein Passwortmanager für KI-Agenten
- Proton Pass Roadmap Spring/Summer 2026: proton.me/blog/pass-roadmap-spring-summer-2026
- News4Hackers: Proton Pass introduces secure credential sharing for AI agents
- CyberInsider: Proton Pass adds new protections for AI agents with account access
Further reading: our comparison of password managers for SMEs and the full Proton Pass review.