kubbiai

AI Agent Data Handoff Is Broken by Default

Kubbi Team6 min read
When one agent hands a database credential to the next agent in your pipeline, where does that credential live? In the message. In the queue. In the log your orchestration framework wrote automatically.

When one agent hands a database credential to the next agent in your pipeline, where does that credential live? In the message. In the queue. In the log your orchestration framework wrote automatically. In the replay buffer you turned on for debugging. In three places you forgot about and one place you didn't know existed.

That's not hypothetical. That's what LangGraph workflows, CrewAI tasks, and custom async pipelines do by default. Data handoff between agents is an afterthought. A dict passed to the next step, a secret that travels through your entire orchestration layer unencrypted because that's what the framework made easy.

Here's what a proper handoff looks like, and how to get there without touching your pipeline structure.

What "Data Handoff" Actually Means in a Multi-Agent System

In a single-agent workflow, sensitive data has one home. In a multi-agent workflow, it moves. The authentication token your orchestrator fetches from Vault gets passed to the API agent. The PII your extraction agent pulls from a document gets passed to the validation agent. The credentials your provisioning agent generates get passed to the human reviewer who needs to approve them.

Each of those transfers is a handoff. And each handoff is a moment where the data exists in a state you didn't fully design.

The producing step created it. The consuming step will use it. In between, it's just... somewhere. In a queue message. In an in-memory object that got serialized. In an intermediate state store you stood up to handle pauses.

Most engineers treat this as a storage problem. Find somewhere to put the data between steps. That framing is wrong.

The Three Patterns That Break

Pattern 1: Pass Through the Message

The simplest pattern. The producing agent puts the credential or token directly in the message body, and the consuming agent reads it out.

It works until it doesn't. Message queues log payloads. Your observability stack traces payloads. Anyone with queue access has credential access. When the consuming agent fails and the message gets dequeued, the credential sits in dead-letter storage indefinitely. You don't control when it's gone. The queue does.

Pattern 2: Store and Reference

The producing agent writes sensitive data to a database row or S3 object. It passes a reference ID to the consuming agent, which fetches the data directly.

You've separated the reference from the data, which is better. But the data in that store doesn't know it's temporary. It doesn't expire unless you write the expiry logic. It doesn't get deleted unless you write the deletion logic. That cleanup code becomes part of your codebase. It shows up in your monitoring, your run books, your on-call rotation. The duct tape has its own maintenance burden.

Pattern 3: Environment Variables

Still common in smaller pipelines. Credentials get set as environment variables and agents read them directly.

No TTL. No revocation. No audit trail. If an agent process gets compromised, everything in the environment is exposed. Most teams already know this pattern is bad but haven't replaced it because replacing it is annoying, and annoying problems tend to wait.

Why These Patterns Survive Anyway

Here's my read on it: the reason these patterns survive isn't ignorance. Engineers building multi-agent systems know that dumping credentials into a message queue is messy. They know the S3 approach needs cleanup logic. They know environment variables aren't a long-term answer.

They survive because fixing them properly costs more time than the current duct tape saves. Standing up a secrets manager integration, writing expiry jobs, adding revocation logic, building an audit trail. That's a week of work for a problem that hasn't burned you yet.

So the duct tape stays. Then something breaks. A contractor gets queue access, a debug log gets shipped to a third-party APM tool, a cleanup job fails silently. The week of work happens anyway, but reactively, under pressure.

The trade-off is wrong. Not because the duct tape is unacceptable, but because the alternative doesn't have to cost a week.

What a Proper Data Handoff Looks Like

A proper AI agent data handoff has four properties:

The payload is encrypted before it leaves the producer, claimable only within a fixed window, and gone when that window closes. Whether the consumer ever showed up. The producer can revoke early if something was wrong.

Those four properties close the failure modes the three broken patterns leave open.

Kubbi is built around this. The producer calls kubbi.create() with the payload, a TTL, and an optional claim limit. Kubbi returns a claim URL. The producer passes the URL. Not the data. To the next step. The consumer calls kubbi.claim() with the URL and gets the payload.

The sensitive data never travels through your orchestration layer. Your LangGraph graph, your CrewAI task chain, your custom pipeline. All of them pass around a URL. The payload is encrypted at rest with AES-256, expires on schedule, and one claim takes it down.

How This Fits Into an Existing Workflow

You don't replace your orchestration layer. Kubbi slots into the places where data currently leaks.

In a LangGraph workflow, the node that fetches credentials calls kubbi.create() instead of returning them raw. It returns the claim URL as part of its output. The downstream node calls kubbi.claim() as its first action. The graph state never holds the credentials directly.

In a CrewAI task chain, the task that generates a sensitive artifact stores it via kubbi.create() and passes the URL in its output. If the next task never runs. Because the chain fails, because a condition isn't met. The payload expires anyway. You don't write cleanup code for that case. It's just gone.

The human-in-the-loop case is where this gets especially clean. The reviewer gets a claim URL, opens it, claims the payload, and it disappears. No shared S3 bucket with IAM policies. No database row waiting for a manual deletion step. The claim URL is the entire interface.

The Audit Trail You're Currently Missing

Every kubbi.create() and kubbi.claim() call is logged. You get a record of who created a payload, when it was claimed, whether it expired unclaimed.

That last case matters more than it sounds. An unclaimed payload that expires tells you the consuming step never ran. Useful debugging signal in a multi-agent system where failure modes are genuinely hard to trace. It's also a compliance record. You can demonstrate the credential was temporary and that it's gone.

The three broken patterns don't give you this. Queue messages get deleted or rotated. Database rows get cleaned up eventually, maybe. Environment variables leave no trail at all.

The Revocation Case

Say your pipeline is paused. The producer created a kubbi with a 24-hour TTL and passed the claim URL to a human reviewer. An hour later you realize the payload was wrong. Credentials for the wrong environment, or PII from the wrong customer.

With a database row, you update the row, but the consumer might've already read it and cached it locally. With a queue message, you might be able to pull it from dead-letter, but only if it hasn't been redelivered. With an environment variable, you're out of luck.

With Kubbi, the producer calls revoke. The claim URL stops working immediately. The consumer can't claim the payload regardless of TTL. Nothing was exposed, and there's a log entry showing the revocation.

Revocation is load-bearing, not decorative. In any workflow where humans are involved, the data being handed off is sometimes wrong, and you need a way to say "stop, don't use that". Cleanly, with a record.

One Integration, Every Handoff

The integration surface is two methods: kubbi.create() on the producer side, kubbi.claim() on the consumer side. Wrap them in a LangChain tool, a CrewAI task action, a FastAPI endpoint, or a plain function call. It fits wherever data currently moves between steps.

You're not standing up infrastructure or writing expiry logic. Two method calls and the handoff is handled. Two method calls. The credential doesn't linger, and there's a record that it's gone.

If your pipeline touches credentials or PII, it has handoff failure modes. You're already working around them. Kubbi closes them without changing how your pipeline is structured.

Get started free at kubbi.ai. The first handoff takes about ten minutes to wire up.