Anthropic's Managed Agents now run on a schedule and store credentials securely — no custom plumbing required
Anthropic's public beta adds cron-based scheduling and a network-boundary credential vault to Claude Managed Agents, removing two common DIY infrastructure headaches.
Anthropic’s Managed Agents now run on a schedule and store credentials securely — no custom plumbing required
If you have ever tried to run an AI agent on a recurring schedule, you have probably ended up in a familiar place: a cron job that breaks at 2am, a separate secrets manager to keep API keys out of your code, and a weekend spent debugging infrastructure that has nothing to do with the actual problem you wanted the agent to solve.
Anthropic’s June 9, 2026 update to Claude Managed Agents addresses both of those problems directly. Scheduled deployments and vault-stored environment variables are now in public beta on the Claude Platform, and together they remove two of the most common reasons enterprise agent projects stall before they reach production.
What just shipped
Scheduled deployments (cron without the cron job)
You can now attach a cron schedule to a Managed Agent deployment. When the schedule fires, the agent starts a new session, does its work, and finishes. No scheduler for you to build, host, or monitor.
From the platform, you can pause, resume, or archive a scheduled deployment at any time, or trigger a run on demand outside the regular schedule. The billing side is equally straightforward: scheduled runs consume your existing Claude Platform usage, with no separate scheduling fee.
Rakuten is already using this for weekly and monthly reporting. Analysts define the task once; the agent handles the spreadsheet-to-deck pipeline on its own rhythm. Actively AI replaced hand-built scheduling infrastructure entirely, using scheduled deployments to keep its cross-account sales search results fresh. Ando uses them to monitor channels for follow-up actions and send meeting reminders autonomously.
Vault-stored environment variables (credentials that never reach the model)
The second feature solves a subtler problem. When an agent needs to call an external API, the API key has to come from somewhere. The obvious approach (putting it in the agent’s context or environment) means the model can see it, log it, or be tricked into revealing it via prompt injection.
Anthropic’s vault approach sidesteps this. You register an API key with a variable name and a list of domains it is allowed to reach. Inside the agent’s sandbox, only a placeholder exists. The real key is attached at the network boundary, and only on outbound requests to domains you have explicitly approved. The model’s context never contains the actual secret.
Updating a key is equally clean: change it in the vault, and running sessions pick up the new value on their next outbound call. No redeployment required.
Notion uses this to roll out its CLI alongside MCP tools, giving agents file-upload capabilities without tokens ever being handed to the model. KERNEL uses it to connect agents to usage and customer conversation databases, with the agent flagging unexpected surges in near real time.
Browser capabilities via authenticated CLIs
As a direct consequence of vault-stored credentials, CLIs that authenticate via HTTP headers now work properly inside Managed Agents. That includes the Browserbase and KERNEL CLIs, which give agents browser capabilities for the first time. Agents can now navigate and interact with the web as part of their tool repertoire, alongside file operations and code execution.
Browserbase built its public catalog of browser skills using this setup: a scheduled deployment periodically validates the catalog, authenticated through vaults, to keep it accurate.
Why this matters in practice
The two features address what Anthropic describes as the “unglamorous plumbing” keeping enterprise agent projects in pilot mode. Most teams building on the Claude API have had to answer two questions before going to production: what triggers the agent when no human is watching, and how does it authenticate to external services without creating a credential risk?
Until now, the answers involved either hand-rolling a scheduler and a secrets store, or accepting that agents only ran when someone manually kicked them off. Neither option scales well, and both pull engineering time away from the actual agent logic.
Claude Managed Agents launched in public beta in April 2026 with the core premise of handling the infrastructure layer, so teams focus on what the agent actually does. This update extends that promise to two areas that have remained friction points even for teams already on the platform.
It is also worth noting what the vault design does not solve. Prompt injection can still cause an agent to misuse an allowlisted tool within its granted permissions. The domain allowlist narrows that blast radius significantly, but it is not a complete defence. Anthropic acknowledges this in its documentation, and it is worth factoring into your threat model if you are working in a sensitive environment.
What this means for your team
If you are running agents that need to fire on a schedule, you can stop maintaining the scheduler. Define the cron expression in the deployment config, and the platform handles the rest.
If you have been hesitant to give agents access to external APIs because of credential risk, vault-stored environment variables give you a workable pattern. Keys stay out of the model context, domain allowlists limit where they can be used, and rotation happens without touching the deployment.
If you are still evaluating whether to build your own agent infrastructure or use a managed service, these two additions reduce the gap significantly. The cases where you need a fully custom setup are narrowing.
The full documentation for scheduled deployments and vault configuration is available in the Claude Platform docs. Both features require the managed-agents-2026-04-01 beta header; the SDK sets this automatically.