Secrets vault
Store and share API keys, tokens, and passwords securely.
SupaNet has a secrets vault where admins can store named credentials (API keys, tokens, passwords) that the team - and the assistant - can use safely.
Storing secrets
The Secrets page (admin-only, under Governance in the sidebar) is where you
add and manage credentials. Give each one a name (like stripe_api_key), an
optional description, and the secret value. Once saved, the value is encrypted
and stored in Supabase Vault - you will never see it again, so make sure you have
it right.
When you edit a secret, you can leave the value blank to keep the existing one. This lets you update the name or description without re-entering the value.
Sharing secrets with your team
Each secret is either Workspace (shared with everyone) or Private (only you and admins can see it).
- Workspace secrets are for shared credentials your team needs - API keys, shared service tokens, etc.
- Private secrets are for your personal credentials.
In both cases, the secret value stays encrypted. What the UI shows are just the name and description. Only the assistant - and admins - can actually read the values.
Using secrets in automation
The assistant can fetch secrets on demand with the get_secret tool. So if you
have a workflow where an agent needs to call a third-party API, you can have it
fetch the key from the vault instead of hardcoding it.
Because get_secret returns a raw credential into the conversation, treat
anything you store in the vault as readable by any agent you let use that tool.
The vault is not a way to hide things from the assistant - it is a way to keep
them out of your codebase, your prompts, and your chat history.
Discovery
The assistant can also call list_secrets to see what credentials are available
(names and descriptions only, never the values). This is handy if you are not
sure which key to ask for.
A practical example
Say you store stripe_api_key as a Workspace secret. Now an agent can:
- Call
list_secretsto see it is there - Call
get_secretwith namestripe_api_keyto fetch the actual key - Use that key to call Stripe
No secrets in the agent's instructions, no hardcoded values - just a reference to the vault.