SupaNet
Using SupaNet

Secrets vault

Store and share API keys, tokens, and passwords securely.

SupaNet has a secrets vault where admins can store named credentials (API keys, tokens, passwords) that the team - and the assistant - can use safely.

Storing secrets

The Secrets page (admin-only, under Governance in the sidebar) is where you add and manage credentials. Give each one a name (like stripe_api_key), an optional description, and the secret value. Once saved, the value is encrypted and stored in Supabase Vault - you will never see it again, so make sure you have it right.

When you edit a secret, you can leave the value blank to keep the existing one. This lets you update the name or description without re-entering the value.

Sharing secrets with your team

Each secret is either Workspace (shared with everyone) or Private (only you and admins can see it).

  • Workspace secrets are for shared credentials your team needs - API keys, shared service tokens, etc.
  • Private secrets are for your personal credentials.

In both cases, the secret value stays encrypted. What the UI shows are just the name and description. Only the assistant - and admins - can actually read the values.

Using secrets in automation

The assistant can fetch secrets on demand with the get_secret tool. So if you have a workflow where an agent needs to call a third-party API, you can have it fetch the key from the vault instead of hardcoding it.

Because get_secret returns a raw credential into the conversation, treat anything you store in the vault as readable by any agent you let use that tool. The vault is not a way to hide things from the assistant - it is a way to keep them out of your codebase, your prompts, and your chat history.

Discovery

The assistant can also call list_secrets to see what credentials are available (names and descriptions only, never the values). This is handy if you are not sure which key to ask for.

A practical example

Say you store stripe_api_key as a Workspace secret. Now an agent can:

  1. Call list_secrets to see it is there
  2. Call get_secret with name stripe_api_key to fetch the actual key
  3. Use that key to call Stripe

No secrets in the agent's instructions, no hardcoded values - just a reference to the vault.

On this page