Secrets

Keep credentials out of agent-built products.

Let humans or agents create, bind, and rotate secret vaults for apps, functions, auth modules, databases, and runtimes without exposing values in source code.

Start now

Secret vaults

Store API keys, tokens, credentials, and private runtime configuration as managed ACP resources.

Resource bindings

Connect vaults to web apps, functions, auth modules, databases, and agent runtimes.

Controlled access

Keep sensitive values out of source files, prompts, generated code, and project documentation.

Rotation workflows

Rotate values centrally while connected resources keep using the vault at runtime.

Pricing

Secrets are the vault surface for API keys, credentials, tokens, and private runtime configuration.

Secret vault pricing in Compute Tokens
Secret vault	No standalone CT / live minute runtime rate Secret vaults are used by connected ACP resources.
Connected compute	Normal resource usage applies Apps, functions, computers, auth modules, and runtimes keep their own pricing model.
Secret operations	Driven by connected resources Reads are typically performed by the bound resource at runtime.

SDK functionality

The JavaScript and Python SDKs expose secret vault lifecycle, secret CRUD, bindings, analytics/log inspection where available, and file/runtime inspection through the same resource model.

SDK functionality
Lifecycle	Create, list, get, update, and delete secret vault resources from JavaScript or Python.
Secret values	List, create, read, update, and delete named secret values through client.secrets or the generic resources manager.
Bindings	Connect vaults to web apps, functions, auth modules, databases, and agent runtimes that need runtime-only access.
Runtime helpers	Use computer-agents/runtime/server inside deployed Node functions and server-side web apps to read bound secrets safely.
Operations	Review which resources can read each vault and rotate values without committing credentials into source files.

Create a secret vault and add a value

How to set it up

Start from the workflow that fits the team: create a vault from the SDK, manage it in Develop, or let an agent request the vault and wait for a human to add values.

Via SDK: create the vault, add or rotate secrets, then bind the vault to the workload that needs it.

On the platform: open Develop, create a Secret resource, add values, and connect it to apps or functions.

By agent: ask an agent to identify required secrets and prepare bindings, while a human supplies sensitive values.

How to manage

Treat secrets as production infrastructure. Rotate values intentionally, review bindings before deploys, and keep the purpose of every secret clear.

How to manage
Bindings	Review which web apps, functions, auth modules, databases, and runtimes can read a vault.
Rotation	Update secret values centrally and redeploy or restart connected resources when the downstream provider requires it.
Runtime access	Read secrets from server-side runtime helpers so values never enter browser bundles, task prompts, or source control.