# Secret Key Management

> Securely store API keys, tokens, and credentials so the agent can use them in conversations without exposing sensitive values.

## Overview

Secrets let you store sensitive credentials — API keys, bearer tokens, database passwords — that the agent can access as environment variables during conversations. Values are encrypted at rest and never displayed in plain text after creation.

<Note>
  Secrets are scoped to your account. Each secret is available as `process.env.SECRET_NAME` inside the agent sandbox.
</Note>

## The Secrets page

The Secrets page shows all your stored credentials as cards with masked values. Each card displays the secret name, description, and creation date.

<Frame caption="The Secrets page showing saved API keys and tokens">
  <img src="https://mintcdn.com/creaoagent/L7jvWhXluKR0aaCS/images/secrets-page.png?fit=max&auto=format&n=L7jvWhXluKR0aaCS&q=85&s=f854eaec5beb18a4e568c305281210c2" alt="Secrets page with multiple secret cards showing masked values" width="1280" height="800" data-path="images/secrets-page.png" />
</Frame>

## From chat

When the agent needs an API key for a service that is not connected as a [built-in integration](/integrations), it may ask you to save a credential with an **in-chat secure field**. Use that field instead of pasting the key in the main message box — the value is stored the same way as secrets you add on this page (encrypted, available as `process.env.YOUR_NAME` in the sandbox). You can still manage everything from **Secrets** in the sidebar or account settings.

## Adding a secret

<Steps>
  <Step title="Open the Secrets page">
    Click **Secrets** in the sidebar navigation to open the secret management page.
  </Step>

  <Step title="Click Add secret">
    Click the **Add secret** button in the top right corner.
  </Step>

  <Step title="Fill in the details">
    Enter the secret details:

    * **Name** — an uppercase identifier like `X_BEARER_TOKEN` or `NOTION_API_KEY`. This becomes the environment variable name (`process.env.X_BEARER_TOKEN`). Only uppercase letters, digits, and underscores are allowed.
    * **Value** — the actual secret value (API key, token, password). Hidden by default — click the eye icon to reveal it while typing.
    * **Description** (optional) — a note to help you remember what this secret is for.
  </Step>

  <Step title="Save">
    Click **Save secret**. The secret is encrypted and stored securely.
  </Step>
</Steps>

## Example: Adding an X (Twitter) Bearer Token

Let's walk through a real example — adding an X API bearer token so the agent can search tweets and find mentions.

<Steps>
  <Step title="Get your X Bearer Token">
    Go to the [X Developer Portal](https://developer.x.com) and copy your app's Bearer Token from the **Keys and tokens** section.
  </Step>

  <Step title="Add the secret">
    Open **Secrets** → **Add secret** and fill in:

    * **Name**: `X_BEARER_TOKEN`
    * **Value**: paste your bearer token (e.g., `AAAAAAAAAAAAAAAAAAAAXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX`)
    * **Description**: `X/Twitter API Bearer Token for search and mentions`

    <Frame caption="Adding the X Bearer Token as a secret">
      <img src="https://mintcdn.com/creaoagent/L7jvWhXluKR0aaCS/images/secrets-add-dialog.png?fit=max&auto=format&n=L7jvWhXluKR0aaCS&q=85&s=fe2513ada70d328f05902df198a25484" alt="Add secret dialog filled with X_BEARER_TOKEN" width="1280" height="800" data-path="images/secrets-add-dialog.png" />
    </Frame>
  </Step>

  <Step title="Verify the secret was saved">
    After saving, the secret appears as a card on the Secrets page. The value is masked for security.

    <Frame caption="The Secrets page showing your saved secrets with masked values">
      <img src="https://mintcdn.com/creaoagent/L7jvWhXluKR0aaCS/images/secrets-page.png?fit=max&auto=format&n=L7jvWhXluKR0aaCS&q=85&s=f854eaec5beb18a4e568c305281210c2" alt="Secrets page with secret cards" width="1280" height="800" data-path="images/secrets-page.png" />
    </Frame>
  </Step>

  <Step title="Use it in chat">
    Now ask the agent to use the token. For example:

    ```
    Search X for recent mentions of @CreaoAI using my X_BEARER_TOKEN secret
    ```

    <Frame caption="Asking the agent to use the X_BEARER_TOKEN secret to search for mentions">
      <img src="https://mintcdn.com/creaoagent/Qe1AeD0g4oCCFKCZ/images/secrets-use-in-chat.png?fit=max&auto=format&n=Qe1AeD0g4oCCFKCZ&q=85&s=44123e4c49611924cef553ece642761f" alt="Chat input with a prompt referencing the X_BEARER_TOKEN secret" width="1280" height="800" data-path="images/secrets-use-in-chat.png" />
    </Frame>

    The agent will access `process.env.X_BEARER_TOKEN` in the sandbox and use the X API to fetch results.
  </Step>
</Steps>

## How secrets work in the agent sandbox

When the agent runs code in its sandbox environment, all your secrets are injected as environment variables:

```python
import os

import requests

# Access your secret in Python
bearer_token = os.environ["X_BEARER_TOKEN"]

# Use it in an API call
headers = {"Authorization": f"Bearer {bearer_token}"}
response = requests.get(
    "https://api.x.com/2/tweets/search/recent",
    params={"query": "@CreaoAI"},
    headers=headers,
    timeout=10,  # fail instead of hanging if the API does not respond
)
response.raise_for_status()  # surface 401/403 from a bad or revoked token
```

```javascript
// Access your secret in Node.js
const bearerToken = process.env.X_BEARER_TOKEN;

// Use it in an API call (URLSearchParams percent-encodes the "@" in the query)
const params = new URLSearchParams({ query: "@CreaoAI" });
const response = await fetch(
  `https://api.x.com/2/tweets/search/recent?${params}`,
  { headers: { Authorization: `Bearer ${bearerToken}` } }
);
```

<Warning>
  Secrets are injected into every agent sandbox session. Only store credentials you are comfortable the agent having access to.
</Warning>
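
Because every sandbox session holds the secret values, code that reads them should fail closed when a variable is missing and mask the values before anything is printed or returned to the chat. The following is an added example, not CREAO's own code; the helper names, the `[REDACTED]` mask and the sample values are assumptions constructed for illustration.

```python
import os
import re

# Naming rule stated on this page: uppercase letters, digits and underscores only.
SECRET_NAME_RE = re.compile(r"[A-Z0-9_]+")
MASK = "[REDACTED]"  # constructed placeholder, not CREAO's masking format


def require_secret(name, env=None):
    """Return the secret's value, failing closed without echoing any value."""
    env = os.environ if env is None else env
    if not SECRET_NAME_RE.fullmatch(name):
        raise ValueError(f"invalid secret name: {name!r}")
    value = env.get(name, "")
    if not value.strip():
        # The message names the variable only, never a value.
        raise LookupError(f"secret {name} is not set in this sandbox session")
    return value


def redact(text, names, env=None):
    """Replace the values of the named secrets wherever they occur in text."""
    env = os.environ if env is None else env
    values = {env.get(n, "") for n in names}
    # Longest first, so a secret that contains another one is masked whole.
    for value in sorted((v for v in values if v), key=len, reverse=True):
        text = text.replace(value, MASK)
    return text


def safe_headers_for_log(headers, names, env=None):
    """Copy of request headers that is safe to print or return to the chat."""
    return {k: redact(str(v), names, env) for k, v in headers.items()}


if __name__ == "__main__":
    # Constructed sample environment; real values come from the Secrets page.
    sample_env = {
        "X_BEARER_TOKEN": "AAAA-constructed-token",
        "NOTION_API_KEY": "AAAA-constructed",
    }
    names = list(sample_env)
    token = require_secret("X_BEARER_TOKEN", sample_env)
    headers = {"Authorization": f"Bearer {token}"}
    print(safe_headers_for_log(headers, names, sample_env))
    print(redact(f"request failed, sent {token}", names, sample_env))
```

Pass `redact` the names of the secrets the code actually read, since the sandbox environment also contains ordinary variables that should not be masked.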

## Managing secrets

### Editing a secret

Click the pencil icon on any secret card to update its value or description. You can change the value without re-entering the current one — leave the value field blank to keep the existing value.

### Deleting a secret

Click the trash icon on the secret card and confirm the deletion. Any agent conversations that reference the deleted secret will no longer have access to it.

### Naming conventions

| Pattern                | Example             | Use for                           |
| ---------------------- | ------------------- | --------------------------------- |
| `SERVICE_API_KEY`      | `OPENAI_API_KEY`    | API keys for third-party services |
| `SERVICE_BEARER_TOKEN` | `X_BEARER_TOKEN`    | OAuth bearer tokens               |
| `SERVICE_SECRET`       | `STRIPE_SECRET`     | General secrets and passwords     |
| `DB_PASSWORD`          | `POSTGRES_PASSWORD` | Database credentials              |

<Tip>
  Use descriptive names that make it clear which service the secret belongs to. The agent can see the environment variable names and will choose the right one based on context.
</Tip>

## Security

* **Encrypted at rest** — secret values are encrypted before being stored in the database
* **Never displayed** — after creation, the full value is never shown in the UI (displayed as `••••••••`)
* **Sandbox isolation** — secrets are only accessible inside the ephemeral agent sandbox, not in the browser
* **Per-user scope** — your secrets are only available to your agent sessions, not shared across accounts
