
Managing Secrets & API Keys

Published February 27, 2026 · Last updated March 5, 2026 · 3 min read

Secrets let you store API keys, tokens, and credentials so your agent can connect to external services — without ever exposing sensitive values in chat.

Think of it like a password manager for your agent. You provide the key once, Obvious encrypts it, and the agent uses it whenever it needs to authenticate.

Adding a Secret Through the Agent

The quickest way: tell the agent what you're connecting to.

I need to connect to the Stripe API — here's my key.

The agent presents a secure input card right in chat. You paste your key, choose who can access it, and save. The value is encrypted immediately — it never appears in the conversation.

You can also be more specific:

Set up a connection to our Postgres database. I have the host, port, username, and password.

The agent requests exactly the fields it needs, grouped by service. Each field gets its own secure input, so you're never pasting credentials into plain text.

Adding Secrets in Settings

Open Settings → Connectors in the sidebar. Workspace-scoped secrets appear here with the name, last update date, and who created them.

Secrets created through the agent show up here too. You can delete workspace-level secrets from this page if you have editor access or created the secret yourself.

Who Can Access a Secret

When you save a secret, you choose its scope — who else can use it:

  • Only me — Available across all your projects, but nobody else can access it.
  • Workspace members — Anyone in the workspace can use this secret in their projects.
  • Team members — Shared with a specific team you select.
  • Project members — Only available within the current project.

The agent detects existing secrets automatically. If you've already saved a Stripe key at the workspace level, the agent won't ask for it again — it picks up what's already there.

How Agents Use Secrets

Once saved, secrets are available to the agent as environment variables. The naming convention is SECRET_ followed by the key name:

SECRET_STRIPE_API_KEY
SECRET_DATABASE_URL
SECRET_GITHUB_PAT

The agent accesses these automatically when running code, making API calls, or executing tasks. You don't need to reference the variable name yourself — the agent knows which secrets are available and uses the right one for the job.

Security

Obvious encrypts every secret with AWS KMS before storing it. Here's what that means in practice:

  • Encrypted at rest. Your credentials are never stored as plain text. Each workspace gets its own encryption key.
  • Never visible in chat. If a secret value accidentally appears in shell output, Obvious masks it automatically — showing only the first and last few characters.
  • Scoped access. A secret saved to "Only me" is invisible to other workspace members, even admins. Scope controls who can decrypt it.
  • Soft-deleted, not erased. When you remove a secret, it's deactivated immediately but retained for audit purposes.
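
The SECRET_ naming convention and the output masking described above, as an added example (not Obvious's own code): a Python script that reads SECRET_-prefixed environment variables and redacts their values from text before it is printed or logged. The function names, the 4-character window in mask(), and the sample values are assumptions.

```python
import os

PREFIX = "SECRET_"  # naming convention stated on this page


def load_secrets(env=None):
    """Return {name: value} for every non-empty SECRET_-prefixed variable."""
    env = os.environ if env is None else env
    return {k: v for k, v in env.items() if k.startswith(PREFIX) and v}


def require(secrets, name):
    """Fetch one secret by key name; the error names the variable, never a value."""
    var = PREFIX + name.upper()
    if var not in secrets:
        raise KeyError(f"{var} is not set for this project")
    return secrets[var]


def mask(value, keep=4):
    """Keep the first and last `keep` characters (keep=4 is an assumption)."""
    if len(value) < keep * 4:  # short values are hidden completely
        return "*" * len(value)
    return value[:keep] + "*" * (len(value) - 2 * keep) + value[-keep:]


def redact(text, secrets):
    """Replace every occurrence of a secret value in text with its masked form."""
    # Longest first, so a secret that contains another one is replaced whole.
    for value in sorted(secrets.values(), key=len, reverse=True):
        text = text.replace(value, mask(value))
    return text


if __name__ == "__main__":
    # Constructed sample environment; none of these values are real credentials.
    sample_env = {
        "SECRET_STRIPE_API_KEY": "constructed-stripe-key-0123456789",
        "SECRET_GITHUB_PAT": "short",
        "PATH": "/usr/bin",
    }
    secrets = load_secrets(sample_env)
    key = require(secrets, "stripe_api_key")
    print(redact(f"Authorization: Bearer {key}", secrets))
```

Masking at the output boundary is a backstop; the stronger habit is to pass the value straight from the environment to the client library and never interpolate it into strings that get printed.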

Tips

Tip: Group related credentials together. When connecting to a service that needs multiple values (like a database host, port, and password), ask the agent in one message. It creates a single card with all the fields.

Warning: Deleting a secret can break running tasks and scheduled automations that depend on it. Check what's using a credential before you remove it.
