Secrets

A secret holds a credential value. Two storage modes:

  • Local secret — value stored in the platform database, encrypted at rest with a Kubernetes Secret key. Use this when you don't have an external secret store.
  • Remote secret — value stored in a secret provider (e.g. Vault) and resolved at workload start.

Either kind can be referenced from an agent ENV, an MCP server ENV, a hook ENV, or an LLM provider's credentials.

Create a local secret

In the Console

  1. Console → Secrets (/organizations/<org>/secrets).
  2. Click New secret.
  3. Set:
    • Name — display name (e.g. stripe-api-key).
    • Storage — Local.
    • Value — the secret value. Masked after save.
  4. Save.

With Terraform

```hcl
resource "agyn_secret" "stripe_api_key" {
  organization_id = agyn_organization.acme.id

  name  = "stripe-api-key"
  value = var.stripe_api_key
}
```

Source the value from your Terraform variables / CI secret manager. The value is encrypted server-side once written.

Create a remote secret

In the Console

  1. Secrets → New secret.
  2. Set:
    • Name — display name.
    • Storage — Remote.
    • Provider — pick a registered provider.
    • Remote path — provider-specific identifier (e.g. for Vault KV v2: path kv/data/prod/stripe-api-key, key value).
  3. Save.

The platform never stores the value itself — it stores only the reference, and resolves the value each time a workload starts.

With Terraform

```hcl
resource "agyn_secret" "stripe_api_key" {
  organization_id = agyn_organization.acme.id

  name        = "stripe-api-key"
  provider_id = agyn_secret_provider.vault_prod.id
  remote_path = "kv/data/prod/stripe-api-key"
  remote_key  = "value"
}
```
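The two Terraform shapes above (local `value` vs. remote `provider_id`/`remote_path`/`remote_key`) are easy to get wrong in review: a literal string pasted into `value` ends up committed in plaintext, and a remote secret missing one of its three attributes will not resolve. The following linter is an added example, not part of the platform or its Terraform provider; it parses `agyn_secret` blocks with a simple regex (enough for the flat attribute form shown on this page, not full HCL), assumes the attribute names exactly as shown above, and runs over a constructed sample that includes one deliberately hard-coded secret.

```python
import re

# Constructed sample: the page's two resources plus one hard-coded value to flag.
SAMPLE_TF = '''
resource "agyn_secret" "stripe_api_key" {
  organization_id = agyn_organization.acme.id
  name  = "stripe-api-key"
  value = var.stripe_api_key
}

resource "agyn_secret" "stripe_api_key_remote" {
  organization_id = agyn_organization.acme.id
  name        = "stripe-api-key"
  provider_id = agyn_secret_provider.vault_prod.id
  remote_path = "kv/data/prod/stripe-api-key"
  remote_key  = "value"
}

resource "agyn_secret" "leaked" {
  organization_id = agyn_organization.acme.id
  name  = "db-password"
  value = "hunter2"
}
'''

# Matches one flat agyn_secret block; nested blocks are out of scope for this check.
RESOURCE_RE = re.compile(r'resource\s+"agyn_secret"\s+"([^"]+)"\s*\{(.*?)\n\}', re.S)
ATTR_RE = re.compile(r'^\s*(\w+)\s*=\s*(.+?)\s*$', re.M)

def parse_secrets(tf_text):
    """Return {resource_label: {attribute: raw_value}} for every agyn_secret block."""
    return {label: dict(ATTR_RE.findall(body)) for label, body in RESOURCE_RE.findall(tf_text)}

def lint_secret(attrs):
    """Return findings for one agyn_secret block; an empty list means it passes."""
    findings = []
    remote_keys = {"provider_id", "remote_path", "remote_key"}
    has_value, has_remote = "value" in attrs, bool(remote_keys & attrs.keys())
    if has_value and has_remote:
        findings.append("mixes local 'value' with remote provider attributes")
    if not has_value and not has_remote:
        findings.append("neither 'value' nor remote provider attributes are set")
    if has_value and attrs["value"].startswith('"'):  # quoted literal, not var./data.
        findings.append("plaintext literal in 'value'; source it from a variable or CI secret manager")
    if has_remote and (missing := sorted(remote_keys - attrs.keys())):
        findings.append("remote secret missing " + ", ".join(missing))
    path = attrs.get("remote_path", "").strip('"')
    if path and "/data/" not in path:  # KV v2 paths look like kv/data/<path>, as on this page
        findings.append("remote_path lacks '/data/'; Vault KV v2 paths are kv/data/<path>")
    return findings

def lint_file(tf_text):
    """Lint every agyn_secret block in a Terraform file's text."""
    return {label: lint_secret(attrs) for label, attrs in parse_secrets(tf_text).items()}
```

Run it as a pre-commit or CI step over your `.tf` files; `lint_file(open(path).read())` returns a per-resource list of findings, and any non-empty list should fail the check.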

Use a secret

Secrets are useful only when referenced. The main consumers are the places listed at the top of this page: an agent ENV, an MCP server ENV, a hook ENV, an LLM provider's credentials, and image pull secrets.

Rotate a secret

Local secrets:

  • Console → secret → Edit → paste new value → Save.
  • Terraform: update value, apply.

Remote secrets rotate in the provider — the platform reads the latest value on every workload start. No platform-side action needed unless you change the path.

Workloads already running keep their injected value until restart. Stop the workload in Activity → Workloads for an immediate rotation.

Delete a secret

Deleting a secret breaks any ENV, LLM provider, or image pull secret that references it. The Console lists references before allowing the delete.

Authorization

  • Reading a secret's metadata (name, storage, provider, path) requires member on the organization.
  • Reading the actual value is only ever done by the orchestrator and LLM Proxy at runtime — no user-facing endpoint returns plaintext.
  • Writing or deleting a secret requires owner on the organization.