deco Studio

Secrets

Store API keys, tokens, and sensitive values — encrypted, scoped, and never returned over the API

What are secrets?

Secrets are sensitive values — API keys, tokens, passwords — that your agents and connections need but that should never be stored in plain text. Manage them under Settings → Secrets.

Every secret is encrypted at rest in Studio’s credential vault. Once stored, a secret’s value is never returned over the API — Studio can use it, but it can’t be read back out, even by you.

Scopes

Each secret has a scope that controls who can use it:

  • Organization — visible to all members of the org. Use this for shared credentials your team’s agents rely on.
  • Private — visible only to you. Use this for personal keys you don’t want to share.

Names are case-insensitive within a scope and may contain letters, digits, underscores, dots, and hyphens (for example, STRIPE_API_KEY ).

Creating a secret

  1. Open Settings → Secrets.
  2. Click New secret.
  3. Pick a scope (Organization or Private), give it a name and value, and optionally a description of what it’s for.
  4. Click Create secret.

The value is written straight to the vault. To rotate a secret, create it again with the same name; to stop using one, delete it.

Secrets are for arbitrary sensitive values. Credentials for a specific connection (OAuth tokens, per-connection keys) are managed where you set up that connection — also encrypted, also never exposed to your team.

Found an error or want to improve this page?

Edit this page