GITHUB_TOKEN and it can work with your repos, give it a DATABASE_URL and it can query your database, give it any API key and it can call that API.
You do not need a pre-built integration for every service. Store a credential here, grant it to an instance, and the agent can use it.
What gets stored here
| Category | Examples |
|---|---|
| Source control | GITHUB_TOKEN |
| | RESEND_API_KEY |
| Database | DATABASE_URL |
| Weather / geo | OPENWEATHER_API_KEY |
| Wallets | PRIVY_APP_ID, PRIVY_APP_SECRET |
| Social | X API secrets, Twilio secrets |
| Infrastructure | Cloudflare API token, VERCEL_TOKEN |
| AI models | Replicate, fal.ai tokens |
Access modes
- Global
- Instance specific
A global secret is automatically available to all instances, including variant instances created during agent evolution. Use this mode for secrets that every agent should have access to.
Important behavior
- Secret values are encrypted at rest (AES-256-GCM).
- You only see the full value once when you create it.
- Installing a skill does not create or grant its secrets.
- The matching secret still needs to exist and be accessible.
Common agent requirements
| Agent or integration | Required secrets |
|---|---|
| GitHub | GITHUB_TOKEN |
| Vercel deploys | VERCEL_TOKEN, GITHUB_TOKEN |
| Resend | RESEND_API_KEY |
| Privy | PRIVY_APP_ID, PRIVY_APP_SECRET |
| PostgreSQL | DATABASE_URL |
| X | X API secrets |
| Twilio | Twilio account secrets |
| Cloudflare | Cloudflare API token |
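The access rules above (global versus instance-specific secrets, and a skill install not granting its secrets) can be checked before an agent runs. The following Python is an added example, not the platform's own code or API: the `Secret` record, the instance ids and the sample store are constructed assumptions, and only the secret names come from the table above.

```python
"""Constructed model of this page's access rules; not the platform's API."""
from dataclasses import dataclass

# Secret names copied from the "Common agent requirements" table.
REQUIRED = {
    "GitHub": ["GITHUB_TOKEN"],
    "Vercel deploys": ["VERCEL_TOKEN", "GITHUB_TOKEN"],
    "Resend": ["RESEND_API_KEY"],
    "PostgreSQL": ["DATABASE_URL"],
}

@dataclass(frozen=True)
class Secret:  # hypothetical record: metadata only, never the secret value
    name: str
    is_global: bool = False
    granted_to: frozenset = frozenset()  # instance ids (instance-specific mode)

def preflight(store, instance_id, integrations):
    """Map each required secret to 'ok', 'not_granted' or 'missing'."""
    by_name = {s.name: s for s in store}
    report = {}
    for integration in integrations:
        for name in REQUIRED[integration]:
            secret = by_name.get(name)
            if secret is None:
                report[name] = "missing"  # installing the skill did not create it
            elif secret.is_global or instance_id in secret.granted_to:
                report[name] = "ok"
            else:
                report[name] = "not_granted"  # exists, but not for this instance
    return report

def overbroad_globals(store, fleet):
    """Global secrets that at least one instance in the fleet does not require."""
    flagged = {}
    for secret in (s for s in store if s.is_global):
        unneeded = sorted(
            inst for inst, integrations in fleet.items()
            if all(secret.name not in REQUIRED[i] for i in integrations))
        if unneeded:
            flagged[secret.name] = unneeded
    return flagged

# Constructed sample data: instance ids and grants are illustrative.
STORE = [Secret("GITHUB_TOKEN", is_global=True),
         Secret("DATABASE_URL", is_global=True),
         Secret("VERCEL_TOKEN", granted_to=frozenset({"deployer"}))]
FLEET = {"deployer": ["GitHub", "Vercel deploys"], "mailer": ["GitHub", "Resend"]}
if __name__ == "__main__":
    print(preflight(STORE, "mailer", FLEET["mailer"]), overbroad_globals(STORE, FLEET))
```

A global secret flagged by `overbroad_globals` is a candidate for instance-specific access, since global secrets also reach variant instances automatically.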
Recommended workflow
Related docs
- Integrations: What secrets connect to
- Instances: Where secrets get used
- Agents: How agents consume secrets at runtime
- API: Manage secrets programmatically