What gets stored here
Typical secrets include:GITHUB_TOKENRESEND_API_KEYDATABASE_URLPRIVY_APP_IDPRIVY_APP_SECRET- Provider tokens for X, Twilio, Cloudflare, Google Workspace, Replicate, and others
Secret access modes
Global
A global secret is automatically available to all of your instances.Instance specific
An instance specific secret stays locked until you grant that instance access. Use this when different agents should use different accounts, repositories, or environments.Important behavior
- Secret values are encrypted at rest.
- You only see the full value once when you create it.
- Installing a skill does not create or grant its secrets.
- The matching secret still needs to exist and be accessible.
Common skill requirements
| Skill or workflow | Typical secret names |
|---|---|
| GitHub | GITHUB_TOKEN |
| Vercel deploys | VERCEL_TOKEN, GITHUB_TOKEN |
| Resend | RESEND_API_KEY |
| Privy | PRIVY_APP_ID, PRIVY_APP_SECRET |
| PostgreSQL | DATABASE_URL |
| X | X API secrets used by your X skill setup |
| Twilio | Twilio account secrets used by your SMS skill setup |
| Cloudflare | Cloudflare API token |
How managed skills use secrets
Managed skills fetch secrets at runtime. That means:- values are not hardcoded into the skill
- rotated secrets are picked up on the next use
- cron jobs inside an instance should also fetch secrets at runtime
Recommended workflow
- Add the secret in Environment.
- Decide whether it should be global or instance specific.
- If it is instance specific, grant access to the right instance.
- Ask the manager or the agent to use the skill.