My Secrets

Manage environment variables and encrypted secrets for your plugins and MCP servers. Securely store API keys, tokens, and configuration values.

On this page

The My Secrets page lets you manage environment variables and encrypted secrets. These values are passed to your MCP servers and skills at runtime, providing API keys, tokens, and configuration values they need to function.

How Secrets Work

Secrets and environment variables are the secure way to provide sensitive configuration to your MCP servers and skills. Instead of hardcoding API keys or credentials into your skill content or server configurations, you store them here and they are injected automatically at runtime.

Each variable is associated with a specific plugin, keeping your secrets organized and scoped to the services that need them.

Browsing Your Secrets

The secrets table groups variables by plugin and shows:

  • Variable Name — The name of the environment variable (in UPPER_SNAKE_CASE)
  • Plugin — Which plugin the variable belongs to
  • Type — Whether the value is encrypted or stored as a plain environment variable
  • Value — The current value (encrypted values are masked)
  • Actions — Edit or delete the variable

Summary stats at the top show the total number of variables and how many are encrypted.

Adding a New Secret

Click the add button to open the side panel form with the following fields:

  • Plugin — Select which plugin this secret belongs to from the dropdown
  • Variable Name — The environment variable name, in UPPER_SNAKE_CASE (e.g., GITHUB_API_TOKEN)
  • Value — The secret value (API key, token, password, etc.)
  • Encrypt — Toggle to encrypt the value using ChaCha20-Poly1305 encryption

When to Encrypt

Enable encryption for any sensitive value — API keys, passwords, tokens, and credentials. Plain environment variables are appropriate for non-sensitive configuration like feature flags, region settings, or display preferences.

Encrypted secrets use ChaCha20-Poly1305 authenticated encryption, a modern and secure encryption algorithm. Once encrypted, the original value cannot be viewed — you can only replace it with a new value.

Editing and Deleting Secrets

Use the action buttons to edit or delete variables. When editing an encrypted secret, the current value is not displayed — you can enter a new value to replace it. Deleting a variable removes it permanently.

Tips

  • Use descriptive, consistent naming conventions for your variables (e.g., SERVICENAME_API_KEY)
  • Always encrypt sensitive values like API keys, passwords, and tokens
  • Check plugin documentation to see which environment variables a plugin expects
  • If an MCP server is not working correctly, verify that all required secrets are configured and have valid values