BetterClaw
Connect Your Tools

Secrets

Store API keys and credentials in an encrypted, workspace-scoped vault.

Secrets

The secrets vault stores credentials your agents need — API keys, logins, and OAuth grants — encrypted and scoped to your workspace. You store a value once, assign it to the agents that need it, and they use it without ever seeing the raw secret. Plaintext is never shown back after you save it.

Open Settings ▸ Secrets from the left rail.

Secret types

When you add a secret you pick one of three types:

TypeUse it for
API keyA single key or token for a service.
PasswordA username and password pair.
GenericAny other single value.

OAuth grants also appear in the vault — those come from connecting a connector rather than being added by hand. You can filter the list by All, API key, Password, or OAuth.

Add a secret

  1. Open Secrets and select Add secret.
  2. Choose the type.
  3. Enter a name and the value(s).
  4. Optionally turn on Extended audit retention (see below).
  5. Select Create secret.

Assign to agents

A secret is only usable by the agents you grant it to. Each row shows the agents that currently have access; open the agent popover to grant or revoke access per agent. Open a secret to see its detail slideover, where each secret exposes a reference like secrets.MY_KEY that agents use to read the value, along with its masked preview, when it was last used, total access count, and the agents with access.

Extended audit retention

Turn on Extended audit retention when adding a secret to keep its access log for 1 year instead of the default 90 days — useful for especially sensitive credentials. This option is available on the Pro plan.

Security

  • Secrets are encrypted and scoped to the workspace.
  • Values are masked in the UI — plaintext does not round-trip back to your browser after saving.
  • Agents read a secret by reference and never see the raw value.
  • Every read, grant, and revoke is recorded in the audit log.
Deleting a secret removes it and its access log permanently, and agents that rely on it stop working immediately. If a secret is exposed, rotate it at the provider and update the value here.