Docs · Secrets

Secrets and the vault.

Agents are only as safe as their credentials. Qoren stores secrets encrypted at rest in a per-organization vault, injects them into agents only when you explicitly select them, and isolates every agent under its own system user.

How the vault works

The vault (Secrets in the sidebar) holds your organization's reusable secrets: API keys, tokens, and env vars your agents need. Saved secrets become selectable whenever you deploy or configure an agent.

  • Values are encrypted at rest and are write-only in listings: the list shows names and descriptions, never values.
  • Revealing a stored value is an explicit action, and every reveal is audited.
  • Updating a secret re-injects the new value into the agents that use it.
  • Deleting a secret removes it from the vault; agents keep the value already written to their .env until reconfigured.

Value secrets and file secrets

A secret is either a plain value (an API key, a token) or a file (a service-account JSON, a PEM key, anything up to 1 MB). File secrets keep their extension so the on-disk filename the agent sees makes sense.

How secrets reach an agent

Injection is opt-in, per agent. When deploying or configuring, tick the vault secrets this agent should get; nothing is ever auto-shared. Your browser only ever sends secret names; the server decrypts the values and writes them into the agent's .env server-side, so decrypted values never travel through the client.

  • Template-declared variables: templates prompt for required and optional keys; typed values are sent once over TLS and written to the agent's .env.
  • Managed model key: when a template needs OPENROUTER_API_KEY, the platform-managed key (or your BYOK key) is injected automatically.
  • Messaging gateway credentials (Telegram, Slack, and others) are entered as structured settings and expanded into the env vars the runtime reads.

The isolation model

Isolation is layered so one leak or one misbehaving agent stays small.

  • Each client or organization gets separate environments, agents, secrets, and files are never shared across them.
  • Each agent on an environment runs under its own system user with its own home directory and .env.
  • Secrets are scoped to the organization that saved them and injected only where selected.

Least-privilege guidance

The platform isolates what you give it, but what you give it is still the decision that matters most.

  • Give each integration the narrowest token that works, read-only where the agent only reads.
  • Use separate credentials per agent, so one leak does not unlock everything.
  • Rotate a credential whenever it has been shared, logged, or pasted anywhere outside the vault.

Workspace files are not secrets

Templates can seed an agent with workspace files, an ICP description, a voice guide, a watchlist. These live under workspace/ in the agent's home directory and are editable content, capped at 256 KB per file. Keep credentials in secrets, not in workspace files: workspace files are neither encrypted at rest nor write-only.

Frequently asked questions

Not by default. Listings show names and descriptions only. A stored value can be revealed explicitly, and each reveal is audited.

Keep reading

See it with a real agent.

The fastest way to understand the flow is to deploy a template and watch its first run.

Start free trial