Keyvault
Securely store and manage your API keys, credentials, and sensitive data.
Short summary: Keyvault is a centralized, secure store where users add keys and secret values (API keys, credentials, tokens, etc.). Secrets remain stored until the user explicitly revokes them. Storing secrets in Keyvault reduces exposure and ensures controlled access across the platform.
💡 Core Concepts
To use Keyvault effectively, you should understand these key concepts.
1. Secret
A Secret is a key/value pair where key is the identifier (e.g., OPENAI_API_KEY) and value is the sensitive content (the actual key string). The Keyvault stores the secret securely so it can be retrieved by authorized agents and services at runtime.
2. Revocation
Secrets live indefinitely until you explicitly revoke them. Revoking a secret immediately prevents further retrieval and signals consumers to refresh credentials.
3. Protection
Keyvault encrypts your keys both at rest and in transit. Once saved, no one (not even you or the administrators) can view the plaintext value of the secret again. You can only revoke it.
4. System Set Tokens
There are system set tokens that Svahnar sets for certain tools and agents used on behalf of the user. These are your OAuth tokens and other tokens used when you login to other applications. Note that these tokens cannot be deleted by you directly.
⚙️ Configuration & Usage
Add a Secret
Adding keys to the Keyvault ensures sensitive values are securely stored and retrievable only by authorized services.
- Navigate to Keyvault
- From the header, click Keys.
- In the left-hand sidebar, click Key vault to open the Keyvault panel.
- Click Add Keys
- Press the Create Keys (or + Add Secret) button.
- A modal will open where you can enter the key details.
- Fill in details
- Key name: An identifier for your secret (e.g.,
OPENAI_API_KEY). - Key Value: The actual secret value (e.g., your OpenAI API key string).
- Description: Add context to remember what this key is for (e.g., "Production API key").
- Key name: An identifier for your secret (e.g.,
- Save
- Click Save. The secret is now encrypted and stored.
Use in an Agent
Once stored, you can reference the secret in your agent configuration using the special placeholder format:
${your_key_name}
The platform will automatically resolve this placeholder to the actual key value at runtime.
Where to use:
-
Agent Console: In Tool Config fields.
api_key: ${tavily_api_key} -
YAML Configurations: When adding keys in YAML, the placeholder can be used directly, as shown in the examples.
api_key: ${tavily_api_key}
Revoke a Secret
You can revoke a key at any time.
- Navigate to your Key Vault.
- Locate the key you want to revoke.
- In the key’s row, click on the Delete icon.
- Confirm the action in the dialog.
Only the user who created the key can delete it.
Once a key is revoked, it is permanently deleted. You will no longer be able to access or recover it from any location.
📚 Example: Using a Secret in a Tool Configuration
Use Case: Authenticating a tool or Knowledge Repository Connector.
tools:
tool_assigned:
- name: Zapier_Trigger
config:
# Reference the Zap ID
zap_id: "${MY_ZAP_ID}"
- name: Google_Search
config:
api_token: "${SERP_API_TOKEN}"
🚑 Troubleshooting
-
Secret not working / "Authentication Failed"
- Ensure the Key Name in your YAML matches exactly what is in Keyvault.
- Check for typos in
${key_name}. - If using YAML, ensure you used double quotes:
"${key_name}".
-
Can I see my secret value again?
- No. The value is visible only once, at the time of creation. After saving, even the creator cannot view it again.
-
Who can revoke my keys?
- Only the user who created the key can revoke/delete it.