Secrets Management
Endpoints for managing API keys and credentials used by assistants.
GET /api/assistants/{id}/secrets
List secrets for an assistant.
Authentication: Required (AI seat)
Permission: assistant:write (to view secrets)
Response:
{
  "_links": {
    "self": { "href": "/api/assistants/{id}/secrets" }
  },
  "_embedded": {
    "inf:assistant-secret": [
      {
        "id": "secret-123",
        "assistantId": "team:sales-assistant",
        "name": "HUBSPOT_API_KEY",
        "description": "HubSpot CRM API key",
        "value": "********",
        "createdAt": "2024-01-15T10:00:00Z"
      }
    ]
  },
  "start": 0,
  "count": 1,
  "total": 1
}
Secret Values
Secret values are masked in list responses. Only the assistant can access plaintext values during skill execution.
POST /api/assistants/{id}/secrets
Add a secret to an assistant.
Permission: assistant:write
Request Body:
| Field | Type | Required | Description |
|---|---|---|---|
| name | string | Yes | Secret key name (e.g., API_KEY) |
| value | string | Yes | Secret value (will be encrypted) |
| description | string | No | Secret description |
Example Request:
{
  "name": "SLACK_BOT_TOKEN",
  "value": "xoxb-your-token-here",
  "description": "Slack bot token for notifications"
}
Response: 201 Created
GET /api/assistants/{id}/secrets/{secretId}
Get a specific secret (value masked).
Response: Secret object
PUT /api/assistants/{id}/secrets/{secretId}
Update a secret.
Permission: assistant:write
Request Body:
| Field | Type | Description |
|---|---|---|
| name | string | Update secret name |
| value | string | Update secret value |
| description | string | Update description |
Response: Updated secret object
DELETE /api/assistants/{id}/secrets/{secretId}
Delete a secret.
Permission: assistant:write
Response: 204 No Content
Security Considerations
Encryption
- Secrets are encrypted at rest using tenant-specific encryption keys
- Secret values are only accessible to the assistant during skill execution
Access Control
- Only users with assistant:write permission can manage secrets
- Secrets are isolated per assistant
Best Practices
- Use descriptive names (e.g., GITHUB_TOKEN, STRIPE_SECRET_KEY)
- Rotate secrets periodically
- Delete unused secrets
- Never hardcode secrets in instructions or skill configurations
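
The rotation and masking points above can be checked against the list response. The following is an added example, not part of the original API documentation: it audits one page of `GET /api/assistants/{id}/secrets` output for unmasked values and overdue rotation. The function name `audit_secrets`, the 90-day threshold, the all-asterisk mask check and the use of `createdAt` as the age of the secret are assumptions; the sample response is constructed.

```python
import json
from datetime import datetime, timedelta, timezone

# Constructed sample, shaped like the documented list response.
SAMPLE_RESPONSE = json.loads("""
{
  "_embedded": {"inf:assistant-secret": [
    {"id": "secret-123", "name": "HUBSPOT_API_KEY", "value": "********",
     "createdAt": "2024-01-15T10:00:00Z"},
    {"id": "secret-456", "name": "SLACK_BOT_TOKEN", "value": "********",
     "createdAt": "2024-05-20T08:30:00Z"},
    {"id": "secret-789", "name": "GITHUB_TOKEN", "value": "not-masked-sample",
     "createdAt": "2024-06-01T12:00:00Z"}
  ]},
  "start": 0, "count": 3, "total": 4
}
""")

MAX_AGE = timedelta(days=90)  # assumed rotation policy, not set by the API


def audit_secrets(page, now, max_age=MAX_AGE):
    """Return (findings, complete) for one page of the secrets list."""
    findings = []
    for secret in page.get("_embedded", {}).get("inf:assistant-secret", []):
        # List responses are documented as masked; the docs show "********".
        # Assumption: a masked value consists only of asterisks.
        if set(secret.get("value", "")) != {"*"}:
            findings.append((secret["id"], "value-not-masked"))
        # Assumption: createdAt approximates the age of the current value,
        # since the documented response shows no update timestamp.
        created = datetime.fromisoformat(
            secret["createdAt"].replace("Z", "+00:00"))
        if now - created > max_age:
            findings.append((secret["id"], "rotation-overdue"))
    # start/count/total tell us whether more secrets remain unaudited.
    complete = page["start"] + page["count"] >= page["total"]
    return findings, complete


if __name__ == "__main__":
    results, done = audit_secrets(SAMPLE_RESPONSE, datetime.now(timezone.utc))
    for secret_id, issue in results:
        print(f"{secret_id}: {issue}")
    if not done:
        print("more secrets remain; audit the remaining entries as well")
```
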