Secrets are encrypted credentials that tools and integrations use at runtime. They're key-value pairs. You provide the key and value, and Infracodebase encrypts and stores them securely.
Click Add Secret and provide a key (a name for the secret like AWS_ACCESS_KEY_ID) and a value (the secret value, encrypted immediately).
Secrets are encrypted at rest using AES-256-GCM with envelope encryption. Each secret gets its own unique encryption key, so compromising one secret does not expose others. All mutations are tracked in a tamper-evident audit log with hash chaining, so you have a verifiable record of every change.
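The hash chaining described above, shown as an added example that is not Infracodebase's own code: each audit entry commits to the hash of the previous entry, so an in-place edit, a deleted entry, or a truncated tail fails verification. The record fields, the use of SHA-256, the all-zero genesis value, and the externally stored head hash are assumptions made for illustration.

```python
import hashlib
import json

GENESIS = "0" * 64  # assumed anchor value preceding the first entry

def _digest(prev_hash, event):
    # Canonical JSON so the same event always serializes to the same bytes.
    body = json.dumps(event, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + body).encode()).hexdigest()

def append(log, event):
    """Append an event, binding it to the hash of the previous entry."""
    prev_hash = log[-1]["hash"] if log else GENESIS
    log.append({"event": event, "prev": prev_hash,
                "hash": _digest(prev_hash, event)})
    return log

def verify(log, expected_head=None):
    """Return the index of the first bad entry, or -1 if the chain is intact.

    expected_head is a head hash kept outside the log; without it,
    dropping entries from the tail would go unnoticed.
    """
    prev_hash = GENESIS
    for i, entry in enumerate(log):
        recomputed = _digest(prev_hash, entry["event"])
        if entry["prev"] != prev_hash or entry["hash"] != recomputed:
            return i
        prev_hash = entry["hash"]
    if expected_head is not None and prev_hash != expected_head:
        return len(log)  # chain is consistent but shorter than expected
    return -1

def build_sample():
    # Constructed sample mutations: key names only, never secret values.
    log = []
    for seq, (action, scope) in enumerate(
            [("create", "enterprise"), ("create", "workspace"),
             ("delete", "workspace")], start=1):
        append(log, {"seq": seq, "action": action, "scope": scope,
                     "key": "AWS_ACCESS_KEY_ID"})
    return log

if __name__ == "__main__":
    log = build_sample()
    head = log[-1]["hash"]
    print("intact:", verify(log, head))
    log[1]["event"]["action"] = "update"  # rewrite history in place
    print("after edit:", verify(log, head))
    print("after truncation:", verify(build_sample()[:2], head))
```

A verifier that also recomputes the edited entry's own hash still fails at the next entry, because that entry's stored `prev` no longer matches.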
Secret values are never shown in the UI, never exposed in conversations, and never visible to the agent. They are only available to MCP tools and other CLI tools installed in the agent's operating environment that need them for authentication at runtime. The agent cannot read or display secret values. Output from tools is also scanned to prevent accidental exposure of sensitive values in conversation.
Enterprise secrets are available to tools in all workspaces. Workspace secrets are scoped to that specific workspace.
If a workspace secret has the same key as an enterprise secret, the workspace secret takes precedence for that workspace. This lets you override enterprise-level credentials when a specific workspace needs different access. For example, you might have a default AWS credential at the enterprise level but override it in a workspace that targets a different account or region.
We are working on support for bring-your-own-key (BYOK) so that secrets can be encrypted with keys you manage. This means Infracodebase would never store your encryption keys, giving you full control over the cryptographic lifecycle of your credentials.