Secrets
Secrets declare credentials required by the agent. Values are set via the CLI and encrypted at rest with AES-256-GCM.
Schema
secrets:
- name: string
description: string
required: boolean
Fields
| Field | Description |
|---|---|
name | Secret identifier. Referenced in secret_headers as ${NAME}. |
description | Human-readable description |
required | If true, agent cannot deploy without this secret set |
Usage
- Declare secrets in the manifest:
secrets:
- name: OPENAI_API_KEY
description: OpenAI API key
required: true
- name: WEBHOOK_SECRET
description: Webhook signing secret
required: false
- Set secret values via CLI:
h0 secret set <agent_id> OPENAI_API_KEY sk-xxx
- Reference in capabilities:
capabilities:
- name: openai-chat
secret_headers:
Authorization: "Bearer ${OPENAI_API_KEY}"
Security
- Secrets are encrypted at rest using AES-256-GCM
- Encryption key is stored in AWS Secrets Manager
- Secret values are never logged or returned via API
- Only secret names are visible in
h0 secret list - Decryption happens at request time in the proxy