Secrets & Credentials

Overview

RunTools secrets store API keys, provider credentials, and custom values for tools, agents, and workflows. Secrets live on the tools service:

https://tools.runtools.ai/v1/secrets

Secrets are user-private by default. Org-shared secrets are admin-controlled and can be used by the organization.

Create Or Rotate

runtools secret set ANTHROPIC_API_KEY "sk-ant-xxx" --category provider

runtools secret set GITHUB_TOKEN "ghp_xxx" \
  --category tool \
  --description "GitHub fallback token"

runtools secret set SHARED_CRM_KEY "crm_xxx" \
  --category tool \
  --org-wide

echo "new-secret-value" | runtools secret rotate ANTHROPIC_API_KEY

List Metadata

List responses never include secret values.

runtools secret list
runtools secret list --user-only
runtools secret list --org-only
runtools secret list --all-org

Reveal When Allowed

runtools secret get ANTHROPIC_API_KEY --reveal
runtools secret get SHARED_CRM_KEY --org-wide --reveal

const revealed = await rt.secrets.get('ANTHROPIC_API_KEY', {
  reveal: true,
});

Reveal policy is enforced by the API. User-private values can only be revealed by their owner; org-shared values require org policy/admin access where applicable.

Delete

runtools secret delete ANTHROPIC_API_KEY
runtools secret delete SHARED_CRM_KEY --org-wide

await rt.secrets.delete('ANTHROPIC_API_KEY');
await rt.secrets.delete('SHARED_CRM_KEY', { orgWide: true });

Tool Credential Overrides

Use credentialOverrides to keep actual secret values server-side during tool execution:

await rt.tools.execute('custom-crm', {
  action: 'lookup_customer',
  params: { email: 'person@example.com' },
  credentialOverrides: {
    apiKey: 'SHARED_CRM_KEY',
  },
});

API Reference

Method	Path	Description
`GET`	`/v1/secrets`	List metadata
`POST`	`/v1/secrets`	Create or rotate a secret
`GET`	`/v1/secrets/{name}`	Get metadata
`POST`	`/v1/secrets/{name}/reveal`	Reveal when policy allows
`DELETE`	`/v1/secrets/{name}`	Delete a secret

Query options include category, secretScope=user|org, all=true, orgWide=true, and admin-targeted user_id.

Best Practices

Prefer connected apps for OAuth providers

GitHub, Google, Slack, and similar providers are better handled through OAuth when the tool supports it.

Use org-shared secrets intentionally

Use --org-wide only for credentials meant to be shared by the organization.

Keep names stable

Rotate by updating the value behind a stable name, such as ANTHROPIC_API_KEY.

Avoid logging revealed values

Treat revealed values as sensitive and avoid printing them in CI logs.

Getting Started

Platform

Core Features

Advanced

Secrets & Credentials

Overview

Create Or Rotate

List Metadata

Reveal When Allowed

Delete

Tool Credential Overrides

API Reference

Best Practices

Getting Started

Platform

Core Features

Advanced

Documentation Index

​Overview

​Create Or Rotate

​List Metadata

​Reveal When Allowed

​Delete

​Tool Credential Overrides

​API Reference

​Best Practices

Overview

Create Or Rotate

List Metadata

Reveal When Allowed

Delete

Tool Credential Overrides

API Reference

Best Practices