# Secret Store

> Securely store and manage API keys, tokens, and credentials for use in Agent Studio automations

The Secret Store lets you securely save API keys, tokens, passwords, and other credentials that your Agent Studio automations can use. Secrets are encrypted and stored in Google Secret Manager — values are never visible after saving.

## Accessing the Secret Store

1. Navigate to **Settings** from the main menu
2. Select **Secret Store** from the settings sidebar

## Managing Secrets

### Creating a Secret

1. Click **Add Secret**
2. Enter a unique **Key** name (e.g., `OPENAI_API_KEY`, `SLACK_WEBHOOK_TOKEN`)
3. Enter the secret **Value** in the password field
4. Click **Add Secret** to save

<Tip>
  Use descriptive key names that indicate the secret's purpose, such as `SALESFORCE_API_KEY` or `WEBHOOK_AUTH_TOKEN`.
</Tip>

### Updating a Secret

1. Click the **edit** (pencil) icon next to the secret
2. Enter the new value — the previous value is not shown
3. Click **Update Secret**

### Deleting a Secret

1. Click the **delete** (trash) icon next to the secret
2. Confirm the deletion in the dialog

<Warning>
  Deleting a secret is permanent. Any automations using this secret will fail until a replacement is configured.
</Warning>

## Using Secrets in Agent Studio

Secrets from the Secret Store are available in components that support authentication, such as the **API Call V2** component.

### Example: API Call with Bearer Token

1. Create a secret with key `MY_API_TOKEN` and your token as the value
2. In Agent Studio, add an **API Call V2** component
3. Set **Authentication** to **Bearer Token**
4. Click the refresh icon on **Secret Value** to load your secrets
5. Select `MY_API_TOKEN` from the dropdown

The component retrieves the actual token securely at runtime — it's never exposed in the workflow configuration.

### Supported Authentication Types

| Auth Type        | Secret Used As                                          |
| ---------------- | ------------------------------------------------------- |
| **API Key**      | The API key value sent in a header or query parameter   |
| **Bearer Token** | The token in the `Authorization: Bearer <token>` header |
| **Basic Auth**   | The password (username is configured separately)        |

## Security

* Secrets are **encrypted at rest** in Google Secret Manager
* Secret values are **never displayed** in the UI after creation (always shown as `••••••••`)
* Each organization's secrets are **isolated** — no cross-tenant access
* Only **admins** can create, update, or delete secrets
* Secrets are accessed at **runtime only** by the automation engine

## Best Practices

<Accordion title="Use specific, descriptive key names">
  Name secrets after their purpose and service: `SLACK_WEBHOOK_URL`, `SALESFORCE_REFRESH_TOKEN`, `SENDGRID_API_KEY`.
</Accordion>

<Accordion title="Rotate secrets regularly">
  Update secrets periodically, especially after team member changes or suspected exposure.
</Accordion>

<Accordion title="One secret per purpose">
  Avoid reusing the same secret across unrelated integrations. This makes rotation easier and limits blast radius if a secret is compromised.
</Accordion>
