The superserve secrets commands manage encrypted environment variables for your agents. Secrets are injected into the agent’s runtime environment and never appear in logs or LLM context.

Set Secrets

Set one or more secrets for an agent:
superserve secrets set my-agent ANTHROPIC_API_KEY=sk-ant-... OPENAI_API_KEY=sk-...

Single Secret

superserve secrets set my-agent ANTHROPIC_API_KEY=sk-ant-api03-xyz123...

Multiple Secrets

superserve secrets set my-agent \
  ANTHROPIC_API_KEY=sk-ant-... \
  OPENAI_API_KEY=sk-... \
  DATABASE_URL=postgres://...

Example Output

✓ Set 1 secret(s) for agent 'my-agent'
Current secrets: ANTHROPIC_API_KEY

Try your agent in Playground: https://playground.superserve.ai/agents/agt_abc123def456/

List Secrets

List secret keys configured for an agent:
superserve secrets list my-agent

Example Output

Secrets for agent 'my-agent':

Key
ANTHROPIC_API_KEY
OPENAI_API_KEY
DATABASE_URL
For security, the CLI only shows secret keys, never values. Values are encrypted and cannot be retrieved.

No Secrets

If no secrets are configured:
No secrets configured for agent 'my-agent'
Set secrets with:

  superserve secrets set my-agent KEY=VALUE

Delete Secret

Delete a specific secret from an agent:
superserve secrets delete my-agent ANTHROPIC_API_KEY
The CLI prompts for confirmation:
Delete secret 'ANTHROPIC_API_KEY' from agent 'my-agent'? (y/N)
Type y to confirm.

Skip Confirmation

superserve secrets delete my-agent ANTHROPIC_API_KEY --yes

Example Output

✓ Deleted secret 'ANTHROPIC_API_KEY' from agent 'my-agent'
Remaining secrets: OPENAI_API_KEY, DATABASE_URL

Command Reference

superserve secrets set

Set one or more secrets for an agent.
agent (string, required): Agent name or ID (e.g., my-agent or agt_abc123def456)
key-values (string[], required): One or more KEY=VALUE pairs separated by spaces

superserve secrets list

List secret keys for an agent.
agent (string, required): Agent name or ID (e.g., my-agent or agt_abc123def456)

superserve secrets delete

Delete a secret from an agent.
agent (string, required): Agent name or ID (e.g., my-agent or agt_abc123def456)
key (string, required): Secret key to delete (e.g., ANTHROPIC_API_KEY)
-y, --yes (flag, default: false): Skip confirmation prompt

Required Secrets

You can specify required secrets in superserve.yaml:
name: my-agent
command: python agent.py

secrets:
  - ANTHROPIC_API_KEY
  - DATABASE_URL
When you deploy, the CLI reminds you to set these:
Set your secrets before running:

  superserve secrets set my-agent ANTHROPIC_API_KEY=...
If you try to run the agent without required secrets:
✗ Missing required secret(s): ANTHROPIC_API_KEY

Set them with:

  superserve secrets set my-agent ANTHROPIC_API_KEY=...

Secret Format

Secrets must follow the KEY=VALUE format:
✅ Valid:
superserve secrets set my-agent API_KEY=sk-123
superserve secrets set my-agent DATABASE_URL="postgres://user:pass@host/db"
superserve secrets set my-agent "COMPLEX_KEY=value with spaces"
❌ Invalid:
superserve secrets set my-agent API_KEY  # Missing value
superserve secrets set my-agent =sk-123   # Missing key

Values with Spaces or Special Characters

Quote the entire KEY=VALUE pair:
superserve secrets set my-agent "SECRET=value with spaces"

How Secrets Work

Secrets are:
  1. Encrypted at rest - Stored with AES-256 encryption
  2. Injected at runtime - Available as environment variables to your agent
  3. Never logged - Don’t appear in logs, traces, or LLM context
  4. Network proxied - Can be auto-injected into HTTP requests (with credential proxy)

Accessing Secrets in Code

import os

api_key = os.environ["ANTHROPIC_API_KEY"]

Examples

Set Multiple Secrets from .env File

If you have a .env file:
# .env
ANTHROPIC_API_KEY=sk-ant-...
OPENAI_API_KEY=sk-...
DATABASE_URL=postgres://...
Convert it to command arguments:
grep -v '^#' .env | xargs superserve secrets set my-agent
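
An added example, not part of the Superserve docs or CLI: a POSIX shell loader that applies the KEY=VALUE rules from Secret Format to each line of a .env file and passes every pair as a single argument, so values containing spaces or = (see Values with = Characters) reach the CLI intact instead of being split on whitespace. The function names and the allowed key characters are assumptions.

```shell
# Added example, not Superserve code. Assumes one KEY=VALUE per line, values
# unquoted (surrounding quotes would be stored literally), no multi-line values.

# valid_pair PAIR: succeed only for KEY=VALUE with a non-empty key and value.
# The key character set (letters, digits, underscore) is an assumption.
valid_pair() {
  case "$1" in
    *=*) ;;                         # separator present
    *) return 1 ;;                  # "API_KEY" alone: missing value
  esac
  vp_key=${1%%=*}                   # text before the FIRST '=' is the key
  vp_value=${1#*=}                  # the rest is the value, so abc==xyz== survives
  [ -n "$vp_value" ] || return 1
  case "$vp_key" in
    ''|[0-9]*|*[!A-Za-z0-9_]*) return 1 ;;   # "=sk-123": missing key
  esac
}

# set_secrets_from_env AGENT FILE: validate every line, then make one CLI call.
# Errors name the line number only, so a malformed value never reaches the log.
set_secrets_from_env() {
  sse_agent=$1 sse_file=$2 sse_n=0
  set --                            # reuse "$@" as the argument list
  while IFS= read -r sse_line || [ -n "$sse_line" ]; do
    sse_n=$((sse_n + 1))
    case "$sse_line" in
      ''|'#'*) continue ;;          # skip blank lines and comments
    esac
    if ! valid_pair "$sse_line"; then
      echo "$sse_file:$sse_n: not a valid KEY=VALUE line" >&2
      return 1
    fi
    set -- "$@" "$sse_line"         # one argument per line; spaces stay intact
  done < "$sse_file"
  if [ "$#" -eq 0 ]; then
    echo "$sse_file: no secrets found" >&2
    return 1
  fi
  superserve secrets set "$sse_agent" "$@"
}

# Usage: set_secrets_from_env my-agent .env
```

Because nothing is sent until every line has passed validation, a malformed file leaves the agent's existing secrets untouched.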

Update a Secret

To change a secret value, set it again:
superserve secrets set my-agent ANTHROPIC_API_KEY=sk-new-key-...
This overwrites the previous value.

Verify Secrets are Set

superserve secrets list my-agent | grep ANTHROPIC_API_KEY
If the key is listed, it’s set.

Delete All Secrets

for key in $(superserve secrets list my-agent --json | jq -r '.[]'); do
  superserve secrets delete my-agent "$key" --yes
done
This is destructive. Use with caution.

Security Best Practices

  • Never commit secrets - Don’t add API keys to version control
  • Use different keys per environment - Separate keys for dev/staging/prod agents
  • Rotate regularly - Update API keys every 90 days
  • Use minimal permissions - Grant agents only the API access they need
  • Monitor usage - Check API provider dashboards for unexpected activity

Credential Proxy

Superserve can automatically inject secrets into HTTP requests without exposing them to the agent:
name: my-agent
command: python agent.py

secrets:
  - ANTHROPIC_API_KEY

credential_proxy:
  - pattern: "api.anthropic.com"
    header: "x-api-key"
    secret: ANTHROPIC_API_KEY
Now when your agent makes requests to api.anthropic.com, the proxy injects the x-api-key header automatically. The agent never sees the API key - it doesn’t appear in:
  • LLM context
  • Tool outputs
  • Logs
  • Network traces visible to the agent
See Credential Proxy for details.

Troubleshooting

“Invalid format ‘KEY’. Use KEY=VALUE”

Ensure you use the = separator:
superserve secrets set my-agent KEY=VALUE
Not:
superserve secrets set my-agent KEY VALUE  # Wrong

“Agent not found”

Verify the agent exists:
superserve agents list

Values with = Characters

If your secret value contains = (e.g., Base64), quote it:
superserve secrets set my-agent "TOKEN=abc==xyz=="

CI/CD Integration

Set secrets in your CI pipeline:
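- name: Set secrets
  env:
    # Pass values through the environment so the shell never parses them as script text
    ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }}
    DATABASE_URL: ${{ secrets.DATABASE_URL }}
  run: |
    superserve secrets set my-agent \
      "ANTHROPIC_API_KEY=$ANTHROPIC_API_KEY" \
      "DATABASE_URL=$DATABASE_URL"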
Store secrets in your CI platform’s secret manager, not in the pipeline YAML.
