Skip to content
Select themeSelect language

Manage secrets in the UI

Secrets in SupaCloud are stored encrypted in the database. Every secret belongs to exactly one scope — personal, workspace, or organization — and the server selects the most-specific winner at runtime so agents always receive the right credential without manual wiring.

The settings area with its tab rail (workspace, credentials, secrets, integrations).The settings area with its tab rail (workspace, credentials, secrets, integrations).
Scope Who sees it Who can write it Typical use
Personal Only you You Your own AI provider key or Git token
Workspace All workspace members Workspace admins A shared API key for a project
Organization All org members (metadata only; value at use-time) Org owners and admins A billing-level key enforced across all workspaces

When an agent resolves a named secret the rule is:

personal → workspace → organization

The most-specific match wins. If a workspace key exists with the same name as an organization key, the workspace key is used — unless the organization key carries the Locked flag, which forces the org value for every member regardless of scope.

This means:

  • A developer can override a shared org key for their own personal use (no lock set).
  • An org admin can pin a billing key so no one can shadow it (lock set).
  1. Go to Settings → API Keys.
  2. Select the AI provider.
  3. Enter an optional label and the key value.
  4. Choose a scope using the scope toggle: Personal, Workspace, or Organization.
    • For Workspace scope you can target all workspaces or a specific one.
    • Organization scope requires you to be an org owner or admin.
  5. Click Save.

Some providers connect with an account instead of a pasted key. In Settings → API Keys, pick the provider and choose Connect to start an OAuth flow:

  • Anthropic, OpenAI and Google open a browser authorization and return an access token (you paste back a short code where prompted).
  • GitHub Copilot uses a device code: SupaCloud shows a short user code and a github.com URL in a dialog. Open the URL, enter the code, and authorize — SupaCloud polls in the background and finishes the connection automatically. The Copilot subscription’s models then become available for a task or an agent profile.

A connected credential shows the identity of the account it is bound to, so you can tell several connections of the same provider apart:

  • For Anthropic the account email (read from the provider’s profile endpoint).
  • For GitHub Copilot / GitHub the GitHub handle.
  • Unavailable when the provider exposes neither — the connection still works; only the label is missing.

Locking forces the org-level value to win regardless of any personal or workspace override.

  1. Go to the relevant tab (API Keys, Git, or Variables).
  2. Find the org-scoped entry in the saved list — it carries the Organization scope badge.
  3. Click Lock. The badge changes to Locked.
  4. To reverse it, click Unlock on the same row.

Secret values are never shown in the list after saving. To retrieve a value you must re-enter it — there is no “reveal” button by design. If you need to rotate a credential, delete the existing entry and add a new one.

Click Delete on the row in the saved list and confirm. Deletion is immediate. Any agent task that resolves the same name at a higher scope will fall back to that value automatically.