Managing secrets

The account vault stores secrets (encrypted, write-only values) and plain variables (readable text). Secrets are the right place for API keys, tokens, and passwords. Plain variables suit non-sensitive configuration like region names or feature flags.

Vault entries are scoped to the active account and referenced by name when deploying agents.

Create a secret

$
ast secrets create ANTHROPIC_API_KEY

You will be prompted to enter the value. The input is masked. To set the value non-interactively:

$
ast secrets create ANTHROPIC_API_KEY --value sk-...

To store as a plain (non-encrypted) variable:

$
ast secrets create REGION --value us-east-1 --plain

List secrets

$
ast secrets list

Values are hidden for secrets. Use --values to show plain variable values:

$
ast secrets list --values

Update a secret

$
ast secrets update ANTHROPIC_API_KEY

Prompts for the new value. Pass --value to skip the prompt.

Delete a secret

$
ast secrets delete ANTHROPIC_API_KEY

Import from a file

Bulk-import variables from a .env file:

$
ast secrets import --file .env

Lines of the form KEY=value are imported as secrets by default. Blank values are skipped. Existing variables are skipped unless you pass --overwrite.

Using secrets in deployments

Reference a vault secret when deploying an agent with KEY=@SECRET_NAME:

$
ast blueprint deploy my-agent --var ANTHROPIC_API_KEY=@ANTHROPIC_API_KEY

The @ prefix tells the platform to resolve the value from the vault at deploy time. When the secret name matches the variable name exactly, use @ as a shorthand:

$
ast blueprint deploy my-agent --var ANTHROPIC_API_KEY=@

This is equivalent to --var ANTHROPIC_API_KEY=@ANTHROPIC_API_KEY. To pass a literal @ as a value, escape it with \@:

$
ast blueprint deploy my-agent --var WEBHOOK_URL=\@

See Deploy your first agent for the full deployment flow.