> For clean Markdown of any page, append .md to the page URL.
> For a complete documentation index, see https://docs.astropods.com/llms.txt.
> For full documentation content, see https://docs.astropods.com/llms-full.txt.

# Managing secrets

The account vault stores **secrets** (encrypted, write-only values) and **plain variables** (readable text). Secrets are the right place for API keys, tokens, and passwords. Plain variables suit non-sensitive configuration like region names or feature flags.

Vault entries are scoped to the active account and referenced by name when deploying agents.

## Create a secret

```bash
ast secrets create ANTHROPIC_API_KEY
```

You will be prompted to enter the value. The input is masked. To set the value non-interactively:

```bash
ast secrets create ANTHROPIC_API_KEY --value sk-...
```

To store as a plain (non-encrypted) variable:

```bash
ast secrets create REGION --value us-east-1 --plain
```

## List secrets

```bash
ast secrets list
```

Values are hidden for secrets. Use `--values` to show plain variable values:

```bash
ast secrets list --values
```

## Update a secret

```bash
ast secrets update ANTHROPIC_API_KEY
```

Prompts for the new value. Pass `--value` to skip the prompt.

## Delete a secret

```bash
ast secrets delete ANTHROPIC_API_KEY
```

## Import from a file

Bulk-import variables from a `.env` file:

```bash
ast secrets import --file .env
```

Lines of the form `KEY=value` are imported as secrets by default. Blank values are skipped. Existing variables are skipped unless you pass `--overwrite`.

| Flag                     | Description                            |
| ------------------------ | -------------------------------------- |
| `--plain`                | Import all entries as plain variables  |
| `--plain-keys KEY1,KEY2` | Mark specific keys as plain text       |
| `--overwrite`            | Overwrite variables that already exist |

## Using secrets in deployments

Reference a vault secret when deploying an agent with `KEY=@SECRET_NAME`:

```bash
ast blueprint deploy my-agent --var ANTHROPIC_API_KEY=@ANTHROPIC_API_KEY
```

The `@` prefix tells the platform to resolve the value from the vault at deploy time. When the secret name matches the variable name exactly, use `@` as a shorthand:

```bash
ast blueprint deploy my-agent --var ANTHROPIC_API_KEY=@
```

This is equivalent to `--var ANTHROPIC_API_KEY=@ANTHROPIC_API_KEY`. To pass a literal `@` as a value, escape it with `\@`:

```bash
ast blueprint deploy my-agent --var WEBHOOK_URL=\@
```

See [Deploy your first agent](/deploy-agent) for the full deployment flow.