Secrets

Manage workspace-scoped secrets without committing sensitive values to version control.

Overview

ElasticClaw stores secrets on ElasticClaw Server, scoped per workspace. Create them with the CLI, then reference them by name from elasticclaw-config.yaml or workflow YAML when an agent needs an environment variable.

Never commit real secret values to version control. Commit only the secret names referenced by your workspace and workflow YAML.

Create secrets

bash
elasticclaw secret create openai_api_key --workspace my-app --value "$OPENAI_API_KEY"
printf '%s' "$SLACK_BOT_TOKEN" | elasticclaw secret create slack_bot_token --workspace my-app
elasticclaw secret list --workspace my-app
elasticclaw secret rm slack_bot_token --workspace my-app

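Secret values are sent to ElasticClaw Server. secret list returns names only, never values. The second command above pipes the value on standard input instead of passing it with --value, which keeps the value out of the command's argument list, where process listings can expose it.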

Use secrets in workspaces

Use env in elasticclaw-config.yaml to inject a workspace secret into every agent created from that workspace:

yaml
# elasticclaw-config.yaml
env:
  NODE_ENV: production
  OPENAI_API_KEY:
    secret: openai_api_key
  MY_CUSTOM_KEY:
    secret: my_custom_key

Use secrets in workflows

Use secret_refs in workflow YAML for secrets needed only by that workflow:

yaml
# workflow.yaml
name: deploy-preview

secret_refs:
  SLACK_TOKEN: slack_bot_token
  DEPLOY_TOKEN: deploy_token

Configure Linear, Shortcut, and GitHub Issues tokens and webhook signing secrets in workspace issue tracker settings, not in workflow YAML.

Referencing secrets in MCP servers

MCP servers reference secrets through the secrets map configured with the MCP server in settings. Each key is the environment variable name and each value is the secret name.

yaml
mcp_servers:
  - name: github
    source: npx
    package: "@modelcontextprotocol/server-github"
    secrets:
      GITHUB_TOKEN: github_token
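
An added example, not part of ElasticClaw or its documentation: a pre-commit style check over parsed YAML that flags credential-looking env entries carrying an inline value instead of a secret: reference, and reports secret names referenced in env, secret_refs or mcp_servers that are absent from the names printed by elasticclaw secret list. It assumes these keys sit at the top level of the parsed document as in the snippets above; the SENSITIVE pattern, the function names and the sample values are constructed for illustration.

```python
import re

# Assumption: variable names matching this pattern are expected to hold credentials.
SENSITIVE = re.compile(r"(KEY|TOKEN|SECRET|PASSWORD)", re.I)

def referenced_secrets(doc):
    """Return {secret_name: [where it is referenced]} for one parsed YAML document."""
    refs = {}
    def add(name, where):
        refs.setdefault(name, []).append(where)
    for var, val in (doc.get("env") or {}).items():
        if isinstance(val, dict) and "secret" in val:
            add(val["secret"], f"env.{var}")
    for var, name in (doc.get("secret_refs") or {}).items():
        add(name, f"secret_refs.{var}")
    for srv in doc.get("mcp_servers") or []:
        for var, name in (srv.get("secrets") or {}).items():
            add(name, f"mcp_servers[{srv.get('name')}].secrets.{var}")
    return refs

def literal_credentials(doc):
    """Return env variable names that look sensitive but carry an inline value."""
    return sorted(var for var, val in (doc.get("env") or {}).items()
                  if SENSITIVE.search(var) and not isinstance(val, dict))

def audit(doc, known_names):
    """known_names: names as printed by `elasticclaw secret list` for the workspace."""
    refs = referenced_secrets(doc)
    return {
        "inline": literal_credentials(doc),  # values that would land in version control
        "missing": {n: w for n, w in refs.items() if n not in known_names},
        "unused": sorted(set(known_names) - set(refs)),  # not referenced in this document
    }

# Constructed sample: the page's snippets merged into one mapping, plus one inline value.
SAMPLE = {
    "env": {"NODE_ENV": "production",
            "OPENAI_API_KEY": {"secret": "openai_api_key"},
            "MY_CUSTOM_KEY": "sk-constructed-not-real"},
    "secret_refs": {"SLACK_TOKEN": "slack_bot_token", "DEPLOY_TOKEN": "deploy_token"},
    "mcp_servers": [{"name": "github", "secrets": {"GITHUB_TOKEN": "github_token"}}],
}

if __name__ == "__main__":
    # For real files (assumes PyYAML is installed): audit(yaml.safe_load(open(path)), names)
    print(audit(SAMPLE, {"openai_api_key", "slack_bot_token", "github_token", "old_key"}))
```

A non-empty "inline" list is the case the page warns against; "missing" entries point at references that no stored secret would satisfy.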

API endpoints

GET /api/workspaces/<workspace>/secrets — List secret names only

PUT /api/workspaces/<workspace>/secrets — Create or update a secret

DELETE /api/workspaces/<workspace>/secrets?name=<name> — Delete a secret