Subdirectory: credentials/ · Body: must be empty

Credentials carry no body — everything is in frontmatter. Secret values are never exported by pull. When you sync, supply the value from your environment via the ${ENV_VAR} placeholder so secrets stay out of git.

Frontmatter

| Field | Type | Required | Default | Description |
|---|---|---|---|---|
| org | string \| null | No | tenant | Organization name. Omit (or null) for tenant-scoped credentials available to every org. |
| name | string | Yes | | Identifier referenced by agents (in credential_config[].credential). |
| type | SECRET \| VAULT_PATH | Yes | | SECRET stores the encrypted value in 2501; VAULT_PATH references an external vault path. |
| value | string | When type=SECRET | | The secret itself. Use ${ENV_VAR} so the value is supplied at sync time and never lands in git. |
| vault_path | string | When type=VAULT_PATH | | The path in your external vault (e.g. secret/prod/db-password). |
| description | string \| null | No | null | Operator-facing note about what this credential is for. |
| is_agent_accessible | boolean | No | true | Whether agents may use this credential during tasks. Disable for credentials only the platform uses. |

Fields NOT supported

  • id, tenant_id, created_at, updated_at — system-set
  • The actual decrypted value on pull — intentionally never exported

Example: a SECRET credential

credentials/web-admin-password.mdx
---
org: platform-team
name: web-admin-password
type: SECRET
value: ${WEB_ADMIN_PASSWORD}
description: Sudo password for the web tier
---

At sync time, ${WEB_ADMIN_PASSWORD} is resolved from your shell or CI secret store.

Example: a VAULT_PATH credential

credentials/prod-db-password.mdx
---
org: platform-team
name: prod-db-password
type: VAULT_PATH
vault_path: secret/data/prod/db
description: Prod DB password — pulled at task time from HashiCorp Vault
---

Gotchas

  • pull is a one-way export of metadata only. Re-running pull will not fill in value — it stays out of git by design.
  • SECRET requires value at sync time. If ${WEB_ADMIN_PASSWORD} is unset in the environment, sync rejects the credential. Pre-existing credentials with a value already on the platform are not overwritten by an empty placeholder — sync skips the field rather than wiping it.
  • Body must be empty. Putting anything in the MDX body fails validation. The value goes in frontmatter only.
  • Tenant scoping matters for provider keys. A credential referenced by a Provider’s API Key Var Name must be tenant-scoped (org unset or null).
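
A pre-commit or CI check for the frontmatter rules and gotchas above, as an added example that is not part of the original documentation and is not the platform's own validator. It flags a non-empty body, missing type-dependent fields, system-set fields, and any value that is a literal instead of a ${ENV_VAR} placeholder. Assumptions: the names split_frontmatter and lint_credential are hypothetical, the parser handles only flat key: value frontmatter, the placeholder-only rule is a stricter local policy, and the BAD sample is constructed.

```python
import re

# Matches a value that is exactly one ${ENV_VAR} placeholder.
PLACEHOLDER = re.compile(r"^\$\{[A-Za-z_][A-Za-z0-9_]*\}$")
SYSTEM_FIELDS = {"id", "tenant_id", "created_at", "updated_at"}

def split_frontmatter(text):
    """Split a credential file into (fields, body). Flat 'key: value' lines only."""
    lines = text.splitlines()
    if not lines or lines[0].strip() != "---":
        raise ValueError("missing opening '---'")
    end = next((i for i in range(1, len(lines)) if lines[i].strip() == "---"), None)
    if end is None:
        raise ValueError("missing closing '---'")
    fields = {}
    for line in lines[1:end]:
        if line.strip():
            key, _, val = line.partition(":")
            fields[key.strip()] = val.strip().strip("'\"")
    return fields, "\n".join(lines[end + 1:])

def lint_credential(text):
    """Return a list of findings; an empty list means the file passed."""
    fields, body = split_frontmatter(text)
    findings = []
    if body.strip():
        findings.append("body must be empty")
    if not fields.get("name"):
        findings.append("name is required")
    for key in sorted(SYSTEM_FIELDS & fields.keys()):
        findings.append(f"{key} is system-set")
    ctype = fields.get("type")
    if ctype not in ("SECRET", "VAULT_PATH"):
        findings.append("type must be SECRET or VAULT_PATH")
    if ctype == "SECRET" and not fields.get("value"):
        findings.append("SECRET requires value")
    if ctype == "VAULT_PATH" and not fields.get("vault_path"):
        findings.append("VAULT_PATH requires vault_path")
    # Local policy (assumption): any value present must be a placeholder.
    if fields.get("value") and not PLACEHOLDER.match(fields["value"]):
        findings.append("value is a literal, not a ${ENV_VAR} placeholder")
    return findings

# Constructed sample: a literal secret and a non-empty body, both flagged.
BAD = "---\nname: web-admin-password\ntype: SECRET\nvalue: hunter2-constructed\n---\nnotes here\n"
# Same fields as the VAULT_PATH example on this page.
GOOD = "---\norg: platform-team\nname: prod-db-password\ntype: VAULT_PATH\nvault_path: secret/data/prod/db\n---\n"

if __name__ == "__main__":
    for label, text in (("BAD", BAD), ("GOOD", GOOD)):
        print(label, lint_credential(text) or "ok")
```

Run it over every file under credentials/ before commit and fail the job when any list is non-empty.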