ViberglassViberglassDocs
← Back to site

Secrets

Secrets pass API keys, tokens, and other credentials into worker containers at job time. Manage them from Platform → Secrets.

Adding a secret

Click Add Secret. The form asks for:

  • Name — uppercase with underscores, just like an environment variable. The same name is what you tick when attaching the secret to a clanker, task template, or integration credential.
  • Value — the actual secret. For new secrets, type the value once. For rotation, see below.
  • Storage location — SSM, database (encrypted), or env. SSM is the default in production.

When you save, Viberglass writes the value to the chosen store and registers the metadata in the platform database. The actual secret value is never displayed afterwards — only the reference path.

Using a secret

A secret on its own does nothing. To use it, attach it to one of:

  • A clanker. Open Clankers, edit the clanker, and tick the secret in the Secrets group. When the clanker runs, the secret is injected as an environment variable.
  • A task template. Open the template in the project's Claws page and tick the secret in the Credentials list. The secret is added to the worker on top of the clanker's own secrets.
  • An integration credential. Open the integration's detail page (Platform → Integrations → pick one) and create a credential that points at the secret. SCM integrations use this for git authentication.

A clanker run that needs three secrets — for example ANTHROPIC_API_KEY, GITHUB_TOKEN, and MINIMAX_API_KEY — picks them up from any of the above sources and merges them into the worker's environment.

Rotation

To rotate a secret:

  1. Open Secrets.
  2. Click the secret name (or its edit icon).
  3. Type the new value into the value field.
  4. Save.

Workers started after the rotation pick up the new value immediately because they re-read the parameter store on each run. Workers already running keep the old value until they finish.

For SSM-backed secrets you can also rotate the parameter directly through the AWS console; the platform will read the latest version on the next run.

Deleting a secret

Deleting a secret removes it from the store. Any clankers that referenced it will fail on their next run, so make sure nothing active depends on it before deleting.

Security model

  • Secrets in SSM are encrypted at rest with AWS KMS.
  • Secrets in the database are encrypted with AES-256 using SECRETS_ENCRYPTION_KEY.
  • Secret values are never logged, never returned in API responses, and never displayed in the UI after creation.
  • The reference path (/viberator/secrets/...) is safe to share; only IAM-permitted services can fetch the underlying value.

For the deeper view — including SSM parameter naming conventions and KMS key configuration — see the admin guide on Secrets Management.

Next
Integrations