Anything that would be a bad idea to type into a chat — API keys, OAuth tokens, certs, DB URLs — goes in the Secrets Manager. Cosmos exports them into the Expert VM at boot. They’re encrypted on disk and stripped from logs.
Secrets are how you set environment variables for cloud agents. There is no separate env var feature for cloud-agent VMs — every secret in scope is automatically exported as a shell variable in the VM. Environment-scoped environment variables (set on the Environment itself) are for non-sensitive defaults only (e.g. NODE_ENV=development) and are shared with every user of that environment.
Where to Find It
The Secrets Manager lives in the sidebar under Configuration → Secrets. You can add, edit, delete, and search secrets from there. Values are write-only — once saved, you cannot read them back. Rotating means editing and pasting the new value.
Scopes
When you create a secret, choose its visibility:
| Scope | Visibility |
|---|---|
| Private | Only your sessions can read it. |
| Shared | Visible to all members of your organization. |
If a secret with the same name exists in both Private and Shared scope, your sessions read the Private one.
Creating a Secret
- Go to Configuration → Secrets in the sidebar.
- Click + Add Secret.
- Fill in:
  - Name — normalized to upper-snake-case to form the exported variable name (e.g. openai-api-key is exported as OPENAI_API_KEY).
  - Value — the secret value. Pasted in once and never shown again.
  - Visibility — Private or Shared.
  - Automatically install in VMs — leave on so the secret is auto-exported as an environment variable in every Expert VM in scope. Turn it off to keep the secret in storage but skip auto-injection.
- Click Create Secret.
The new secret appears in the list and is available to sessions on their next VM boot.
Auto-Injection into VMs
By default, every in-scope secret with Automatically install in VMs enabled is exported as a shell variable on VM boot. The exported variable name is the upper-snake-case of the secret name:
| Secret name | Exported as |
|---|---|
| openai-api-key | $OPENAI_API_KEY |
| pagerduty.token | $PAGERDUTY_TOKEN |
| db_url | $DB_URL |
To verify a secret is available, start a new session and prompt: “Check whether $OPENAI_API_KEY is set in this workspace.” Ask whether the variable is set rather than for its value, so the secret itself never ends up in the conversation.
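The name mapping and the presence check above, as an added shell example that is not part of the Cosmos documentation or product. The function names (`secret_env_name`, `check_secret`, `check_secrets`) are mine, the normalization rule is inferred from the three rows of the table, and the script assumes a Linux VM with coreutils (`printenv`, `sha256sum`). It reports whether each expected variable is present, its length and a short fingerprint, but never prints the value, so its output is safe to paste back into a session or a ticket.

```shell
#!/usr/bin/env bash
# Added example, not part of the Cosmos docs or product: derive the variable
# name Cosmos exports for a Secrets Manager secret (upper-snake-case, as in the
# table above) and check that it is present in this VM's environment without
# ever printing the value.

set -u

# secret_env_name <secret-name>
# Uppercases the name and collapses every run of characters other than A-Z/0-9
# into one underscore: openai-api-key -> OPENAI_API_KEY,
# pagerduty.token -> PAGERDUTY_TOKEN, db_url -> DB_URL.
# How Cosmos treats names that are not valid identifiers (e.g. a leading digit)
# is not documented on this page and is not handled here.
secret_env_name() {
  printf '%s' "$1" \
    | tr '[:lower:]' '[:upper:]' \
    | sed -E 's/[^A-Z0-9]+/_/g; s/^_+//; s/_+$//'
}

# check_secret <secret-name>
# Returns 0 if the derived variable is exported and non-empty, 1 otherwise.
# Prints only the mapping, the value's length and a 12-hex-digit SHA-256
# fingerprint: enough to confirm two sessions got the same value, never the
# value itself.
check_secret() {
  local name="$1" var val fp
  var="$(secret_env_name "$name")"
  # printenv exits non-zero when the variable is absent; keep going and treat
  # that as an empty value.
  val="$(printenv "$var" || true)"
  if [ -z "$val" ]; then
    printf 'MISSING  %s -> $%s\n' "$name" "$var"
    return 1
  fi
  fp="$( { printf '%s' "$val" | sha256sum 2>/dev/null || echo "n/a"; } | cut -c1-12)"
  printf 'OK       %s -> $%s (%d chars, sha256 %s)\n' "$name" "$var" "${#val}" "$fp"
  return 0
}

# check_secrets <secret-name>...
# Checks every name in turn; returns 1 if any of them is missing.
check_secrets() {
  local rc=0 n
  for n in "$@"; do
    check_secret "$n" || rc=1
  done
  return "$rc"
}

# Usage inside an Expert VM (secret names taken from the table above):
#   check_secrets openai-api-key pagerduty.token db_url
```

Run it right after a VM boot to confirm that every secret you expect was injected; a MISSING line usually means the secret is out of scope for this session or has Automatically install in VMs turned off.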
Secrets vs Environment Variables
| Concern | Secrets Manager | Environment variables on an Environment |
|---|---|---|
| API keys, tokens, credentials | ✅ | ❌ — values are committed into the environment’s version history |
| Per-user values | ✅ (Private) | ❌ — same value for everyone using the environment |
| Public defaults (paths, feature flags) | Possible | ✅ |
| Auto-exported as $FOO in VM shell | ✅ | ✅ |
Rule of thumb: sensitive or per-user → Secrets Manager; public/shared defaults tied to an environment → environment variables on the Environment.
Limits and Lifecycle
- Versioning — each secret has an opaque version; saving a new value rotates it.
- Rotation — there is no built-in scheduler. Rotate by editing the secret and entering the new value; since secrets are exported at VM boot, the new value reaches sessions on their next boot.
- Deletion — deleting a secret removes it from future VM boots; existing running sessions keep the value already exported.
- Revocation — neither rotating nor deleting a secret here invalidates the old credential with the service that issued it. If a value may have leaked, revoke it at the issuer as well.