Skip to main content
Your agent needs API keys to talk to LLMs, access external services, and do useful work. Secrets are how you give your agent those keys securely - they’re encrypted, never logged, and available to your agent as environment variables.
You can’t view secret values after saving them. Make sure you have your credentials stored somewhere safe before adding them here.
Image

Connect Your LLM Provider

This is the first thing you’ll do. Your agent needs at least one LLM provider connected to work. Go to agents.pinata.cloud/secrets. At the top you’ll see cards for supported providers:
  • Anthropic - Claude models (API key or Claude subscription)
  • OpenAI - GPT models (API key or Codex subscription)
  • OpenRouter - Access multiple providers through one API
  • Venice - Privacy-focused AI
Click Connect on whichever you use, paste your API key, and save. That’s the minimum you need to run an agent. Connected providers show a green “Connected” status on their card.
Anthropic and OpenAI also support subscription-based access (Claude and Codex subscriptions). These connect via OAuth instead of an API key.

Add Other Secrets

For any other API key, token, or credential your agent needs:
  1. Click New Secret (use the dropdown to choose between secret and variable)
  2. Enter a name (this becomes the environment variable, like TELEGRAM_BOT_TOKEN)
  3. Enter the value
  4. Save
Your agent can now access this as process.env.TELEGRAM_BOT_TOKEN (or the equivalent in Python).

Variables vs Secrets

Secrets are encrypted - use them for API keys, tokens, passwords. Variables are not encrypted - use them for non-sensitive config like feature flags or URLs. Select Variable from the New Secret dropdown if you don’t need encryption.

Importing from .env

Already have a .env file? Click Import .env file to add everything at once.

Give Your Agent Access

Secrets live in your vault, but you need to explicitly attach them to each agent that should use them. When creating an agent: You’ll add secrets in Step 3 (Connect). For existing agents: Open the agent → Secrets → click + ADD to attach from your vault. On the agent’s Secrets tab you’ll see your connected AI providers at the top (showing whether you’re using an API key or a subscription like Claude or Codex), followed by any other variables and secrets you’ve attached.
If you add or update a secret on a running agent, you’ll need to restart it for the change to take effect.

Updating and Removing

Click the menu on any secret to update or delete it. A few things to know:
  • You can’t delete a secret that’s still attached to an agent - detach it first
  • Updated secrets require an agent restart - each secret on the Danger page shows a “Synced” status so you can tell whether the running agent has picked up the latest value
  • There’s no way to view the current value (that’s the point)
  • Your Secrets Vault shows which agents each secret is attached to, so you can see at a glance where credentials are in use

Using the CLI

pinata agents secrets list                  # See your secrets
pinata agents secrets add <name> <value>    # Add one
pinata agents secrets delete <name>         # Remove one

How Secrets Are Protected

  • Encrypted at rest with AES-GCM
  • Unique key derived per user
  • Values never returned by the API
  • Injected as environment variables at runtime, never written to disk