agentstack secrets

Synopsis

agentstack secrets <subcommand> [options]

Description

The secrets command manages secret values such as API keys and tokens outside the canonical profile.

In the current model, your profile stores references such as MCP env_refs, while the secret values live in the local secrets store.

Subcommands

Subcommand	Description
set <name> <value>	Store a secret value
get <name>	Retrieve a secret value
delete <name>	Remove a secret
list	List stored secret names (never values)

Options

Flag	Type	Default	Description
--backend <backend>	file|darwin-keychain	platform-dependent	Storage backend

Examples

Store secret values

agentstack secrets set GITHUB_TOKEN ghp_xxxxxxxxxxxx
agentstack secrets set OPENAI_API_KEY sk-xxxxxxxxxxxx

List secret names

agentstack secrets list

Read a secret

agentstack secrets get GITHUB_TOKEN

Delete a secret

agentstack secrets delete OLD_API_KEY

Use macOS Keychain backend

agentstack secrets set GITHUB_TOKEN ghp_xxx --backend darwin-keychain

Referencing secrets from the current schema

In the current v3 manifest, MCP entries reference required environment variable names via env_refs:

agentstack.yaml — MCP env refs

profile:
  mcp_servers:
    - id: github
      transport: stdio
      command: npx
      args:
        - -y
        - '@modelcontextprotocol/server-github'
      env_refs:
        - GITHUB_TOKEN
      enabled: true

Notes

Caution

Keep secret values out of agentstack.yaml. The manifest should name required env vars, while the actual values stay in the secrets store on each machine.

Tip

On macOS, --backend darwin-keychain is usually the best default.