Skip to main content
Amika has two kinds of secrets:
  • Generic secrets — arbitrary KEY=VALUE pairs you can reference from .amika/config.toml or inject as sandbox env vars.
  • Provider secrets — Claude Code / Codex credentials that get auto-injected into sandboxes so the agent runs without re-authenticating.
This guide covers both.

Prerequisites

  • The CLI logged in (amika auth login), or an Amika API key for the SDK.
  • For Claude / Codex pushes: the relevant credentials available on your local machine (config files, keychain, or in your environment).

Push a generic secret

Generic secrets are scoped to your user (user) or your org (org).
The server does not expose a deleteSecret endpoint for generic secrets. You can create, list, and update them, but you can’t delete one once it’s been pushed. Provider secrets (Claude / Codex) can be deleted.

Push a Claude credential

Pushed Claude credentials are auto-injected into new sandboxes — no in-sandbox login required.

Push a Codex credential

Same shape as Claude — only the provider segment changes.

Extract local credentials (CLI only)

The CLI ships an extractor that scans your filesystem for Claude, Codex, OpenCode, and Amp credentials and either prints them or pushes them straight to the vault.
See Reference — Secrets for the full source-priority table.

List and delete

Next steps

Inject credentials into a sandbox

Secrets reference

Repository configuration