Generic secrets are scoped to your user (user) or your org (org).
# Inline KEY=VALUEamika secret push DATABASE_URL=postgres://...# From specific env vars on your shellamika secret push --from-env DATABASE_URL,REDIS_URL# From a .env fileamika secret push --from-file .env# Org-scoped (visible to your whole org)amika secret push API_KEY=sk-... --scope org
The server does not expose a deleteSecret endpoint for generic
secrets. You can create, list, and update them, but you can’t delete one
once it’s been pushed. Provider secrets (Claude / Codex) can be
deleted.
Pushed Claude credentials are auto-injected into new sandboxes — no
in-sandbox login required.
# Auto-detect and push an OAuth credential (preferred)amika secret claude push --type oauth# Push an API keyamika secret claude push --type api_key# From a specific credentials fileamika secret claude push --from-file ~/.claude/.credentials.json# Or pass the value inlineamika secret claude push --type api_key --value sk-ant-...
The CLI ships an extractor that scans your filesystem for Claude, Codex,
OpenCode, and Amp credentials and either prints them or pushes them
straight to the vault.
# Print what was discoveredamika secret extract# Push everything that was discovered, after confirmationamika secret extract --push# Push only specific keysamika secret extract --push --only ANTHROPIC_API_KEY,OPENAI_API_KEY# Skip OAuth sourcesamika secret extract --no-oauth
# Generic secrets — list only (no delete in CLI today)# Use the web UI to inspect generic secrets.# Provider secretsamika secret claude listamika secret claude delete <id>amika secret codex listamika secret codex delete <id>
