> ## Documentation Index
> Fetch the complete documentation index at: https://docs.amika.dev/llms.txt
> Use this file to discover all available pages before exploring further.

# Manage secrets

> Store API keys, OAuth credentials, and agent secrets in the Amika vault.

Amika has two kinds of secrets:

* **Generic secrets** — arbitrary `KEY=VALUE` pairs you can reference from
  `.amika/config.toml` or inject as sandbox env vars.
* **Provider secrets** — Claude Code / Codex credentials that get
  auto-injected into sandboxes so the agent runs without re-authenticating.

This guide covers both.

## Prerequisites

<Note>
  * The CLI logged in (`amika auth login`), or an Amika API key for the SDK.
  * For Claude / Codex pushes: the relevant credentials available on your local
    machine (config files, keychain, or in your environment).
</Note>

## Push a generic secret

Generic secrets are scoped to your user (`user`) or your org (`org`).

<CodeGroup>
  ```bash CLI theme={null}
  # Inline KEY=VALUE
  amika secret push DATABASE_URL=postgres://...

  # From specific env vars on your shell
  amika secret push --from-env DATABASE_URL,REDIS_URL

  # From a .env file
  amika secret push --from-file .env

  # Org-scoped (visible to your whole org)
  amika secret push API_KEY=sk-... --scope org
  ```

  ```ts TypeScript theme={null}
  await amika.createSecret({
    name: "DATABASE_URL",
    value: "postgres://...",
    scope: "user", // or "org"
  });
  ```
</CodeGroup>

<Warning>
  The server does **not** expose a `deleteSecret` endpoint for generic
  secrets. You can create, list, and update them, but you can't delete one
  once it's been pushed. Provider secrets (Claude / Codex) **can** be
  deleted.
</Warning>

## Push a Claude credential

Pushed Claude credentials are auto-injected into new sandboxes — no
in-sandbox login required.

<CodeGroup>
  ```bash CLI theme={null}
  # Auto-detect and push an OAuth credential (preferred)
  amika secret claude push --type oauth

  # Push an API key
  amika secret claude push --type api_key

  # From a specific credentials file
  amika secret claude push --from-file ~/.claude/.credentials.json

  # Or pass the value inline
  amika secret claude push --type api_key --value sk-ant-...
  ```

  ```ts TypeScript theme={null}
  const claudeSecret = await amika.createProviderSecret("claude", {
    name: "personal-oauth",
    value: '{"claudeAiOauth":{...}}',
    type: "oauth", // or "api_key"
  });
  ```
</CodeGroup>

## Push a Codex credential

Same shape as Claude — only the provider segment changes.

<CodeGroup>
  ```bash CLI theme={null}
  amika secret codex push --type oauth

  # API key
  amika secret codex push --type api_key --value sk-...
  ```

  ```ts TypeScript theme={null}
  await amika.createProviderSecret("codex", {
    name: "personal-codex",
    value: "sk-...",
    type: "api_key",
  });
  ```
</CodeGroup>

## Extract local credentials (CLI only)

The CLI ships an extractor that scans your filesystem for Claude, Codex,
OpenCode, and Amp credentials and either prints them or pushes them
straight to the vault.

```bash theme={null}
# Print what was discovered
amika secret extract

# Push everything that was discovered, after confirmation
amika secret extract --push

# Push only specific keys
amika secret extract --push --only ANTHROPIC_API_KEY,OPENAI_API_KEY

# Skip OAuth sources
amika secret extract --no-oauth
```

See [Reference — Secrets](/reference/secrets) for the full source-priority
table.

## List and delete

<CodeGroup>
  ```bash CLI theme={null}
  # Generic secrets — list only (no delete in CLI today)
  # Use the web UI to inspect generic secrets.

  # Provider secrets
  amika secret claude list
  amika secret claude delete <id>

  amika secret codex list
  amika secret codex delete <id>
  ```

  ```ts TypeScript theme={null}
  // Generic secrets
  const all = await amika.listSecrets();
  await amika.updateSecret(all[0].id, { value: "new-value" });
  // No deleteSecret — see warning above.

  // Provider secrets
  const claudeSecrets = await amika.listProviderSecrets("claude");
  await amika.deleteProviderSecret("claude", claudeSecrets[0].id);
  ```
</CodeGroup>

## Next steps

<CardGroup>
  <Card title="Inject credentials into a sandbox" href="/guides/inject-credentials" icon="syringe" />

  <Card title="Secrets reference" href="/reference/secrets" icon="book" />

  <Card title="Repository configuration" href="/reference/repository-configuration" icon="folder-tree" />
</CardGroup>
