> ## Documentation Index
> Fetch the complete documentation index at: https://docs.amika.dev/llms.txt
> Use this file to discover all available pages before exploring further.

# Secrets

> Scope model, generic vs provider secrets, and the secret command surface.

Amika stores two kinds of secrets in the vault. This page is the reference;
for a walkthrough see [Manage secrets](/guides/manage-secrets).

## Generic vs provider secrets

|         | Generic secrets                                                | Provider secrets                                            |
| ------- | -------------------------------------------------------------- | ----------------------------------------------------------- |
| What    | Arbitrary `KEY=VALUE` pairs                                    | Claude / Codex credentials                                  |
| Used by | `.amika/config.toml` `{ secret = "name" }`, `--secret env:...` | Auto-injected agent credentials                             |
| Create  | `amika secret push`, `createSecret`                            | `amika secret claude\|codex push`, `createProviderSecret`   |
| List    | `amika secret` (web UI), `listSecrets`                         | `amika secret claude\|codex list`, `listProviderSecrets`    |
| Update  | `updateSecret(id, { value })`                                  | re-push                                                     |
| Delete  | **Not supported** (see below)                                  | `amika secret claude\|codex delete`, `deleteProviderSecret` |

<Warning>
  There is no delete endpoint for generic secrets. They can be created,
  listed, and updated, but not removed once pushed. Provider secrets
  (Claude / Codex) **can** be deleted.
</Warning>

## Scope model

Generic secrets and extracted secrets carry a scope:

| Scope            | Visibility                      |
| ---------------- | ------------------------------- |
| `user` (default) | Private to you                  |
| `org`            | Visible to everyone in your org |

```bash theme={null}
amika secret push API_KEY=sk-... --scope org
```

## `amika secret push`

Push generic secrets from inline arguments, environment variables, or a
`.env` file.

```bash theme={null}
amika secret push ANTHROPIC_API_KEY=sk-ant-xxx
amika secret push --from-env ANTHROPIC_API_KEY,OPENAI_API_KEY
amika secret push --from-file .env
```

| Flag                 | Default | Description                                    |
| -------------------- | ------- | ---------------------------------------------- |
| `--from-env <keys>`  |         | Comma-separated env var names to read and push |
| `--from-file <path>` |         | Path to a `.env` file with `KEY=VALUE` lines   |
| `--scope <scope>`    | `user`  | `user` (private) or `org` (org-visible)        |

When multiple sources are used, positional arguments override `--from-file`
values, and `--from-env` overrides both.

## `amika secret extract`

Discover locally stored credentials and optionally push them to the vault.
Shares its discovery logic with [`amika auth extract`](/reference/auth#local-credential-discovery).

```bash theme={null}
amika secret extract
amika secret extract --push
amika secret extract --push --only ANTHROPIC_API_KEY,OPENAI_API_KEY
```

| Flag               | Default | Description                                |
| ------------------ | ------- | ------------------------------------------ |
| `--push`           | `false` | Push discovered secrets after confirmation |
| `--only <keys>`    |         | Comma-separated names to include           |
| `--scope <scope>`  | `user`  | `user` or `org`                            |
| `--homedir <path>` |         | Override home directory for discovery      |
| `--no-oauth`       | `false` | Skip OAuth credential sources              |

## `amika secret claude` / `amika secret codex`

Manage provider credentials. Both share the same shape; only the provider
segment differs.

### `push`

```bash theme={null}
# Auto-detect OAuth (preferred)
amika secret claude push --type oauth

# API key
amika secret claude push --type api_key --value sk-ant-xxx

# From a file
amika secret codex push --from-file ~/.codex/auth.json
```

| Flag                 | Default | Description                                  |
| -------------------- | ------- | -------------------------------------------- |
| `--name <label>`     |         | Human-readable label (prompted if omitted)   |
| `--value <string>`   |         | Credential value (skips discovery)           |
| `--from-file <path>` |         | Path to a credentials file (skips discovery) |
| `--type <type>`      | `oauth` | `oauth` or `api_key`                         |

`--value` and `--from-file` are mutually exclusive.

### `list` / `delete`

```bash theme={null}
amika secret claude list           # columns: ID, NAME, TYPE
amika secret claude delete <id>

amika secret codex list
amika secret codex delete <id>
```

## SDK equivalents

```ts theme={null}
// Generic
await amika.createSecret({ name, value, scope });
await amika.listSecrets();
await amika.updateSecret(id, { value });

// Provider ("claude" or "codex")
await amika.createProviderSecret("claude", { name, value, type: "oauth" });
await amika.listProviderSecrets("claude");
await amika.deleteProviderSecret("claude", id);
```

See the [client reference](/sdks/typescript/client#secrets) for full
signatures.

## Related docs

* [Manage secrets](/guides/manage-secrets) — task walkthrough
* [Inject credentials](/guides/inject-credentials) — wire secrets into sandboxes
* [Authentication](/reference/auth) — login and credential discovery
* [config.toml](/reference/config-toml) — `{ secret = "name" }` references
