AI makes mistakes! Undisk makes recovery instant: every write is versioned, every file is reversible.
See it heal →

Workspace Secrets (vault_secret)

The vault_secret tool provides a first-class primitive for storing API keys, tokens, PEM files, and other sensitive values — separate from the file namespace. Secrets are encrypted at rest (AES-256-GCM, per-workspace key) and never appear in file listings, search results, browser URLs, diffs, or audit log plaintext.
Web UI for users: workspace owners and members can sign in to the Undisk app and manage secrets on the web at /vault/<workspaceId> — add, rotate, or delete secrets without involving an agent. Plaintext values are never displayed in the UI. Agents continue to read secrets via the vault_secret MCP tool with action: "get" (and reveal: true when the value must enter the model context).

Actions

ActionDescription
putStore or update a secret. Use mode: "create" to fail if exists, or "upsert" (default).
getRetrieve a secret. Returns masked value by default. Set reveal: true and provide purpose for plaintext.
listList all accessible secrets (metadata only, no values).
rotateUpdate the value of an existing secret, incrementing its version.
deletePermanently delete a secret (not soft-delete — old values are irrecoverable).

Example: Store an OpenAI key

vault_secret({
  "action": "put",
  "name": "openai/default_api_key",
  "value": "sk-proj-...",
  "mode": "create",
  "allowedAgentIds": ["agent_research", "agent_builder"],
  "description": "Default OpenAI API key for workspace agents"
})

Example: Retrieve it later

vault_secret({
  "action": "get",
  "name": "openai/default_api_key",
  "reveal": true,
  "purpose": "Call OpenAI API for summarization task"
})

Security properties

  • Encrypted at rest — per-workspace AES-256-GCM key derived from workspace identity
  • Not part of file namespace — never appears in list_files, search_files, or browser_url
  • Plaintext never in audit logs — audit entries record only metadata and SHA-256 fingerprint
  • Access control — optional allowedAgentIds restricts which agents can read the secret
  • Expiration — optional expiresAt (RFC 3339) makes the secret inaccessible after that time
  • Reveal requires purposeget with reveal: true requires a purpose string recorded in the audit trail
  • ⚠️ Reveal exposes plaintext to LLM context — when reveal: true is used, the decrypted secret value is returned in the MCP tool response, which means it enters the agent’s context window. This is by design (agents need the secret to make API calls), but be aware that the value may appear in LLM provider logs depending on your provider’s data retention policy. Use allowedAgentIds to limit which agents can request reveal.
  • No version history — old secret values are overwritten, not retained (unlike files)
  • 64 KiB size cap — designed for keys and tokens, not arbitrary blobs

Parameters

ParameterTypeRequiredNotes
action"put" | "get" | "list" | "rotate" | "delete"yesOperation to perform
namestringexcept listLogical secret name, e.g. openai/default_api_key
valuestringfor put/rotateSecret value
encoding"utf-8" | "base64"noDefault utf-8; use base64 for binary blobs
mode"create" | "upsert"noFor put; default upsert
allowedAgentIdsstring[]noIf omitted, all agents can access
descriptionstringnoHuman-readable note
tagsstring[]noOptional labels
expiresAtstring (RFC 3339)noAuto-expire
revealbooleannoFor get; default false
purposestringwhen reveal=trueRequired audit reason for plaintext retrieval