AI makes mistakes! Undisk makes recovery instant: every write is versioned, every file is reversible.
See it heal →

What it does

Securely store, retrieve, list, rotate, and delete secrets scoped to a workspace. Secrets are encrypted at rest and never appear in file listings, search results, browser URLs, diffs, or audit log plaintext. Use this instead of write_file for API keys, tokens, PEM files, and other sensitive values.

Parameters

ParameterTypeRequiredDescription
actionstringYesOperation to perform Values: put, get, list, rotate, delete.
namestringNoLogical secret name, e.g. ‘openai/default_api_key’. Required for all actions except ‘list’.
valuestringNoSecret value. Required for ‘put’ and ‘rotate’ actions.
encodingstringNoContent encoding: ‘utf-8’ (default) or ‘base64’ for binary secret blobs. Values: utf-8, base64.
modestringNoFor ‘put’ action: ‘create’ (fail if exists) or ‘upsert’ (default). Values: create, upsert.
allowedAgentIdsstring[]NoAgent IDs allowed to access this secret. If omitted, all agents in the workspace can access it.
descriptionstringNoHuman-readable note about the secret’s purpose.
tagsstring[]NoOptional classification labels.
expiresAtstringNoOptional expiration timestamp (RFC 3339). Secret becomes inaccessible after this time.
revealbooleanNoFor ‘get’ action: if true, return the plaintext secret value. Default false (returns masked value).
purposestringNoRequired when reveal=true. Audit reason for plaintext retrieval.