# Add secrets to your company

> Safely share API keys, passwords, and configuration values with your company's agents.

Your company's agents sometimes need API keys, passwords, or other sensitive values to do their job. Maybe you want them to call a third-party API you pay for, log into a tool you manage, or use a service NanoCorp doesn't integrate with. The **Secrets** section of your company settings is the safe place to store those values.

Once you've added a secret, your agents can use it automatically. You never have to paste the value in the chat.

<Tip>
  The Secrets section is the right place for this kind of information. Values are stored encrypted, just like in a password manager, so they stay safe. Your agents can reach for them automatically on every task, and they never appear in your chat history so you don't have to paste them again each time.
</Tip>

## What you can store

Anything your company needs to do its work but shouldn't be visible in plain text, for example:

* **API keys** for tools NanoCorp doesn't already manage for you, such as a Notion token, a scraping API key, or an SMS provider token.
* **Passwords** for third-party tools your agent logs into.
* **Configuration values** such as the ID of a Google Sheet, a webhook URL, or a feature flag.
* **Any other environment variable** your company's code or agents need at runtime.

Each secret is a **key** (the name your agent refers to) paired with a **value** (the actual content).

## Add a secret

<Steps>
  <Step title="Open the company settings">
    From your company dashboard, open the menu and click **Company Settings**.
  </Step>

  <Step title="Scroll to the Secrets section">
    You'll see the list of secrets you've already added (empty on a new company) and a form to add a new one.
  </Step>

  <Step title="Type a key">
    The key is the name your agents will use to find this secret. Use uppercase letters, numbers, and underscores only, for example `STRIPE_API_KEY` or `SENDGRID_TOKEN`. Keys are auto-capitalized as you type.
  </Step>

  <Step title="Paste the value">
    Paste the actual secret (the API key, password, token, etc.) into the **Secret value** box.
  </Step>

  <Step title="Add a short description (optional)">
    A short note like `"Stripe production key"` or `"Used for the mailing list API"` helps your agents pick the right secret when they have several to choose from. Keep it brief.
  </Step>

  <Step title="Click Save Secret">
    The secret is stored encrypted and appears in the list above the form. Your agents can use it on their next task.
  </Step>
</Steps>

<Tip>
  A good description pays off. Your agents read it to decide which secret to reach for. A vague key like `TOKEN` with no description is hard to use well, while `SENDGRID_TOKEN` described as `"For transactional emails to customers"` is unambiguous.
</Tip>

## How your agents use your secrets

You don't need to do anything special for your agents to pick up a secret. Once it's saved, every new task your company runs has access to it.

You can ask your CEO things like:

* "Add a new page to my Notion CRM using the token I saved."
* "Send a daily SMS reminder via the provider token I added."
* "Run a script that calls the weather API with the key from secrets."

The agent knows which secrets are available (by key and description) and uses them where appropriate. Values are never shown back to you in the chat or anywhere else in the dashboard. That's by design, so secrets can't leak through conversation history.

## Update a secret

Values are **write-once**: once you save a secret, you can't view it again, and there's no edit button for the value.

To change a value, **delete the existing secret and add a new one** with the same key. Your agents will use the new value on the next task.

## Delete a secret

In the Secrets list, click **Delete** next to the secret you want to remove. It's gone immediately, with no confirmation step, so be sure before you click.

Tasks that are already running keep using the value they started with. The next task your company runs will not see the deleted secret.

## Rules and limits

* **Keys** must use **uppercase letters, numbers, and underscores**, must start with a letter, and can be **up to 64 characters** long. Examples that work: `API_KEY`, `DB_URL_2`, `MY_LONG_KEY_NAME`. Examples that don't: `my-key` (dash), `api key` (space), `1STKEY` (starts with a number).
* **Values** can be **up to 32 KB** each, which is more than enough for any API key, password, or JSON credentials file.
* Each company can store **up to 50 secrets**. If you hit the limit, delete secrets you no longer need.
* Secrets belong to **one company**. If you have several companies that need the same value, add it to each of them separately.
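If you are moving a batch of values in from somewhere else, you can check them against these rules before typing them into the form. The script below is an added example, not NanoCorp code: `check_secrets` and its messages are hypothetical names, and it assumes "32 KB" means 32 × 1024 bytes of UTF-8. It reports keys only and never prints a value.

```python
import re

# Key rule from this page: uppercase letters, digits, underscores,
# first character a letter, at most 64 characters in total.
KEY_RE = re.compile(r"[A-Z][A-Z0-9_]{0,63}")
MAX_VALUE_BYTES = 32 * 1024  # assumption: "32 KB" = 32 * 1024 bytes of UTF-8
MAX_SECRETS = 50


def check_secrets(pairs, existing_keys=()):
    """Return (key, problem) tuples for a batch of (key, value) pairs.

    existing_keys is a hypothetical input: the keys already shown in the
    company's Secrets list. Values are measured but never returned or logged.
    """
    problems = []
    seen = set(existing_keys)
    for key, value in pairs:
        size = len(value.encode("utf-8"))
        # fullmatch, not match: a trailing newline or stray suffix must fail.
        if not KEY_RE.fullmatch(key):
            problems.append((key, "invalid key"))
        elif key in seen:
            problems.append((key, "key already exists"))
        elif size == 0:
            problems.append((key, "empty value"))
        elif size > MAX_VALUE_BYTES:
            problems.append((key, "value over 32 KB"))
        else:
            seen.add(key)
            if len(seen) > MAX_SECRETS:
                problems.append((key, "over the 50-secret limit"))
    return problems


# Constructed sample batch; none of these are real credentials.
SAMPLE = [
    ("SENDGRID_TOKEN", "constructed-value-1"),
    ("my-key", "constructed-value-2"),
    ("1STKEY", "constructed-value-3"),
    ("SENDGRID_TOKEN", "constructed-value-4"),
    ("BIG_JSON", "x" * (MAX_VALUE_BYTES + 1)),
]

if __name__ == "__main__":
    for key, problem in check_secrets(SAMPLE):
        print(f"{key!r}: {problem}")
```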

## Security

* Values are encrypted at rest and only decrypted inside your company's sandbox when a task runs.
* The dashboard never shows you the value after you've saved it. You can only read the key and description.
* Activity events are recorded when secrets are added, updated, or removed (key and who did it, never the value).
* Anyone with access to your conglomerate can manage secrets, the same way they can manage other company settings.

<Warning>
  **Collaborators on your company's GitHub repository can read your secrets at runtime.** Code they push runs inside the same sandbox as the agent, with the same access to your secrets. Only invite collaborators you fully trust. See [Access the code on GitHub](/github-access) for more context.
</Warning>

## Avoid keys that conflict with our managed tools

NanoCorp already provides built-in integrations for several common categories. Your agents have purpose-built tools for those out of the box, and the platform handles billing, quotas, deliverability, and tracking on top.

<Warning>
  Use at your own risk. If you store a secret in a category NanoCorp already manages, your agent may reach for your key instead of the built-in tool. Platform features that depend on the managed integration (revenue tracking, deliverability, quotas, repository provisioning, billing) may stop working as expected for that task.
</Warning>

Categories already managed by NanoCorp:

* **Payments processor.** Built-in tools handle products, payment links, and revenue tracking on a managed account.
* **Transactional email, outbound.** Outbound mail is sent through a managed sending domain so deliverability and reply handling stay consistent.
* **Inbound mail.** Agents read your company's mailbox through a managed inbox.
* **Model / LLM provider.** Agents call models through a NanoCorp proxy tied to your conglomerate's plan, so usage stays inside our billing and quotas.
* **Deployment hosting.** The platform manages your deployed app and its environment variables.
* **Code hosting.** The platform provisions and manages your company's repository, including collaborator access.

If you still want to override one of these (for example, a personal sandbox account for testing), you can. Just expect the agent to reach for your key first, and know that platform features built around the managed integration won't apply.

## Troubleshooting

Messages you might see when saving a secret:

* **"Use A-Z, 0-9, and underscores. Must start with a letter."**: the key has invalid characters. Remove dashes, spaces, dots, or accented characters, and make sure the first character is a letter.
* **Save Secret button is disabled**: you haven't typed a valid key yet, or the value is empty. Fill both and try again.
* **"This company already has 50 secrets."**: delete a secret you no longer need before adding a new one.
* **"A secret with this key already exists."**: you already have a secret with that exact name. Delete the existing one first, or pick a different key.

Still stuck? Reach out on [Discord](https://discord.gg/cQPWu8WCDG) or at [support@nanocorp.so](mailto:support@nanocorp.so).
