Skip to main content
Agents run code in a secure, isolated Code Sandbox. Agent Secrets let you inject encrypted credentials into the sandbox as environment variables, so your agent can authenticate with external services (APIs, databases, etc.) without ever exposing the raw values.
The Code Sandbox is natively enabled on all agents. See Code Sandbox for full details on what it can do.

Adding a Secret to Your Agent

Follow these three steps to give your agent secure access to an API key or credential.
1

Open Settings and add a secret

Navigate to your agent and click the Settings tab. Scroll down to the Secrets section, expand it, and click + Secret.
Agent Settings page showing the Secrets section expanded with No secrets configured and an arrow pointing to the + Secret button
Select from your personal secrets, or create a new one directly from the picker.
2

Confirm the secret is configured

Once added, the secret appears by name in the Secrets section. Your agent now has access to it at runtime.
Agent Settings Secrets section showing Pylon API Key configured
You can add multiple secrets by clicking + Secret again, or remove one via the three-dot menu.
3

Prompt the agent to use the secret

In the agent chat, ask it to perform a task that requires the credential. The agent accesses the secret as an environment variable (e.g. os.environ["PYLON_API_KEY"]) and uses it in code, but it can never read or expose the actual value.
Agent chat showing it has access to PYLON_API_KEY and using it to query the Pylon API for tickets created today
If you share an agent that uses personal secrets, other users will be prompted to provide their own values. Your secrets are never exposed.

Two Types of Secrets

Personal Secrets

Private to you. No other user can access them. Managed from your personal secrets settings.

Team Secrets

Shared across all team members. Available when an agent is in a team space.

Team Secrets

For agents in a team space, you can use shared secrets that all team members can access.
1

Move agent to a team space

Move your agent into a team (or create it there).
2

Add a team secret

In agent Settings > Secrets, click + Secret. The dropdown shows both Personal Secrets and Team Secrets.
3

Select a team secret

Pick from the Team Secrets section. All team members will share this value.
Secret picker showing Personal Secrets and Team Secrets sections with Pylon API Key under Team Secrets

Runtime Resolution

Secrets resolve based on the running user, not the agent owner:
  • Personal secret configured — other users are prompted to provide their own value
  • Team secret configured — all team members share the same value
When a user encounters a secret they haven’t configured, the chat prompts them to configure it:
Chat showing Configure secrets prompt with PYLON_API_KEY needed, a dropdown to select from Personal Secrets or add new, and buttons for Skip, Save for me, and Save to agent
Options:
  • Skip — proceed without the secret
  • Save for me — map a personal secret for this user only
  • Save to agent — update the agent’s default binding
Users can also manage their active secrets during a conversation using the Secrets button in the chat composer:
Chat composer Secrets popover showing Your secrets with Pylon API Key mapped to PYLON_API_KEY

Comparison

Personal SecretsTeam Secrets
VisibilityOnly youAll team members
Where managedPersonal settingsTeam settings
Use casePrivate API keys, personal tokensShared service accounts, org-wide keys
Agent locationPersonal or team spaceTeam space only
ResolutionPer-user (each provides their own)Shared (one value for all)

FAQ

No. Secrets are injected as environment variables at runtime. The agent can reference them by name (os.environ["MY_KEY"]) but never sees the actual value. Values are encrypted and never shown to the agent.
Yes. An agent in a team space can use both. Personal bindings overlay the agent’s defaults at runtime.
Yes. Secrets are bound to the agent configuration. They are available every time the agent runs code.
Go to gumloop.com/settings/profile/secrets and add one. It will then appear in the secret picker when configuring agents.

See Also

Agents

Building and configuring agents, including the Code Sandbox.

Teams

Team spaces and shared resources.