Secrets
Per-project encrypted values, given to each session as environment variables.
A secret is a per-project value (an API key, token, or connection string) that the agent needs but that must not live in the repo. Secrets are encrypted at rest and provided to each session as environment variables.
- Set values in the Secrets Manager (dashboard) or with `kortix secrets set`. Names are uppercase (`OPENAI_API_KEY`); the `KORTIX_*` prefix is reserved for the platform.
- Optionally declare names in `kortix.toml` under `[env]` (`required` / `optional`). This only documents what a project expects and flags missing ones in the UI — it is advisory, not enforced: a session still starts if a `required` secret is unset.
- Shared or personal — a secret can be shared with the project or set as your own private override; you control who a shared secret is usable by.
- Rotation takes effect on the next session. Running sessions keep the values they booted with.
Under the hood
Values are encrypted with AES-256-GCM under a per-project key derived from the
platform master key (HKDF-SHA256), stored in project_secrets, and injected as
plain env vars at session provision — resolved as the launching user (personal
override wins, then a usable shared value). Connector credentials are a separate
scope, resolved server-side by the Executor and
never injected. Details: Secrets reference.
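
The key hierarchy and resolution order described above, as an added sketch in Node.js that is not Kortix's own code. The HKDF info label, empty salt, nonce handling, use of the secret name as AAD, and the row fields (`scope`, `owner`, `usableBy`) are assumptions made for illustration.

```javascript
// Added illustration, not Kortix source. The HKDF info label, empty salt, nonce
// handling, AAD binding and row shape are assumptions.
const crypto = require('node:crypto');

// Per-project key: HKDF-SHA256 over the master key, with the project id as context.
function deriveProjectKey(masterKey, projectId) {
  const info = Buffer.from(`project-secrets:${projectId}`); // assumed label
  return Buffer.from(crypto.hkdfSync('sha256', masterKey, Buffer.alloc(0), info, 32));
}

// AES-256-GCM with a fresh 96-bit nonce; the secret name is authenticated as AAD
// so a ciphertext cannot be moved under another name without failing the tag.
function encryptSecret(projectKey, name, value) {
  const nonce = crypto.randomBytes(12);
  const cipher = crypto.createCipheriv('aes-256-gcm', projectKey, nonce);
  cipher.setAAD(Buffer.from(name));
  const ct = Buffer.concat([cipher.update(value, 'utf8'), cipher.final()]);
  return { name, nonce, ct, tag: cipher.getAuthTag() };
}

// Throws if the key, name, ciphertext or tag does not match.
function decryptSecret(projectKey, row) {
  const d = crypto.createDecipheriv('aes-256-gcm', projectKey, row.nonce);
  d.setAAD(Buffer.from(row.name));
  d.setAuthTag(row.tag);
  return Buffer.concat([d.update(row.ct), d.final()]).toString('utf8');
}

// Environment for the launching user: usable shared values first, then that
// user's personal overrides on top.
function resolveEnv(projectKey, rows, user) {
  const env = {};
  for (const r of rows) if (r.scope === 'shared' && r.usableBy.includes(user)) env[r.name] = decryptSecret(projectKey, r);
  for (const r of rows) if (r.scope === 'personal' && r.owner === user) env[r.name] = decryptSecret(projectKey, r);
  return env;
}

// Constructed sample data: random master key, two users, one project.
const masterKey = crypto.randomBytes(32);
const keyA = deriveProjectKey(masterKey, 'proj-a');
const rows = [
  { ...encryptSecret(keyA, 'OPENAI_API_KEY', 'shared-value'), scope: 'shared', usableBy: ['alice', 'bob'] },
  { ...encryptSecret(keyA, 'OPENAI_API_KEY', 'alice-override'), scope: 'personal', owner: 'alice' },
  { ...encryptSecret(keyA, 'DATABASE_URL', 'postgres://db.example/app'), scope: 'shared', usableBy: ['alice'] },
];
console.log(resolveEnv(keyA, rows, 'alice'), resolveEnv(keyA, rows, 'bob'));
```

Because each project key is derived with the project id as context, a row copied into another project fails GCM authentication instead of decrypting.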