Skip to main content

Documentation Index

Fetch the complete documentation index at: https://docs.augmentcode.com/llms.txt

Use this file to discover all available pages before exploring further.

Use the Secrets Manager to store sensitive values — API keys, OAuth tokens, certificates, database URLs — and have Cosmos inject them into your Expert VMs at boot. Secrets are encrypted at rest and never logged in plaintext.
Secrets are how you set environment variables for cloud agents. There is no separate env var feature for cloud-agent VMs — every secret in scope is automatically exported as a shell variable in the VM. Environment-scoped environment variables (set on the Environment itself) are for non-sensitive defaults only (e.g. NODE_ENV=development) and are shared with every user of that environment.

Where to Find It

The Secrets Manager lives in the sidebar under Configuration → Secrets. It supports add, edit, delete, and search operations. Values are write-only — once a secret is saved, the value cannot be retrieved again. To rotate a secret, edit it and enter the new value.

Scopes

When you create a secret, choose its visibility:
ScopeVisibility
PersonalOnly your sessions can read it.
SharedVisible to all members of your organization.
If a secret with the same name exists in both Personal and Shared scope, your sessions read the Personal one.

Creating a Secret

  1. Go to Configuration → Secrets in the sidebar.
  2. Click + Add Secret.
  3. Fill in:
    • Name — used as the variable name when injected (e.g. OPENAI_API_KEY).
    • Value — the secret value. Pasted in once and never shown again.
    • VisibilityPersonal or Shared.
    • Automatically install in VMs — leave on so the secret is auto-exported as an environment variable in every Expert VM in scope. Turn it off to keep the secret in storage but skip auto-injection.
  4. Click Create Secret.
The new secret appears in the list and is available to sessions on their next VM boot.

Auto-Injection into VMs

By default, every in-scope secret with Automatically install in VMs enabled is exported as a shell variable on VM boot. The exported variable name is the upper-snake-case of the secret name:
Secret nameExported as
openai-api-key$OPENAI_API_KEY
pagerduty.token$PAGERDUTY_TOKEN
db_url$DB_URL
To verify a secret is available, start a new session and prompt: “Check whether $OPENAI_API_KEY is set in this workspace.”

Secrets vs Environment Variables

ConcernSecrets ManagerEnvironment variables on an Environment
API keys, tokens, credentials❌ — values are committed into the environment’s version history
Per-user values✅ (Personal)❌ — same value for everyone using the environment
Public defaults (paths, feature flags)Possible
Auto-exported as $FOO in VM shell
Rule of thumb: sensitive or per-user → Secrets Manager; public/shared defaults tied to an environment → environment variables on the Environment.

Limits and Lifecycle

  • Versioning — each secret has an opaque version; saving a new value rotates it.
  • Rotation — there is no built-in scheduler. Rotate by editing the secret and entering the new value.
  • Deletion — deleting a secret removes it from future VM boots; existing running sessions keep the value already exported.