ArgentOSDocs

Secret Management

Secure storage and distribution of API keys, tokens, and credentials.

Overview

ArgentOS handles sensitive credentials -- API keys, auth tokens, and service passwords. Proper secret management ensures these never leak to logs, version control, or unauthorized parties.

Where Secrets Live

SecretLocationPermissions
Auth profiles~/.argentos/agents/main/agent/auth-profiles.json600 (user-only)
Gateway token~/.argentos/argent.json600 (user-only)
Channel tokens~/.argentos/argent.json600 (user-only)
ElevenLabs keyDashboard settingsStored in dashboard.db

Local Storage

All secrets are stored locally on disk. ArgentOS never transmits your credentials to any service other than the intended API provider.

File Permissions

Sensitive files should be readable only by the owning user:

chmod 600 ~/.argentos/argent.json
chmod 600 ~/.argentos/agents/main/agent/auth-profiles.json

The installer sets these permissions by default, but verify them if you edit files manually.

Environment Variables

Secrets can also be provided via environment variables as a fallback:

export ANTHROPIC_API_KEY="sk-ant-api03-..."
export ELEVENLABS_API_KEY="..."

Environment variables are checked after auth profiles. They are useful for CI/CD environments or Docker deployments.

Enterprise Secret Sync

Enterprise features require an ArgentOS Enterprise license. See Enterprise.

For organizations managing multiple ArgentOS instances, the secret sync system distributes API keys from a central authority:

  1. Organization admin configures keys in the licensing portal
  2. Each ArgentOS instance fetches its assigned keys on activation
  3. Key rotation is handled centrally

How It Works

Licensing Server

    ├── Organization API Keys

    └── Instance requests keys (authenticated by license)

            └── Keys written to local auth-profiles.json

Secrets in Logs

ArgentOS redacts sensitive values from logs:

  • API keys are shown as sk-ant-***...***
  • Auth tokens are never logged
  • Gateway auth tokens are never included in error messages

Secret Rotation

Manual Rotation

  1. Generate new credentials from the provider
  2. Update auth-profiles.json or argent.json
  3. Restart the gateway: argent gateway restart

Automated Rotation

Enterprise customers can configure automatic key rotation through the licensing portal.

Best Practices

  1. Never commit secrets to Git (add config files to .gitignore)
  2. Use auth profiles instead of environment variables when possible
  3. Set strict file permissions (chmod 600)
  4. Rotate keys on a regular schedule
  5. Use separate keys for development and production
  6. Monitor provider dashboards for unusual usage

Authentication

API keys, setup tokens, auth profiles, and gateway authentication.

Licensing Overview

How ArgentOS licensing works — plans, features, and activation.

On this page

OverviewWhere Secrets LiveLocal StorageFile PermissionsEnvironment VariablesEnterprise Secret SyncHow It WorksSecrets in LogsSecret RotationManual RotationAutomated RotationBest Practices