Overview
ArgentOS handles sensitive credentials — API keys, auth tokens, and service passwords. Proper secret management ensures these never leak to logs, version control, or unauthorized parties.Where Secrets Live
| Secret | Location | Permissions |
|---|---|---|
| Auth profiles | ~/.argentos/agents/main/agent/auth-profiles.json | 600 (user-only) |
| Gateway token | ~/.argentos/argent.json | 600 (user-only) |
| Channel tokens | ~/.argentos/argent.json | 600 (user-only) |
| ElevenLabs key | Dashboard settings | Stored in dashboard.db |
Local Storage
All secrets are stored locally on disk. ArgentOS never transmits your credentials to any service other than the intended API provider.File Permissions
Sensitive files should be readable only by the owning user:Environment Variables
Secrets can also be provided via environment variables as a fallback:Enterprise Secret Sync
Enterprise features require an ArgentOS Enterprise license. See Enterprise.
Secrets in Logs
ArgentOS redacts sensitive values from logs:- API keys are shown as
sk-ant-***...*** - Auth tokens are never logged
- Gateway auth tokens are never included in error messages
Secret Rotation
Manual Rotation
Automated Rotation
Enterprise customers can configure automatic key rotation through the licensing portal.Best Practices
- Never commit secrets to Git (add config files to
.gitignore) - Use auth profiles instead of environment variables when possible
- Set strict file permissions (
chmod 600) - Rotate keys on a regular schedule
- Use separate keys for development and production
- Monitor provider dashboards for unusual usage