> ## Documentation Index
> Fetch the complete documentation index at: https://docs.argentos.ai/llms.txt
> Use this file to discover all available pages before exploring further.

# Secret Management

> Secure storage and distribution of API keys, tokens, and credentials.

## Overview

ArgentOS handles sensitive credentials -- API keys, auth tokens, and service passwords. Proper secret management ensures these never leak to logs, version control, or unauthorized parties.

## Where Secrets Live

| Secret         | Location                                           | Permissions            |
| -------------- | -------------------------------------------------- | ---------------------- |
| Auth profiles  | `~/.argentos/agents/main/agent/auth-profiles.json` | `600` (user-only)      |
| Gateway token  | `~/.argentos/argent.json`                          | `600` (user-only)      |
| Channel tokens | `~/.argentos/argent.json`                          | `600` (user-only)      |
| ElevenLabs key | Dashboard settings                                 | Stored in dashboard.db |

## Local Storage

All secrets are stored locally on disk. ArgentOS never transmits your credentials to any service other than the intended API provider.

### File Permissions

Sensitive files should be readable only by the owning user:

```bash theme={null}
chmod 600 ~/.argentos/argent.json
chmod 600 ~/.argentos/agents/main/agent/auth-profiles.json
```

<Tip>
  The installer sets these permissions by default, but verify them if you edit files manually.
</Tip>

## Environment Variables

Secrets can also be provided via environment variables as a fallback:

```bash theme={null}
export ANTHROPIC_API_KEY="sk-ant-api03-..."
export ELEVENLABS_API_KEY="..."
```

Environment variables are checked after auth profiles. They are useful for CI/CD environments or Docker deployments.

## Enterprise Secret Sync

<Info>
  Enterprise features require an ArgentOS Enterprise license. See [Enterprise](/licensing/enterprise).
</Info>

For organizations managing multiple ArgentOS instances, the secret sync system distributes API keys from a central authority:

<Steps>
  <Step title="Configure keys centrally">
    Organization admin configures keys in the licensing portal
  </Step>

  <Step title="Instances fetch keys">
    Each ArgentOS instance fetches its assigned keys on activation
  </Step>

  <Step title="Rotation handled centrally">
    Key rotation is handled centrally
  </Step>
</Steps>

```mermaid theme={null}
graph TD
    LS[Licensing Server] --> OK[Organization API Keys]
    LS --> IR[Instance requests keys<br/>authenticated by license]
    IR --> LP[Keys written to local<br/>auth-profiles.json]
```

## Secrets in Logs

ArgentOS redacts sensitive values from logs:

* API keys are shown as `sk-ant-***...***`
* Auth tokens are never logged
* Gateway auth tokens are never included in error messages

## Secret Rotation

### Manual Rotation

<Steps>
  <Step title="Generate new credentials from the provider" />

  <Step title="Update auth-profiles.json or argent.json" />

  <Step title="Restart the gateway">
    ```bash theme={null}
    argent gateway restart
    ```
  </Step>
</Steps>

### Automated Rotation

Enterprise customers can configure automatic key rotation through the licensing portal.

## Best Practices

1. **Never commit secrets** to Git (add config files to `.gitignore`)
2. **Use auth profiles** instead of environment variables when possible
3. **Set strict file permissions** (`chmod 600`)
4. **Rotate keys** on a regular schedule
5. **Use separate keys** for development and production
6. **Monitor provider dashboards** for unusual usage
