Secrets Management
Store API keys and environment variables securely. Secrets are encrypted at rest and synced automatically to your IDE workspaces.
Adding a Secret
Key Naming Convention
Secret keys are automatically formatted to uppercase with underscores for consistency. When you add a secret with a name like openai-api-key, GRID formats it as OPENAI_API_KEY for use in the environment. Name your secrets in the Dashboard; they sync to the IDE and are available to your app at runtime.
Security Features
| Feature | Description |
|---|---|
| Encryption | AES-256 encryption at rest |
| Masking | Values are masked (e.g. only first and last characters visible) |
| Reveal | Click eye icon to temporarily show value |
| Copy | One-click copy to clipboard |
| Audit Log | All access is logged (Enterprise) |
Using Secrets in IDE
Secrets sync automatically to your GRID IDE. Access them via the built-in environment or through the Secrets panel.
Secrets are available as environment variables when your agent or app runs. Use the variable name (e.g. OPENAI_API_KEY) in your app to read the value. For API calls, include the secret in the Authorization header as a Bearer token.
• Secrets are automatically injected into your workspace environment
• Available in all terminal sessions and processes
• Never exposed in logs or error messages
Zero-knowledge encryption
Secrets and API keys are encrypted on your device with a vault key that only you (and teammates you share it with) have. The server stores only ciphertext and cannot decrypt.
- Set a passphrase on the Secrets page; the same passphrase (with the org salt) derives the vault key on the website and in the IDE.
- Or export the vault key from the website and import it on another device, or share it with a teammate out-of-band.
- Existing keys/secrets created before E2EE may need to be re-entered once to move to zero-knowledge.
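An added sketch of the client-side flow described above (not GRID's own code): a passphrase and org salt derive the vault key, the secret is encrypted on the device, and only the resulting ciphertext record would be sent to the server. This page does not document GRID's KDF, cipher mode or record format, so scrypt, AES-256-GCM, the record fields and all sample values here are assumptions.

```javascript
// Added illustration, not GRID's implementation. Assumptions: scrypt as the KDF,
// AES-256-GCM as the cipher mode, the record layout, and every sample value.
const nodeCrypto = require('node:crypto');

// Same passphrase + same org salt => same 32-byte vault key on website and IDE.
function deriveVaultKey(passphrase, orgSalt) {
  return nodeCrypto.scryptSync(passphrase.normalize('NFKC'), orgSalt, 32,
    { N: 2 ** 15, r: 8, p: 1, maxmem: 64 * 1024 * 1024 });
}

// Encrypt on the device. The secret's name is bound in as associated data so a
// ciphertext cannot be silently re-attached to a different key name.
function sealSecret(vaultKey, name, value) {
  const iv = nodeCrypto.randomBytes(12); // fresh nonce per encryption
  const cipher = nodeCrypto.createCipheriv('aes-256-gcm', vaultKey, iv);
  cipher.setAAD(Buffer.from(name, 'utf8'));
  const ct = Buffer.concat([cipher.update(value, 'utf8'), cipher.final()]);
  return { name, iv: iv.toString('base64'), ct: ct.toString('base64'),
           tag: cipher.getAuthTag().toString('base64') };
}

// Decrypt on another device. Throws if the key, name, or ciphertext is wrong.
function openSecret(vaultKey, record) {
  const decipher = nodeCrypto.createDecipheriv('aes-256-gcm', vaultKey,
    Buffer.from(record.iv, 'base64'));
  decipher.setAAD(Buffer.from(record.name, 'utf8'));
  decipher.setAuthTag(Buffer.from(record.tag, 'base64'));
  return Buffer.concat([decipher.update(Buffer.from(record.ct, 'base64')),
    decipher.final()]).toString('utf8');
}

// Constructed sample inputs.
const ORG_SALT = Buffer.from('constructed-org-salt-0001', 'utf8');
const PASSPHRASE = 'constructed example passphrase';

const websiteKey = deriveVaultKey(PASSPHRASE, ORG_SALT);
const stored = sealSecret(websiteKey, 'OPENAI_API_KEY', 'sk-constructed-value');
console.log('server stores:', JSON.stringify(stored)); // ciphertext only

const ideKey = deriveVaultKey(PASSPHRASE, ORG_SALT); // derived independently
console.log('IDE decrypts:', openSecret(ideKey, stored));
```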
BYOK (Bring Your Own Key)
Server-side AI features (e.g. suggestions) use only BYOK headers or server-owned env keys. Org-stored keys are for IDE/sync only (zero-knowledge); the server never decrypts them.
• Personal keys are stored locally and never synced
• Organization keys (E2EE) sync to IDE when vault key is set
• Seamless fallback ensures uninterrupted workflow