Secrets & Credentials Management
Securely store and manage environment secrets in Origin. Learn how to add, reference, and rotate API keys, tokens, and credentials used by your AI agents and project workflows.
The Secrets page is where you manage environment variables and sensitive configuration for your project. Secrets are injected into the sandbox at runtime so agents can execute code that depends on external systems, without exposing credentials in source control, logs, or task output.
Secrets are project-scoped and apply only within the current project. They are stored in HashiCorp Vault with versioning, audit logging, and environment-scoped access. Values are injected at runtime and never stored in code.
Env File Injection
At the top of the page, the Env File Injection section lets you configure one or more repo-local env files for local development parity. Each file can receive all secrets or a selected subset.
Use + Add File to add a file reference, then Save to apply. This keeps your local development environment in sync with the secrets configured in the project without manually copying values.
Environment Variables
The Environment Variables section, marked with a Vault badge, is where individual secrets are created and managed.
When secrets exist, the table shows:
- Name: the environment variable key (for example,
BRIGHTDATA_API_KEY) - Environment: the scope the secret applies to (for example, All Environments)
- Updated: when the secret was last modified
- Actions: edit or delete controls
Secrets marked as sensitive display a lock icon and an orange "Sensitive — cannot be displayed" label in place of the value. Sensitive values require confirmation to reveal and are never shown in plain text by default.
The list can be filtered by environment using the All Environments dropdown and sorted using the Sort by Name control.
Adding a Secret
Click + Add to create a new environment variable. Each secret requires:
- Name: the variable key (for example,
DATABASE_URL) - Value: the secret value
- Environment scope: where it should apply
- Sensitive toggle: if enabled, the value requires confirmation to reveal after saving
Sensitive mode is recommended for API keys, production credentials, and private tokens.
Importing from .env
Click Import to bring in multiple secrets at once from a .env file.
The import modal lets you:
- Set a Target Environment for all imported variables
- Toggle Mark as Sensitive to hide values and require confirmation to reveal
- Review each parsed variable in a Select Variables to Import list, with checkboxes to include or exclude individual entries
- Use Select All, Deselect All, or Clear to manage the selection
The bottom of the modal shows how many variables are selected and which environment they will be imported to. Click Import [N] Secrets to confirm, or Back to return.
Editing and Deleting Secrets
From the secrets table, you can edit a secret to update its value or scope, or delete it entirely. If a secret is deleted, any sandbox execution that depends on it may fail until the variable is reintroduced.
Teams typically revisit this page when rotating credentials, adding new integrations, or changing environment-specific configuration.
Model & AI Configuration
Configure the AI models used in your Origin project. Select and customize the language models that power your agent sessions, task execution, and code generation workflows.
Logging Integrations
Configure logging integrations in Origin to stream agent activity, session outputs, and execution logs to your preferred observability platforms and external monitoring tools.