paperclip/docs/deploy/secrets.md

---
title: Secrets Management
summary: Master key, encryption, and strict mode
---

Paperclip encrypts secrets at rest using a local master key. Agent environment variables that contain sensitive values (API keys, tokens) are stored as encrypted secret references.

## Default Provider: `local_encrypted`

Secrets are encrypted with a local master key stored at:

```
~/.paperclip/instances/default/secrets/master.key
```

This key is auto-created during onboarding. The key never leaves your machine.

## Configuration

### CLI Setup

Onboarding writes default secrets config:

```sh
pnpm paperclipai onboard
```

Update secrets settings:

```sh
pnpm paperclipai configure --section secrets
```

Validate secrets config:

```sh
pnpm paperclipai doctor
```

### Environment Overrides

| Variable | Description |
|----------|-------------|
| `PAPERCLIP_SECRETS_MASTER_KEY` | 32-byte key as base64, hex, or raw string |
| `PAPERCLIP_SECRETS_MASTER_KEY_FILE` | Custom key file path |
| `PAPERCLIP_SECRETS_STRICT_MODE` | Set to `true` to enforce secret refs |

## Strict Mode

When strict mode is enabled, sensitive env keys (matching `*_API_KEY`, `*_TOKEN`, `*_SECRET`) must use secret references instead of inline plain values.

```sh
PAPERCLIP_SECRETS_STRICT_MODE=true
```

Recommended for any deployment beyond local trusted.

## Migrating Inline Secrets

If you have existing agents with inline API keys in their config, migrate them to encrypted secret refs:

```sh
pnpm secrets:migrate-inline-env         # dry run
pnpm secrets:migrate-inline-env --apply # apply migration
```

## Secret References in Agent Config

Agent environment variables use secret references:

```json
{
  "env": {
    "ANTHROPIC_API_KEY": {
      "type": "secret_ref",
      "secretId": "8f884973-c29b-44e4-8ea3-6413437f8081",
      "version": "latest"
    }
  }
}
```

The server resolves and decrypts these at runtime, injecting the real value into the agent process environment.
docs: add external documentation site content Add structured documentation covering quickstart, architecture, core concepts, API reference, adapter guides, CLI commands, deployment options, and operator/developer guides. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> 2026-02-26 16:33:55 -06:00			`---`
			`title: Secrets Management`
			`summary: Master key, encryption, and strict mode`
			`---`

			`Paperclip encrypts secrets at rest using a local master key. Agent environment variables that contain sensitive values (API keys, tokens) are stored as encrypted secret references.`

			## Default Provider: `local_encrypted`

			`Secrets are encrypted with a local master key stored at:`

			```
			`~/.paperclip/instances/default/secrets/master.key`
			```

			`This key is auto-created during onboarding. The key never leaves your machine.`

			`## Configuration`

			`### CLI Setup`

			`Onboarding writes default secrets config:`

			```sh
refactor: rename packages to @paperclipai and CLI binary to paperclipai Rename all workspace packages from @paperclip/* to @paperclipai/* and the CLI binary from `paperclip` to `paperclipai` in preparation for npm publishing. Bump CLI version to 0.1.0 and add package metadata (description, keywords, license, repository, files). Update all imports, documentation, user-facing messages, and tests accordingly. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> 2026-03-03 08:45:26 -06:00			`pnpm paperclipai onboard`
docs: add external documentation site content Add structured documentation covering quickstart, architecture, core concepts, API reference, adapter guides, CLI commands, deployment options, and operator/developer guides. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> 2026-02-26 16:33:55 -06:00			```

			`Update secrets settings:`

			```sh
refactor: rename packages to @paperclipai and CLI binary to paperclipai Rename all workspace packages from @paperclip/* to @paperclipai/* and the CLI binary from `paperclip` to `paperclipai` in preparation for npm publishing. Bump CLI version to 0.1.0 and add package metadata (description, keywords, license, repository, files). Update all imports, documentation, user-facing messages, and tests accordingly. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> 2026-03-03 08:45:26 -06:00			`pnpm paperclipai configure --section secrets`
docs: add external documentation site content Add structured documentation covering quickstart, architecture, core concepts, API reference, adapter guides, CLI commands, deployment options, and operator/developer guides. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> 2026-02-26 16:33:55 -06:00			```

			`Validate secrets config:`

			```sh
refactor: rename packages to @paperclipai and CLI binary to paperclipai Rename all workspace packages from @paperclip/* to @paperclipai/* and the CLI binary from `paperclip` to `paperclipai` in preparation for npm publishing. Bump CLI version to 0.1.0 and add package metadata (description, keywords, license, repository, files). Update all imports, documentation, user-facing messages, and tests accordingly. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> 2026-03-03 08:45:26 -06:00			`pnpm paperclipai doctor`
docs: add external documentation site content Add structured documentation covering quickstart, architecture, core concepts, API reference, adapter guides, CLI commands, deployment options, and operator/developer guides. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> 2026-02-26 16:33:55 -06:00			```

			`### Environment Overrides`

			`\| Variable \| Description \|`
			`\|----------\|-------------\|`
			\| `PAPERCLIP_SECRETS_MASTER_KEY` \| 32-byte key as base64, hex, or raw string \|
			\| `PAPERCLIP_SECRETS_MASTER_KEY_FILE` \| Custom key file path \|
			\| `PAPERCLIP_SECRETS_STRICT_MODE` \| Set to `true` to enforce secret refs \|

			`## Strict Mode`

			When strict mode is enabled, sensitive env keys (matching `_API_KEY`, `_TOKEN`, `*_SECRET`) must use secret references instead of inline plain values.

			```sh
			`PAPERCLIP_SECRETS_STRICT_MODE=true`
			```

			`Recommended for any deployment beyond local trusted.`

			`## Migrating Inline Secrets`

			`If you have existing agents with inline API keys in their config, migrate them to encrypted secret refs:`

			```sh
			`pnpm secrets:migrate-inline-env # dry run`
			`pnpm secrets:migrate-inline-env --apply # apply migration`
			```

			`## Secret References in Agent Config`

			`Agent environment variables use secret references:`

			```json
			`{`
			`"env": {`
			`"ANTHROPIC_API_KEY": {`
			`"type": "secret_ref",`
			`"secretId": "8f884973-c29b-44e4-8ea3-6413437f8081",`
			`"version": "latest"`
			`}`
			`}`
			`}`
			```

			`The server resolves and decrypts these at runtime, injecting the real value into the agent process environment.`