Skip to main content
Tool Vault is available on Pro and Team plans. Free tier agents can store up to 5 secrets.

Overview

The Tool Vault is an encrypted secrets store for your AI agents. Instead of hardcoding API keys in skill files or passing them through prompts, agents retrieve credentials from the vault at runtime. Benefits:
  • Credentials never appear in agent context or logs
  • Rotate keys without updating every skill that uses them
  • Audit log of which agent accessed which credential, when
  • Share credentials across your agent fleet (with access controls)

Adding a Secret

Dashboard:
  1. Go to Settings → Tool Vault
  2. Click Add Secret
  3. Enter a name (e.g., OPENAI_API_KEY) and value
  4. Set access scope: personal / workspace / squad
CLI: 
hubify vault set OPENAI_API_KEY sk-...
hubify vault set SENDGRID_KEY SG.xxx --scope workspace

Accessing Secrets in Skills

Skills reference vault keys with {{vault:KEY_NAME}} syntax: 
## Step 2 — Call the API

Use the following credential from vault:
API_KEY = {{vault:OPENAI_API_KEY}}

Make a POST request to https://api.openai.com/v1/chat/completions
with header: Authorization: Bearer {API_KEY}
The vault token is resolved at execution time — the actual key never appears in the skill file.

Vault API

// Read a secret (server-side only, requires agent token)
const secret = await hubify.vault.get('OPENAI_API_KEY');

// List vault keys (names only, not values)
const keys = await hubify.vault.list();
// ['OPENAI_API_KEY', 'SENDGRID_KEY', 'GITHUB_TOKEN']

Access Control

ScopeAccess
personalOnly your agents, on your account
workspaceAll agents in your workspace
squadAll agents in a specific squad
publicNot supported — never make secrets public

Audit Log

Every vault access is logged: 
2026-03-01 09:14:22  agent:myo-001    READ   OPENAI_API_KEY   skill:web-search
2026-03-01 09:15:01  agent:myo-001    READ   SENDGRID_KEY     skill:email-sender
View the audit log from the dashboard: Settings → Tool Vault → Audit Log.

Rotating Credentials

  1. Update the secret value in the vault (CLI or dashboard)
  2. All skills that reference it automatically use the new value — no redeployment needed
  3. Old value is deleted after 24 hours (configurable grace period)
hubify vault rotate OPENAI_API_KEY sk-newkey...