Managed Secrets

Managed secrets let you store sensitive values (API keys, tokens, passwords) in the Wrapd dashboard. They are encrypted at rest and automatically injected into your agent as environment variables when it connects.

  1. You create a secret in the dashboard (e.g. GITHUB_TOKEN)
  2. When your agent connects, it receives your secrets securely
  3. The agent injects them as environment variables into every command it runs
  4. Your commands can access them like any other env var ($GITHUB_TOKEN)

Go to Dashboard → Secrets and add a secret with a name and value. Names are automatically uppercased and must be UPPER_SNAKE_CASE.

Since managed secrets are injected as env vars, your commands can use them directly:

endpoints:
  - name: deploy
    method: POST
    command: ./deploy.sh
    # deploy.sh can access $GITHUB_TOKEN, $DEPLOY_KEY, etc.

Use the $wrapd: prefix to reference a managed secret for webhook signature verification:

endpoints:
  - name: on-push
    method: POST
    trigger: webhook
    command: ./handle-push.sh
    secret: $wrapd:GITHUB_WEBHOOK_SECRET

The $wrapd: prefix tells the agent to look up the value from managed secrets instead of local environment variables. This is useful when you don’t want to store the secret on the machine running the agent.

| Format | Source | Example |
| --- | --- | --- |
| $wrapd:NAME | Managed secret (dashboard) | $wrapd:GITHUB_WEBHOOK_SECRET |
| $ENV_VAR | Local environment variable | $MY_LOCAL_SECRET |
| literal | Literal string value | mysecretvalue |

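
The three reference formats in the table, resolved and then used to check a webhook signature, as an added example (not Wrapd's own code). It assumes a GitHub-style `sha256=<hex>` HMAC-SHA256 header, which this page does not specify for Wrapd; `resolve_secret`, `verify_signature` and the sample values are hypothetical.

```python
import hashlib
import hmac
import re

# Assumed reading of the UPPER_SNAKE_CASE rule for managed secret names.
MANAGED_NAME_RE = re.compile(r"[A-Z][A-Z0-9_]*")

def resolve_secret(ref, managed, local_env):
    """Resolve a `secret:` value following the three formats in the table."""
    if ref.startswith("$wrapd:"):
        name = ref[len("$wrapd:"):]
        if not MANAGED_NAME_RE.fullmatch(name):
            raise ValueError(f"invalid managed secret name: {name!r}")
        source, label = managed, "managed secret"
    elif ref.startswith("$"):
        name, source, label = ref[1:], local_env, "local environment variable"
    else:
        return ref.encode()  # literal string value
    value = source.get(name)
    if not value:
        # Fail closed: a missing or empty secret must never become the HMAC
        # key, and the unresolved "$NAME" text must not be used as a literal.
        raise KeyError(f"{label} {name} is not set")
    return value.encode()

def verify_signature(key, body, header):
    """Check a GitHub-style 'sha256=<hex>' header in constant time."""
    expected = "sha256=" + hmac.new(key, body, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected.encode(), header.encode())

# Constructed sample data, not real secrets or a real payload.
MANAGED = {"GITHUB_WEBHOOK_SECRET": "constructed-example-secret"}
LOCAL_ENV = {"MY_LOCAL_SECRET": "constructed-local-secret"}
BODY = b'{"ref":"refs/heads/main"}'

def demo():
    key = resolve_secret("$wrapd:GITHUB_WEBHOOK_SECRET", MANAGED, LOCAL_ENV)
    good = "sha256=" + hmac.new(key, BODY, hashlib.sha256).hexdigest()
    # The untouched body verifies; a body altered by one byte does not.
    return verify_signature(key, BODY, good), verify_signature(key, BODY + b" ", good)

if __name__ == "__main__":
    print(demo())
```
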
| Plan | Secret limit |
| --- | --- |
| Free | 0 |
| Pro | 10 |
| Team | 50 |

  • Secrets are encrypted at rest
  • They are transmitted over an encrypted connection
  • The agent holds them in memory only — they are never written to disk
  • Secrets are re-injected each time the agent reconnects