Documentation / @agentick/secrets
@agentick/secrets ​
Platform-native secret storage for Agentick agents. Stores credentials in the OS keychain on macOS and Linux, with env var fallback everywhere else.
Install ​
pnpm add @agentick/secretsQuick Start ​
import { createSecretStore } from "@agentick/secrets";
const secrets = await createSecretStore();
await secrets.set("telegram.token", "bot123:ABC-xyz");
const token = await secrets.get("telegram.token");createSecretStore() auto-detects the best backend for the current platform.
How It Works ​
createSecretStore()
|
v
Platform detection
|
+-- macOS ------> Keychain (security CLI)
+-- Linux ------> libsecret (secret-tool CLI)
+-- Fallback ---> Environment variablesAll keychain operations use execFile with argument arrays — no shell interpolation, no injection risk.
Backends ​
Keychain (macOS) ​
Stores secrets in the macOS Keychain via the security CLI. Secrets are encrypted at rest, protected by the login keychain, and accessible to Keychain Access.app.
import { createKeychainStore } from "@agentick/secrets";
const secrets = createKeychainStore({ service: "my-agent" });The service parameter scopes secrets (default: "agentick"). A manifest key tracks all stored keys for list().
libsecret (Linux) ​
Stores secrets via secret-tool, the CLI for GNOME Keyring / KWallet. Requires libsecret and a running secret service.
import { createLibsecretStore } from "@agentick/secrets";
const secrets = createLibsecretStore({ service: "my-agent" });list() uses secret-tool search natively — no manifest needed.
Environment Variables ​
Reads from process.env. Dot-path keys are normalized to UPPER_SNAKE_CASE.
import { createEnvStore } from "@agentick/secrets";
const secrets = createEnvStore({ prefix: "MYAGENT" });
// secrets.get("telegram.token") → process.env.MYAGENT_TELEGRAM_TOKENWithout a prefix, keys map directly: telegram.token → TELEGRAM_TOKEN.
Memory ​
In-memory Map. For testing.
import { createMemoryStore } from "@agentick/secrets";
const secrets = createMemoryStore({ "api.key": "test-value" });Explicit Backend Selection ​
Override auto-detection when needed.
const secrets = await createSecretStore({ backend: "env", envPrefix: "MYAPP" });
const secrets = await createSecretStore({ backend: "keychain", service: "my-agent" });
const secrets = await createSecretStore({ backend: "memory" });Use with Connectors ​
Pass a secret store to connectors instead of hardcoding tokens.
import { createSecretStore } from "@agentick/secrets";
import { TelegramPlatform } from "@agentick/connector-telegram";
const secrets = await createSecretStore();
const token = await secrets.get("telegram.token");
const platform = new TelegramPlatform({ token: token! });SecretStore Interface ​
Defined in @agentick/shared so any package can accept it as a dependency.
interface SecretStore {
get(key: string): Promise<string | null>;
set(key: string, value: string): Promise<void>;
delete(key: string): Promise<boolean>;
has(key: string): Promise<boolean>;
list(): Promise<string[]>;
readonly backend: string;
}Exports ​
// Factory (auto-detects backend)
export { createSecretStore } from "./create-secret-store.js";
export type { CreateSecretStoreOptions, SecretStoreBackend } from "./create-secret-store.js";
// Backends
export { createKeychainStore } from "./keychain-store.js";
export { createLibsecretStore } from "./libsecret-store.js";
export { createEnvStore } from "./env-store.js";
export { createMemoryStore } from "./memory-store.js";
export type { KeychainStoreOptions } from "./keychain-store.js";
export type { LibsecretStoreOptions } from "./libsecret-store.js";
export type { EnvStoreOptions } from "./env-store.js";
// Interface (re-exported from @agentick/shared)
export type { SecretStore } from "@agentick/shared";