Configuring Secrets
How to securely configure API keys and credentials for modules
Many modules need API keys or credentials to connect to external services. Odel provides a secure way to store and manage these secrets.
Security First
Your secrets are encrypted at rest using AES-GCM-256 encryption. They are only decrypted when a module runs and are never exposed to the frontend or logged.
What Are Module Secrets?
Module secrets are sensitive credentials that modules need to function. Common examples include:
- API Keys — Access tokens for services like OpenAI, GitHub, or Stripe
- OAuth Tokens — Authorization credentials for third-party accounts
- Database Credentials — Connection strings or passwords
- Webhook URLs — Private endpoints for integrations
Each module declares which secrets it requires. You'll see these listed on the module's detail page under Required Secrets.
Configuring Secrets During Installation
When you install a module that requires secrets:
Review Required Secrets
The installation dialog shows all required secrets with descriptions explaining what each one is used for.
Enter Your Credentials
Fill in each required field with your credentials. Make sure to use the correct format (some APIs require prefixes like sk- or ghp_).
Complete Installation
Click Install to save your secrets and complete the installation. Your secrets are encrypted before being stored.
Updating Secrets
You can update your secrets at any time from the module's config page:
Navigate to Config
Go to the module's detail page and click the Config tab.
Click Edit Secrets
Click the Edit Secrets button to open the secrets dialog.
Update Values
Enter new values for any secrets you want to change.
Partial Updates
Leave a field empty to keep its current value. Only the secrets you fill in will be updated.
Save Changes
Click Save to apply your changes. Updates take effect immediately for future module calls.
Security Details
Encryption at Rest
All secrets are encrypted using AES-GCM-256 before being stored in our database:
- 256-bit encryption — Industry-standard symmetric encryption
- Unique IV per encryption — Each secret uses a random initialization vector
- Authenticated encryption — GCM mode detects any tampering attempts
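The three properties listed above, shown as an added Node.js sketch; it is not Odel's implementation and not code from this page. The in-memory key, the `{ iv, ct, tag }` record layout, the `module-a`/`module-b` names and the use of the module name as additional authenticated data are assumptions made for the illustration.

```javascript
// Added illustration: AES-256-GCM with a fresh IV per secret (not Odel's code).
const nodeCrypto = require("node:crypto");

// Constructed demo key; a real service would load its 32-byte key from a KMS.
const KEY = nodeCrypto.randomBytes(32);

// Encrypt one secret. `moduleId` is a hypothetical label bound as AAD, so a
// record copied to a different module fails authentication on decrypt.
function encryptSecret(key, moduleId, plaintext) {
  const iv = nodeCrypto.randomBytes(12); // 96-bit IV, never reused with a key
  const cipher = nodeCrypto.createCipheriv("aes-256-gcm", key, iv);
  cipher.setAAD(Buffer.from(moduleId, "utf8"));
  const ct = Buffer.concat([cipher.update(plaintext, "utf8"), cipher.final()]);
  return { iv, ct, tag: cipher.getAuthTag() }; // all three fields are stored
}

// Decrypt one record; throws if key, IV, ciphertext, tag or AAD do not match.
function decryptSecret(key, moduleId, record) {
  const decipher = nodeCrypto.createDecipheriv("aes-256-gcm", key, record.iv, {
    authTagLength: 16, // refuse truncated tags
  });
  decipher.setAAD(Buffer.from(moduleId, "utf8"));
  decipher.setAuthTag(record.tag);
  const pt = Buffer.concat([decipher.update(record.ct), decipher.final()]);
  return pt.toString("utf8");
}

// Returns true when decryption is rejected, false when it succeeds.
function isRejected(key, moduleId, record) {
  try {
    decryptSecret(key, moduleId, record);
    return false;
  } catch (err) {
    return true;
  }
}

// Constructed sample value, not a real credential.
const SAMPLE = "sk-constructed-example-value";
const stored = encryptSecret(KEY, "module-a", SAMPLE);

// Flip one bit of the stored ciphertext to simulate tampering in the database.
const tampered = { ...stored, ct: Buffer.from(stored.ct) };
tampered.ct[0] ^= 0x01;
```

A failed tag check surfaces as an exception from `final()`, so a modified record never yields plaintext to the caller.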
Decryption on Demand
Secrets are only decrypted when a module call needs them. The flow is:
- You call a module tool through an MCP client
- Odel's proxy decrypts the required secrets
- Secrets are passed to the module in memory
- After the call completes, decrypted values are discarded
Secrets are never:
- Stored in plaintext
- Exposed to the frontend
- Logged or recorded
- Shared between modules
Access Control
- Only you can view or modify your secrets
- Module developers never see your secret values
- Odel staff cannot access your decrypted secrets
Best Practices
Recommended
Follow these practices to keep your secrets secure.
Use Dedicated API Keys
Create separate API keys specifically for Odel modules when possible. This allows you to:
- Revoke access without affecting other applications
- Monitor usage separately
- Apply specific rate limits or permissions
Rotate Keys Regularly
Periodically update your API keys, especially for sensitive services. Odel makes this easy—just update the secret and the new key takes effect immediately.
Use Minimum Required Permissions
When creating API keys, grant only the permissions the module actually needs. Check the module's documentation for required scopes.
Monitor Usage
Keep an eye on your API usage through each service's dashboard. Unusual activity might indicate a compromised key.