define secret --plain-english
Secret
TLDR: Some of the strings of characters your software uses are harmless name-tags. One of them is a master key. The entire game is never letting the master key out of the box.
A secret is any string that proves you're allowed to do something powerful. API keys, passwords, access tokens, database logins. Hand one over and whoever holds it can act as you, spend as you, and reach what's yours.
The distinction that keeps you safe is name-tag versus master key.
- Your username, your account ID, your email address: those are name-tags. They say who you are. They're fine to show. People need them to find you.
- Your API key, your password, your access token: those are master keys. They don't announce who you are, they prove you're allowed, and they open doors. Those live in the safe.
Mixing the two up is the classic mistake. People will carefully hide their username and then paste their API key straight into a screenshot.
The rules are short, and they're the whole point of the day:
A secret never goes in your code. This is exactly why the locked drawer exists, the hidden file your secrets live in. Your code points at the secret. It never contains it.
A secret never goes in a chat, a screenshot, a support ticket, or a public repo. The instant it's seen, treat it as burned. (Remember the bots that do nothing but scan public code for leaked keys? This is what they're hunting.)
If a secret leaks, you don't apologize, you rotate it. Rotating means cancel the old key and generate a fresh one. The leaked string turns into a dead end the moment you do. Fast and boring beats slow and sorry.
Give a secret the least power it needs. That one's big enough to be its own idea, and it's next.
For the AI angle: agents hold secrets, your keys, so they can do their jobs and order off the windows for you. That's normal and necessary. What matters is that the agent keeps them in the safe, never echoes one back into a chat, and never pastes one somewhere public. When you set a tool up, the secret goes in the hidden drawer, and you confirm it never prints to the screen.
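Here is the "code points at the secret, never contains it" rule and the "confirm it never prints to the screen" check from the AI paragraph, worked through as an added example in Python. It is not code from the original page; the `Secret` wrapper, the `load_secret` helper, the `.env`-style drawer file, and every key name and value in it are constructed for illustration.

```python
import os
import re
import tempfile
from pathlib import Path


class Secret:
    """Holds a master key so it cannot leak through print(), f-strings, or logs."""

    __slots__ = ("_value",)

    def __init__(self, value: str) -> None:
        self._value = value

    def reveal(self) -> str:
        # The only way to get the raw value: an explicit, greppable call.
        return self._value

    # Every accidental path to the screen shows a placeholder instead.
    def __repr__(self) -> str:
        return "Secret('***')"

    def __str__(self) -> str:
        return "***"

    def __format__(self, spec: str) -> str:
        return "***"


def load_dotenv_file(path: str) -> dict:
    """Parse KEY=VALUE lines from the hidden drawer file (a .env-style file)."""
    values = {}
    for raw in Path(path).read_text().splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, val = line.partition("=")
        values[key.strip()] = val.strip().strip('"').strip("'")
    return values


def load_secret(name: str, env=None, dotenv=None) -> Secret:
    """Look NAME up in the process environment, then in the drawer file.

    The code only ever names the secret; the value lives outside the code.
    """
    env = os.environ if env is None else env
    if name in env:
        return Secret(env[name])
    if dotenv is not None:
        values = load_dotenv_file(dotenv)
        if name in values:
            return Secret(values[name])
    raise KeyError(f"{name} is not set; put it in the environment or the drawer file")


# Constructed pattern: a secret-ish keyword assigned a literal of 8+ characters.
SECRET_ASSIGNMENT = re.compile(
    r"(?i)\b(api[_-]?key|secret|token|password|passwd)\b\s*[=:]\s*['\"]?[^\s'\"]{8,}"
)


def find_secret_assignments(source: str) -> list:
    """Return 1-based line numbers where a secret looks hard-coded into source."""
    hits = []
    for n, line in enumerate(source.splitlines(), 1):
        # Reading from the environment or the drawer is the correct pattern; skip it.
        if "os.environ" in line or "load_secret(" in line:
            continue
        if SECRET_ASSIGNMENT.search(line):
            hits.append(n)
    return hits


def redact(text: str, secret: Secret) -> str:
    """Scrub a secret's value out of text before it goes to a chat, ticket, or log."""
    return text.replace(secret.reveal(), "***")


def demo_drawer_roundtrip() -> dict:
    """Write a constructed drawer file, load from it, and show what each path prints."""
    with tempfile.TemporaryDirectory() as tmp:
        drawer = os.path.join(tmp, ".env")
        Path(drawer).write_text(
            "# constructed sample drawer file\n"
            "DB_PASSWORD='constructed-db-pass'\n"
            "USERNAME=alice\n"
        )
        pw = load_secret("DB_PASSWORD", env={}, dotenv=drawer)
        return {
            "printed": f"db password is {pw}",  # placeholder reaches the screen
            "revealed": pw.reveal(),  # raw value only via the explicit call
            "username": load_dotenv_file(drawer)["USERNAME"],  # a name-tag, fine to show
        }


if __name__ == "__main__":
    print(demo_drawer_roundtrip()["printed"])
    bad = 'API_KEY = "sk-constructed-1234567890"\nuser = "alice"\n'
    print("hard-coded secret on lines:", find_secret_assignments(bad))
```

The wrapper is deliberately annoying: the only way to get the raw string out is `reveal()`, so a search for that name shows every place the master key can leave the safe, and a stray `print(config)` shows `***` rather than the key. The `find_secret_assignments` scan is a minimal stand-in for the "bots that scan public code for leaked keys"; run it over your own files before they leave your machine, because the bots will run it after.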
A name-tag says who you are and can be shown. A secret proves you're allowed and never leaves the safe. If one ever gets out, kill it and make a new one.