Connecting Maestro with external services securely.
Secret Management System
What Are Secrets?
Secrets are credentials (API keys, tokens, passwords) that Maestro needs to interact with external services such as:
- Cloud providers (AWS, Azure, GCP)
- APIs (GitHub, GitLab, OpenAI)
- Databases (PostgreSQL, MySQL, MongoDB)
- Third-party services (Stripe, SendGrid, etc.)
Security Model
User-controlled activation:
- You register secrets once
- Per-session activation via the /secrets command
- Maestro cannot access a secret without your explicit consent

Storage and isolation:
- Session-scoped exposure only
- Secrets never logged
- Never shared across sessions
- Automatic cleanup on session end
- Encrypted at rest
Managing Secrets
Secret Manager (UI)
Access: Bottom-left menu → “Manage Secrets”

Functions:
- Register new secrets
- Edit existing secrets
- Delete secrets
- View usage history
- Configure OAuth integrations
Registering Secrets
Manual registration:
- Open Secret Manager
- Click “Add Secret”
- Enter details:
  - Name (e.g., AWS_ACCESS_KEY_ID)
  - Value (the actual secret)
  - Optional: Description, tags
- Save (encrypted immediately)

OAuth registration:
- Select OAuth provider (GitHub, GitLab, etc.)
- Authorize via OAuth flow
- Secrets stored automatically
- Includes refresh token handling
Activating Secrets
Via /secrets command:
Using Activated Secrets
In sandbox terminals:
- Secrets available to all sandbox commands
- Automatic injection into environment
- Tools can use them transparently

Because activation injects secrets as environment variables, anything the sandbox runs can read them, including commands whose debug or verbose output echoes the environment. Activate only what the current task needs and deactivate when it is done.
Deactivating Secrets
When done with sensitive secrets:

Supported Integrations
Cloud Providers
AWS
Secrets needed:
- AWS_ACCESS_KEY_ID
- AWS_SECRET_ACCESS_KEY
- AWS_REGION (optional, defaults to us-east-1)
Azure
Secrets needed:
- AZURE_SUBSCRIPTION_ID
- AZURE_TENANT_ID
- AZURE_CLIENT_ID
- AZURE_CLIENT_SECRET
Google Cloud Platform
Secrets needed:
- GOOGLE_APPLICATION_CREDENTIALS (path to service account JSON)
Version Control
GitHub
OAuth integration (recommended):
- Link account via Secret Manager
- Automatic token refresh

Capabilities:
- Clone private repositories
- Create and update PRs
- Add review comments
- Manage issues
- Trigger workflows
GitLab
OAuth integration:
- Similar to GitHub
- Private repository access
- API operations
Databases
PostgreSQL
MySQL
MongoDB
API Services
OpenAI, Anthropic, etc.
Stripe
SendGrid, Mailgun
OAuth Integration
Supported Providers
- GitHub
- GitLab
- Microsoft
- Custom OAuth 2.0 providers
OAuth Flow
One-time setup:
- Secret Manager → Add OAuth Integration
- Select provider
- Authorize Maestro
- Secrets stored with refresh token

Automatic refresh:
- Tokens refreshed automatically
- No manual intervention
- Valid whenever activated, as long as the grant has not been revoked at the provider

Scope management:
- OAuth scopes shown during authorization
- Cannot exceed granted scopes
- Re-authorize to change scopes
OAuth vs Personal Access Tokens
OAuth advantages:
- Automatic token refresh
- Granular scope control
- Revocable via provider
- Better security

Personal access token advantages:
- Simple setup
- Works in automation
- No browser required
Security Best Practices
Secret Hygiene
DO:
- Use descriptive names (AWS_PROD, AWS_DEV)
- Rotate secrets regularly
- Use least-privilege scopes
- Deactivate after use
- Review active secrets regularly

DON'T:
- Commit secrets to files
- Share secrets across teams
- Use overly permissive tokens
- Leave secrets activated indefinitely
Scope Minimization
Principle: Grant only necessary permissions. Example:

Separation of Environments
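One way to keep environments apart when the tools themselves only read the canonical variable names: register each environment's secrets under a prefixed name and map a single environment onto the canonical names on demand. The script below is an added example, not Maestro code; the AWS_DEV_* / AWS_PROD_* naming (following the page's AWS_PROD / AWS_DEV advice), the CONFIRM_PROD opt-in and the function names are assumptions of this example.

```shell
#!/bin/sh
# Added example, not Maestro's own code. Assumes per-environment secrets were
# registered with a prefix, e.g. AWS_DEV_ACCESS_KEY_ID / AWS_PROD_ACCESS_KEY_ID
# (an assumed naming scheme), and maps exactly one environment onto the
# canonical AWS_* names that the AWS CLI and SDKs read.

# use_aws_env dev|staging|prod -> exports AWS_ACCESS_KEY_ID / AWS_SECRET_ACCESS_KEY
# for that environment only. PROD additionally requires CONFIRM_PROD=1 so that a
# command pasted from a dev runbook cannot silently run against production.
use_aws_env() {
    env_name=$(printf '%s' "$1" | tr '[:lower:]' '[:upper:]')
    case "$env_name" in
        DEV|STAGING|PROD) ;;
        *) printf 'unknown environment: %s\n' "$1" >&2; return 2 ;;
    esac
    if [ "$env_name" = PROD ] && [ "${CONFIRM_PROD:-0}" != 1 ]; then
        printf 'refusing to map PROD credentials without CONFIRM_PROD=1\n' >&2
        return 1
    fi
    # Validate both halves before exporting either, so a failure never leaves a
    # half-mapped environment behind.
    for suffix in ACCESS_KEY_ID SECRET_ACCESS_KEY; do
        eval "val=\${AWS_${env_name}_${suffix}:-}"
        if [ -z "$val" ]; then
            printf 'AWS_%s_%s is not activated in this session\n' "$env_name" "$suffix" >&2
            return 1
        fi
    done
    # env_name is restricted to the fixed set above, so the eval is safe.
    for suffix in ACCESS_KEY_ID SECRET_ACCESS_KEY; do
        eval "export AWS_${suffix}=\"\${AWS_${env_name}_${suffix}}\""
    done
    export AWS_ENV="$env_name"
    return 0
}

# clear_aws_env -> drop the canonical names again when the task is done, so a
# later command in the same shell does not inherit them by accident.
clear_aws_env() {
    unset AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_ENV
}
```

Source the file, activate the prefixed secrets for the session, then `use_aws_env dev` before the deploy and `clear_aws_env` afterwards; only `CONFIRM_PROD=1 use_aws_env prod` ever maps production credentials.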
Separate secrets per environment:

Audit and Monitoring
Track credential usage:
- Secret Manager shows last used timestamp
- Review which sessions used secrets
- Detect unusual usage patterns
Troubleshooting
Secret Not Working
Check:
- Is the credential registered in Secret Manager?
- Did you activate it for this session (/secrets)?
- Is the credential value correct?
- Are scopes sufficient?
- Is the credential expired?
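The first three checks above, together with the environment injection described under Using Activated Secrets, can be scripted so a task fails closed instead of half-running with a missing credential. The following is an added example in POSIX sh, not Maestro's own tooling; it assumes that activating a secret exposes it as an environment variable of its registered name (as the AWS_* names on this page suggest), and `require_secrets`, `secret_fingerprint` and `with_aws` are illustrative helper names.

```shell
#!/bin/sh
# Added example, not Maestro's own code: fail-closed checks for secrets that
# were activated into the sandbox environment. Assumes activation exposes each
# secret as an environment variable of the same name (the page's AWS_* names).

# require_secrets NAME... -> 0 if every named variable is set and non-empty.
# Missing names go to stderr; values are never printed.
require_secrets() {
    missing=""
    for name in "$@"; do
        # Only accept shell identifier names before handing them to eval.
        case "$name" in
            ""|[0-9]*|*[!A-Za-z0-9_]*)
                printf 'invalid variable name: %s\n' "$name" >&2; return 2 ;;
        esac
        eval "value=\${$name:-}"
        [ -n "$value" ] || missing="$missing $name"
    done
    if [ -n "$missing" ]; then
        printf 'missing secrets, activate them with /secrets first:%s\n' "$missing" >&2
        return 1
    fi
    return 0
}

# secret_fingerprint NAME -> "NAME: len=<n> sha256=<first 8 hex chars>".
# Enough to confirm two sessions hold the same credential, or to spot a value
# pasted with a stray newline, without ever logging the secret itself.
secret_fingerprint() {
    require_secrets "$1" || return 1
    eval "value=\${$1}"
    if command -v sha256sum >/dev/null 2>&1; then
        digest=$(printf '%s' "$value" | sha256sum | cut -c1-8)
    else
        digest=$(printf '%s' "$value" | shasum -a 256 | cut -c1-8)  # macOS
    fi
    printf '%s: len=%s sha256=%s\n' "$1" "${#value}" "$digest"
}

# with_aws CMD ARGS... -> run CMD only after the AWS credentials are present.
# The tool reads the variables from its environment; nothing is passed on the
# command line, where it would show up in `ps` output and shell history.
with_aws() {
    require_secrets AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY || return 1
    "$@"
}
```

Typical use in a sandbox terminal: `with_aws aws sts get-caller-identity` as the first step of a deploy script, and `secret_fingerprint AWS_SECRET_ACCESS_KEY` when a colleague's session behaves differently and you need to compare values without pasting them into a chat.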
OAuth Token Expired
Symptoms:
- API calls fail with 401
- “Token expired” errors

Solution:
- Secret Manager → Refresh OAuth token
- Or re-authorize via OAuth flow

A refresh can only succeed while the refresh token itself is still valid; if you revoked Maestro's access in the provider's settings, re-authorization is the only fix.
Permission Denied
Cause: Insufficient OAuth scopes or IAM permissions

Solution:
- For OAuth: Re-authorize with the additional scopes the task needs, and no more
- For cloud IAM: Grant additional permissions in the cloud console
- For PATs: Generate a new token with the required scopes
Secret Accidentally Committed
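Finding out whether a credential made it into a file is the first step, and it is worth automating as a pre-commit hook so that the "Don't commit secrets to files" rule above is enforced rather than remembered. The script below is an added example, not part of Maestro; the regexes are public token formats (AWS access key IDs, GitHub token prefixes, PEM private-key headers) plus a generic env-file assignment, and the fixture is constructed from AWS's documented example keys, not real credentials.

```shell
#!/bin/sh
# Added example, not Maestro's own code: a pre-commit style scan for files that
# may contain a credential. Patterns are public token formats plus an
# env-file style assignment; the fixture uses AWS documentation example keys.

# One "label;regex" per line. Regexes contain no ';' so the split is safe.
secret_patterns() {
    cat <<'EOF'
AWS access key ID;(AKIA|ASIA)[0-9A-Z]{16}
GitHub token;gh[pousr]_[A-Za-z0-9]{36}
Private key block;-----BEGIN ([A-Z]+ )?PRIVATE KEY-----
Env-style credential assignment;(SECRET|TOKEN|PASSWORD|API_KEY)[A-Z0-9_]*=['"]?[^'"[:space:]]{12,}
EOF
}

# find_secrets FILE -> one "FILE:LINE: label" per hit on stdout.
# Only line numbers and labels are reported; the matching text itself is never
# echoed, so the scanner's own output cannot become the next leak.
find_secrets() {
    f="$1"
    secret_patterns | while IFS=';' read -r label regex; do
        LC_ALL=C grep -nE -e "$regex" -- "$f" 2>/dev/null | cut -d: -f1 |
        while read -r n; do
            printf '%s:%s: %s\n' "$f" "$n" "$label"
        done
    done
}

# scan_file FILE -> 0 if clean, 1 if anything matched (report goes to stderr),
# which is the exit-code contract a git pre-commit hook needs.
scan_file() {
    report=$(find_secrets "$1")
    [ -z "$report" ] && return 0
    printf '%s\n' "$report" >&2
    return 1
}

# make_fixture -> path to a constructed .env-style file holding AWS's documented
# example credentials (not real keys), used by the demo and the tests.
make_fixture() {
    tmp=$(mktemp)
    cat >"$tmp" <<'EOF'
# constructed fixture, values are AWS documentation examples
AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
DEBUG=true
EOF
    printf '%s\n' "$tmp"
}

demo_scan() {
    fixture=$(make_fixture)
    if scan_file "$fixture"; then
        echo "clean"
    else
        echo "blocked: credential-like content found; rotate it before anything else"
    fi
    rm -f "$fixture"
}

# Run the demo only when executed directly, not when sourced for its functions.
case "$0" in *scan_secrets*) demo_scan ;; esac
```

Wire `scan_file` into `.git/hooks/pre-commit` over the staged files and the commit is refused before the secret reaches history. Whatever the scanner finds after the fact, treat the credential as compromised: rotate or revoke it at the provider first, because rewriting git history does not recall copies that were already pushed, cloned or cached.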
If a credential leaked to a file:

Integration Patterns
AWS Deployment Example
Database Migration Example
Third-Party API Integration
Advanced OAuth Patterns
Multiple GitHub Accounts
OAuth Secret Sharing
Within an organization:
- Service accounts for shared resources
- Team-wide OAuth applications
- Centralized credential management
Next Steps
Secure integration mastered:
- Troubleshooting: Common issues and solutions
- FAQ: Frequently asked questions
- Best Practices: Production-ready patterns
- Billing: Understanding costs and plans

