Manage encrypted secrets that Paperclip references in its environment configuration.

Paperclip-owned secret refs are for infra credentials and app-managed runtime secrets. They are not the same thing as third-party connected-account credentials managed through Composio. Secret refs are a host-owned control-plane resource. They are intended for values Paperclip itself must resolve at runtime, not for user-connected third-party account state.

List Secrets

GET /api/companies/{companyId}/secrets
Returns secret metadata (not decrypted values).

Create Secret

POST /api/companies/{companyId}/secrets
{
  "name": "anthropic-api-key",
  "value": "sk-ant-..."
}
The value is encrypted at rest. Only the secret ID and metadata are returned.

Update Secret

PATCH /api/secrets/{secretId}
{
  "value": "sk-ant-new-value..."
}
Creates a new version of the secret. Agents referencing "version": "latest" automatically get the new value on the next heartbeat.

Using Secrets in Agent Config

Reference secrets in agent adapter config instead of inline values:
{
  "env": {
    "ANTHROPIC_API_KEY": {
      "type": "secret_ref",
      "secretId": "{secretId}",
      "version": "latest"
    }
  }
}
The server resolves and decrypts secret references at runtime, injecting the real value into the agent process environment.
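
The following is an added example, not Paperclip's own code: a small pre-deployment check that walks an agent adapter config and reports credentials left inline, secret refs whose secretId is empty or still a template placeholder, and refs that do not use "latest". The name pattern for sensitive variables, the treatment of any non-"latest" version as a pin, and all sample names and IDs are assumptions made for illustration.

```python
import re

# Assumption: env var names matching this pattern hold credentials.
SENSITIVE_NAME = re.compile(r"KEY|TOKEN|SECRET|PASSWORD|CREDENTIAL", re.IGNORECASE)
# An unfilled template placeholder such as "{secretId}".
PLACEHOLDER = re.compile(r"^\{.*\}$")


def audit_env(config):
    """Return sorted (variable, problem) pairs for one agent adapter config."""
    findings = []
    for name, entry in config.get("env", {}).items():
        if isinstance(entry, str):
            # Plain strings are acceptable only for non-secret settings.
            if SENSITIVE_NAME.search(name):
                findings.append((name, "inline value, use a secret_ref"))
            continue
        if not isinstance(entry, dict) or entry.get("type") != "secret_ref":
            findings.append((name, "unrecognized entry"))
            continue
        secret_id = entry.get("secretId")
        if not isinstance(secret_id, str) or not secret_id or PLACEHOLDER.match(secret_id):
            findings.append((name, "secretId missing or unfilled"))
        # Assumption: any version other than "latest" is a pin that will
        # not follow a PATCH-created new version automatically.
        if entry.get("version") != "latest":
            findings.append((name, "version is not latest"))
    return sorted(findings)


# Constructed sample config; variable names and secret IDs are made up.
SAMPLE = {
    "env": {
        "ANTHROPIC_API_KEY": "sk-ant-...",
        "LOG_LEVEL": "debug",
        "DB_PASSWORD": {"type": "secret_ref", "secretId": "{secretId}", "version": "latest"},
        "STORAGE_TOKEN": {"type": "secret_ref", "secretId": "sec-example-1", "version": 3},
        "SERVICE_API_KEY": {"type": "secret_ref", "secretId": "sec-example-2", "version": "latest"},
    }
}

if __name__ == "__main__":
    for name, problem in audit_env(SAMPLE):
        print(f"{name}: {problem}")
```
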

Paperclip vs Composio Secret Boundary

Use Paperclip secret refs for:
  • infrastructure credentials
  • database credentials
  • storage credentials
  • runtime API keys owned by Paperclip
  • board/auth-related server secrets that Paperclip must read directly
Use Composio for:
  • OAuth grants to third-party providers
  • refresh tokens and provider consent state
  • connected-account lifecycle data
  • provider-specific auth metadata for agent/tool integrations
Do not store Composio-managed provider tokens or board-auth secrets in Paperclip secret refs unless the value is truly owned and rotated by Paperclip itself.

Scope Note

  • Board operators can manage secret metadata for companies they can access.
  • Agents may resolve secret refs at runtime if the agent configuration allows it.
  • Secret values are never returned in API responses after creation.