User secrets are credentials owned by the authenticated user. They are useful for personal OAuth tokens, API keys, and credentials that the user can grant to a service account for proxy use.

CLI

Use --subject me or omit --subject:
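```bash
# List and search your own secrets
meshagent secret list --subject me
meshagent secret search --subject me --query github
# Create an opaque secret (--subject omitted); the value is read from an
# environment variable, so the literal token stays out of shell history
meshagent secret create github-token --type opaque --value "$GITHUB_TOKEN"
# List the versions of a secret, then add a new version with a rotated value
meshagent secret versions secret-123 --subject me
meshagent secret add-version secret-123 --subject me --value "$ROTATED_TOKEN"
```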
Direct retrieval of an http_only secret is denied. Use HTTP Secret Proxy or MCP Secret Proxy for proxy-only credentials.

Proxy Grants

A user can grant a service account proxy access to one of their secrets:
```bash
meshagent secret grant-proxy secret-123 \
  --project-id "$MESHAGENT_PROJECT_ID" \
  --subject agent@service.example.meshagent.dev
```
The grant allows proxy use only. It does not allow direct secret retrieval.

OAuth Scopes

User-secret APIs require the appropriate secret OAuth scopes, such as secrets:read, secrets:write, secrets:delete, or secrets:grant.