> ## Documentation Index
> Fetch the complete documentation index at: https://docs.meshagent.com/llms.txt
> Use this file to discover all available pages before exploring further.

# User Secrets

> Manage credentials owned by the authenticated user.

User secrets are credentials owned by the authenticated user. They are useful for personal OAuth tokens, API keys, and credentials that the user can grant to a service account for proxy use.

## CLI

Use `--subject me` or omit `--subject`:

```bash bash theme={null}
meshagent secret list --subject me
meshagent secret search --subject me --query github
meshagent secret create github-token --type opaque --value "$GITHUB_TOKEN"
meshagent secret versions secret-123 --subject me
meshagent secret add-version secret-123 --subject me --value "$ROTATED_TOKEN"
```

Direct retrieval of an `http_only` secret is denied. Use [HTTP Secret Proxy](./http_proxy) or [MCP Secret Proxy](./mcp_proxy) for proxy-only credentials.

## Proxy Grants

A user can grant a service account proxy access to one of their secrets:

```bash bash theme={null}
meshagent secret grant-proxy secret-123 \
  --project-id "$MESHAGENT_PROJECT_ID" \
  --subject agent@service.example.meshagent.dev
```

The grant allows proxy use only. It does not allow direct secret retrieval.

## OAuth Scopes

User-secret APIs require the appropriate secret OAuth scopes, such as `secrets:read`, `secrets:write`, `secrets:delete`, or `secrets:grant`.
