Credentials & Secrets

OSC provides three credential mechanisms. Which one to use depends on what is being protected and who needs to access it.

Mechanism Use for Scope
Service Secret Credentials for a catalog service instance (CouchDB password, S3 key, etc.) One service instance
Parameter Store Environment variables for My Apps and Agent Tasks, including encrypted credentials One workspace
OSC Access Token Letting a service or agent act on your behalf within OSC Workspace-wide

Service Secrets

A Service Secret is bound to a single service instance. You enter the value once — after that it is never readable again, including through the API and AI chat. When you configure an instance parameter to use a secret, you store a reference ({{secrets.name}}) rather than the raw value.

This makes it safe to inspect running instances over AI chat or MCP: describe-service-instance returns the reference string, never the underlying value.

Creating a Service Secret

On the service page, click the Service Secret tab, then New Secret. Enter a name and the secret value, then click Create Secret. The value is stored as a Kubernetes Secret and cannot be retrieved after creation.

Referencing a secret in instance parameters

Enter {{secrets.name}} in the parameter field, or click the key button to pick from the list of secrets for that service.

When an AI agent creates an instance via MCP, sensitive parameters are automatically vaulted as Service Secrets — the raw value never appears in the tool call or conversation history.

Limitation: The reference must be the entire field value. Embedding it inside a larger string — for example redis://:{{secrets.password}}@host — is not supported. Store the full connection string as a secret instead.

Parameter Store

My Apps and Agent Tasks receive their configuration as environment variables injected at startup from a Parameter Store — a managed key-value store. Variables can be plaintext or encrypted.

Use plaintext for non-sensitive configuration (base URLs, feature flags). Use encrypted entries for credentials (API keys, passwords, connection strings).

The encryption key

When you create a parameter store with encrypted secrets enabled, an encryption key is generated. This key is required to decrypt secret values at runtime.

You do not pass this key to a My App or Agent Task directly. When you link a parameter store to a runtime, OSC automatically stores the key as a Service Secret and injects it at startup. The raw key never appears in any parameter field or MCP argument.

Getting the encryption key

Via the web console: The key is shown once in a dialog when the store is ready. Copy it before closing — it will not be shown again. If you lose it, you can regenerate it from the Stores tab, but every My App and Agent Task linked to that store will need to be updated.

Via MCP: The AI agent receives a token-protected download URL for the key. It uses that URL to supply the key when creating a My App or Agent Task. The key never passes through the LLM and never appears in any response.

For full setup instructions see User Guide: Parameter Store.

Git access to private repositories

When a My App or Agent Task pulls from a private repository, OSC needs a personal access token from GitHub, GitLab, or Gitea. Register the token once under a friendly name in My Apps → Git Credentials — from that point you reference it by name when creating the app or task. The raw token never passes through MCP or appears in conversation history. If the token expires, update it in one place and all apps and tasks using that name pick it up automatically.

OSC Access Token

An OSC Access Token is an API key that lets a service or agent act on your behalf within OSC — for example, some service instances need it to create other OSC instances on your behalf. Tokens can be created with an expiration date; the maximum lifetime is 90 days.

In the web console

When you create a service instance that requires an OSC Access Token, the console mints one automatically, stores it as a Service Secret, and inserts the {{secrets.name}} reference into the instance configuration. You do not handle the token directly.

Via MCP

When an AI agent creates a service instance that requires an OSC Access Token, the agent is instructed to:

  1. Call create-personal-access-token to mint a token.
  2. Receive a token-protected download URL — not the token value itself.
  3. Use that URL to store the token as a Service Secret without the raw value appearing in the conversation.
  4. Reference the secret via {{secrets.name}} when creating the instance.

You can also mint tokens manually via the agent:

Create a personal access token named "my-service-token" expiring in 30 days

Tokens are listed and revoked from app.osaas.io/dashboard/profile/api in the web console, or via MCP:

List my personal access tokens
Revoke my personal access token with ID pat-abc123

AI credentials for My Agent Tasks

My Agent Tasks run agents using your own AI provider account. OSC supports two runtimes, each requiring a different credential type.

Anthropic API key

An sk-ant-... key from console.anthropic.com. Usage is billed directly to your Anthropic account at API rates (pay per token).

Use this when you do not have a Claude subscription, or when you want predictable per-token billing and full control over which model version the task runs on.

Claude OAuth token

A token obtained by connecting your Claude account via OAuth. Usage is drawn from your existing Claude Pro or Max subscription rather than billed at API rates.

Use this when you already pay for a Claude subscription and want agent task runs to count against that subscription instead of incurring separate API charges.

OpenAI API key

An sk-... key from platform.openai.com. Required for the Codex runner. Usage is billed to your OpenAI account.

Use this when you want to run tasks with OpenAI models (such as o3 or gpt-4.1), or when your workflow follows Codex CLI and AGENTS.md conventions.

Which to choose

If you… Use
Pay for a Claude Pro or Max subscription Claude OAuth token
Want API-rate billing on Anthropic models Anthropic API key
Want to use OpenAI models OpenAI API key

Credentials are configured once under My Agent Tasks and reused by all tasks and Agentic SDLC workflows. OSC charges nothing for AI tokens — you pay your provider directly.

What to prepare before you start

Creating a service instance

Service instances such as CouchDB, MariaDB, or MinIO typically require passwords and access keys as part of their configuration. Before you create the instance, create a Service Secret for each sensitive value on that service's page. When you then fill in the instance parameters, you reference the secret by name instead of typing the raw value.

Example: creating a CouchDB instance

  1. Go to the CouchDB service page and open the Service Secret tab.
  2. Create a secret named adminpwd and enter your chosen admin password.
  3. When creating the instance, enter {{secrets.adminpwd}} in the Admin Password field.

That is all you need. The password is never stored as plain text and will not appear if you or an AI agent later inspects the instance.


Creating a My App

Example: deploying a Node.js app from a private GitHub repo that connects to Stripe

Before you create the app, prepare:

  • Git credential — register your GitHub personal access token in My Apps → Git Credentials and give it a name (e.g. github-token). You will pick this by name when creating the app.
  • Parameter store — create a parameter store with encrypted secrets enabled and add STRIPE_SECRET_KEY as an encrypted entry. Note the encryption key when it is shown — you will not see it again. When you link the parameter store to the app, OSC handles the encryption key automatically.

That is it. When the app starts, STRIPE_SECRET_KEY is available as an environment variable. The Stripe key never appears in any configuration form or conversation.


Creating a My Agent Task

Example: a daily task that reviews open pull requests on a private repo and posts a Slack summary

Before you create the task, prepare:

  • AI credential — decide which runtime you want and have the key ready: an Anthropic API key or Claude OAuth token for the Claude runner, or an OpenAI API key for the Codex runner. You enter this once under My Agent Tasks and it is reused by all tasks.
  • Git credential — register a personal access token for the private repository in My Apps → Git Credentials.
  • Parameter store (optional) — if the task needs to call external services such as Slack, create a parameter store and add the Slack webhook URL as an encrypted entry. Link the store when creating the task.
  • OSC Access Token — if the task needs to create or manage OSC resources on your behalf, select Managed in the task form and OSC handles it automatically.