Skip to main content
Secrets let you centralize reusable credentials for the current account instead of repeating raw values across supported configurations. Access: Go to Settings → Developers → Secrets.

Where Secrets Are Used

The current product uses saved secrets in multiple places, including:
  • Cal.com integration credentials
  • SIP trunk authentication passwords
  • MCP server headers and query parameters
  • custom API actions and other agent-side authenticated calls
That makes the Secrets page the safest place to rotate shared credentials without hunting through each feature manually.

Create a Secret

1

Open Secrets

Navigate to Settings → Developers → Secrets.
2

Create a new secret

Click New Secret.
3

Set the name and value

Enter a clear name and paste the secret value.
4

Choose whether it starts enabled

Leave Enabled on for active use, or turn it off if you want to save the value before rollout.
5

Save

Submit the form to add the secret to the inventory.
Use names that identify provider, purpose, and environment, such as calcom-prod-api-key or crm-staging-webhook-token.

Inventory and Statuses

The inventory table shows:
  • Name
  • Status
  • Usage count
  • Last used
Current statuses:
StatusMeaning
ActiveThe secret is enabled and ready for supported references
DisabledThe secret stays stored but should not be used for active workflows
MissingA referenced secret value is unavailable and needs attention
If a secret has no active references, the expanded row shows No active references yet.

Edit, Disable, and Rotate

  • Edit a secret to rename it or replace the stored value.
  • When you edit an existing secret, you can leave the value blank to keep the current value.
  • Disable a secret when you want to pause new usage without deleting the record.
  • Review usage references before rotation so you know which downstream flows are affected.

Delete Behavior

You can delete a secret only when it is not in use. If a secret still has active references, the platform blocks deletion until you remove or update those references.

Best Practices

Keep production, staging, and sandbox credentials separate so you can rotate or disable them independently.
Prefer stable, descriptive names over generic labels like API key or token.
Replace values immediately after a suspected leak or when the owning system changes.
Remove stale credentials once you confirm they are no longer referenced.

Next Steps

Integrations

Connect third-party services for supported workflows

Webhooks

Configure signed event delivery to your own systems

API Keys

Manage direct programmatic access to the platform

Custom API Actions

Use external APIs from your agents