Secrets Management

How to handle API keys, passwords, and credentials securely.

The Rule

Never send secrets via workflow messages. Secrets live on the agent machine, configured by you.

NINA workflows only send public data (targets, hashes, domains). The agent reads secrets locally and uses them when executing tools.

How It Works

On your agent machine:

export VIRUSTOTAL_API_KEY="your_key_here"
export SHODAN_API_KEY="your_shodan_key"

In your agent code:

import os
from my_tools import VirusTotalChecker

# Read the key from the agent machine's environment; it is never part of a workflow message.
vt_key = os.environ.get('VIRUSTOTAL_API_KEY')
if vt_key:
    # Register the tool only when its credential is actually configured.
    agent.register_tool("virustotal_checker", VirusTotalChecker(api_key=vt_key))

The workflow only sends:

{
  "parameters": {
    "hash": "abc123..."
  }
}

The API key never leaves your machine.
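The pattern above, end to end, as an added example that is not NINA's own code: the agent registers tools from environment variables, a workflow message carrying only public parameters is dispatched to the registered tool, and an outbound check refuses any message that would carry a configured secret. The Agent and VirusTotalChecker classes, the environment-variable names beyond the two shown above, and the message shape are assumptions made for the example; the key value is constructed.

```python
import os
from dataclasses import dataclass, field

# Environment variables the agent treats as secrets (assumed list for this example).
SECRET_ENV_VARS = ("VIRUSTOTAL_API_KEY", "SHODAN_API_KEY")


@dataclass
class VirusTotalChecker:
    """Stand-in for a real tool: it holds the key locally and never returns it."""
    api_key: str

    def run(self, parameters):
        # A real tool would call the VirusTotal API here; the example only
        # echoes the public input and reports that a credential was available.
        return {"hash": parameters["hash"], "authenticated": bool(self.api_key)}


@dataclass
class Agent:
    """Minimal stand-in for the NINA agent's tool registry (assumed interface)."""
    tools: dict = field(default_factory=dict)

    def register_tool(self, name, tool):
        self.tools[name] = tool

    def handle(self, message):
        # Only the public 'parameters' block reaches the tool; secrets were
        # bound into the tool instance at registration time.
        tool = self.tools[message["tool"]]
        return tool.run(message["parameters"])


def load_tools_from_env(agent, environ=None):
    """Register every tool whose secret is present; return the registered names."""
    environ = os.environ if environ is None else environ
    vt_key = environ.get("VIRUSTOTAL_API_KEY")
    if vt_key:
        agent.register_tool("virustotal_checker", VirusTotalChecker(api_key=vt_key))
    return sorted(agent.tools)


def message_leaks_secret(message, environ=None):
    """Defensive pre-send check: True if any configured secret value appears
    anywhere in the message that is about to be put on the queue."""
    environ = os.environ if environ is None else environ
    flat = repr(message)
    return any(environ.get(name) and environ[name] in flat for name in SECRET_ENV_VARS)


if __name__ == "__main__":
    # Constructed environment: the key exists only on this machine.
    env = {"VIRUSTOTAL_API_KEY": "EXAMPLE-VT-KEY-NOT-REAL"}
    agent = Agent()
    print(load_tools_from_env(agent, env))
    # Constructed workflow message: public data only.
    msg = {"tool": "virustotal_checker", "parameters": {"hash": "abc123..."}}
    print(message_leaks_secret(msg, env), agent.handle(msg))
```

The leak check is a last line of defence for code that builds workflow messages on the agent side; the primary control is still that secrets are bound into tool instances at startup and never copied into message parameters.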

Integration Proxy

The IntegrationProxyTool is an exception — credentials for proxied HTTP requests are encrypted end-to-end by NINA using AES-256-GCM before they reach the message queue. The agent decrypts them locally using the encryption_key from your config.

No action needed on your part. This is handled automatically.

Best Practices

  • Environment variables for API keys (export API_KEY="secret")
  • File permissions on secret files (chmod 600 secrets.env)
  • Never log secrets (logger.info(f"key: {api_key}") — don't do this)
  • Never commit secrets to git (add secrets.env to .gitignore)
  • Rotate keys by updating the env var and restarting the agent — no workflow changes needed
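Two of the practices above in working form, as an added example that is not part of the NINA project: a logging filter that redacts configured secret values before a record is emitted (so the `logger.info(f"key: {api_key}")` mistake does not reach a log file), and a startup check that a secrets file has the `chmod 600` mode the list recommends. The variable names and the secrets file path are assumptions for the example; the key value is constructed.

```python
import logging
import os
import stat

# Environment variables whose values must never appear in logs (assumed list).
SECRET_ENV_VARS = ("VIRUSTOTAL_API_KEY", "SHODAN_API_KEY")


def configured_secrets(environ=None):
    """Return the non-empty secret values currently set in the environment."""
    environ = os.environ if environ is None else environ
    return [environ[name] for name in SECRET_ENV_VARS if environ.get(name)]


def redact(text, secrets):
    """Replace every occurrence of a known secret value with '***'."""
    for secret in secrets:
        text = text.replace(secret, "***")
    return text


class SecretRedactingFilter(logging.Filter):
    """Attach to a logger or handler; rewrites each record's message in place."""

    def __init__(self, secrets):
        super().__init__()
        self.secrets = list(secrets)

    def filter(self, record):
        record.msg = redact(record.getMessage(), self.secrets)
        record.args = ()
        return True


def secrets_file_mode_ok(path):
    """True iff the file's permission bits are exactly 0o600 (owner read/write only)."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    return mode == 0o600


if __name__ == "__main__":
    # Constructed environment with a placeholder key.
    env = {"VIRUSTOTAL_API_KEY": "EXAMPLE-VT-KEY-NOT-REAL"}
    logger = logging.getLogger("agent")
    logger.addFilter(SecretRedactingFilter(configured_secrets(env)))
    logging.basicConfig(level=logging.INFO)
    # The anti-pattern from the list: the filter turns the value into '***'.
    logger.info("key: %s", env["VIRUSTOTAL_API_KEY"])
    print(secrets_file_mode_ok("secrets.env") if os.path.exists("secrets.env") else "no secrets.env")
```

Add the filter to every logger the agent uses (or to the root logger's handlers); it is a safety net for accidental logging, not a substitute for never interpolating secrets into log messages in the first place.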

Next Steps