In depth
The credential vault replaces the old habit of putting API keys in env vars and referencing them with templates. Keys live encrypted in a vault; the YAML carries only a name (the ref). At session start the runtime resolves the name, decrypts the key in memory, and hot-swaps it onto the live provider client. The plaintext never enters the deployed bundle, never enters git, and never sits in a log. Sixteen first-class providers ship with catalog entries; others fall back to inline config.
Related concepts
Per-user scope: A credential resolution mode where each user brings their own key, resolved at session start.
Envelope encryption: An encryption scheme where each row has its own data key, and that data key is wrapped by a master key.
KMS: A managed service that holds master keys and performs cryptographic operations, never exposing the keys.
Audit log: A structured record of every agent turn, including tool calls, costs, and outputs, written to a sink.
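The ref-to-key resolution and the envelope encryption defined above, as an added sketch that is not Digitorn's code. The in-process KMS stand-in, the Map-based vault, the function names and the use of AES-256-GCM with the ref as associated data are all assumptions made for illustration.

```javascript
// Added example (hypothetical names throughout): a vault row holds a
// per-row data key wrapped by a master key; config carries only the ref.
const crypto = require("node:crypto");

// AES-256-GCM seal/open. The ref is bound in as associated data so a row
// copied under a different ref fails authentication.
function seal(key, plaintext, ref) {
  const iv = crypto.randomBytes(12);
  const c = crypto.createCipheriv("aes-256-gcm", key, iv);
  c.setAAD(Buffer.from(ref));
  const ct = Buffer.concat([c.update(plaintext), c.final()]);
  return { iv, ct, tag: c.getAuthTag() };
}

function open(key, box, ref) {
  const d = crypto.createDecipheriv("aes-256-gcm", key, box.iv);
  d.setAAD(Buffer.from(ref));
  d.setAuthTag(box.tag);
  return Buffer.concat([d.update(box.ct), d.final()]); // throws if tampered
}

// Stand-in for a KMS: holds the master key and exposes only wrap/unwrap.
function makeKms() {
  const master = crypto.randomBytes(32);
  return {
    wrap: (dataKey, ref) => seal(master, dataKey, ref),
    unwrap: (wrapped, ref) => open(master, wrapped, ref),
  };
}

// Store a secret: fresh data key per row, wrapped by the master key.
function putCredential(vault, kms, ref, secret) {
  const dataKey = crypto.randomBytes(32);
  const row = { wrappedKey: kms.wrap(dataKey, ref), secret: seal(dataKey, Buffer.from(secret), ref) };
  dataKey.fill(0); // the unwrapped data key is not kept around
  vault.set(ref, row);
}

// Resolve a ref at session start: unwrap the data key, decrypt in memory.
function resolveCredential(vault, kms, ref) {
  const row = vault.get(ref);
  if (!row) throw new Error(`unknown credential ref: ${ref}`);
  const dataKey = kms.unwrap(row.wrappedKey, ref);
  try {
    return open(dataKey, row.secret, ref).toString("utf8");
  } finally {
    dataKey.fill(0);
  }
}
```

Binding the ref into the authenticated data means a vault row moved or copied under another name fails to decrypt instead of silently resolving to someone else's key.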
Read the deep dive
How credentials work on Digitorn: an encrypted vault driven from YAML