Secrets
Secrets let you securely store sensitive values (API keys, tokens) locally and pass them to your sessions as environment variables.
How It Works
- You add secrets locally with `catty secrets add`
- Secrets are encrypted and stored at `~/.catty/secrets.json`
- When you run `catty new`, secrets are decrypted and sent to the API over HTTPS
- Your session receives them as environment variables
- Secrets are never stored on Catty servers
Quick Start
```bash
# Add a secret
catty secrets add MY_API_KEY
# → Enter value for MY_API_KEY: ••••••••

# List secrets (shows names only)
catty secrets list

# Start a session - secrets are automatically passed
catty new
```
Using Secrets in Sessions
Secrets appear as environment variables:
```bash
# In session
echo $MY_API_KEY
```
Claude can access them in code:
```python
import os
api_key = os.environ.get('MY_API_KEY')
```
Encryption
Secrets are encrypted using:
| Aspect | Implementation |
|---|---|
| Algorithm | AES-256-GCM (authenticated encryption) |
| Key derivation | scrypt from machine-specific data |
| Per-secret IV | Each secret has a unique initialization vector |
Machine Binding
The encryption key is derived from your hostname and home directory. This means:
- Secrets can only be decrypted on the machine they were created on
- Copying `secrets.json` to another machine won't work
- If you change hostname or reinstall your OS, you'll need to re-add secrets
Storage
| Aspect | Value |
|---|---|
| Location | ~/.catty/secrets.json |
| Permissions | 0600 (owner read/write only) |
| Format | v1:<iv>:<authTag>:<ciphertext> |
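The Encryption, Machine Binding and Storage sections above can be illustrated with a short round trip. This is an added example, not Catty's own code: the salt, the scrypt parameters, hex encoding and the way hostname and home directory are combined are assumptions, and the machine names and secret value are constructed.

```javascript
// Added illustration, not Catty's source. Assumptions: salt, scrypt parameters,
// hex encoding, and how hostname and home directory are joined into one input.
const nodeCrypto = require('node:crypto');

const SALT = 'example-salt'; // assumption: the real salt is not documented

// Derive a 32-byte AES-256 key from machine-specific data with scrypt.
function deriveKey(machine) {
  return nodeCrypto.scryptSync(`${machine.hostname}:${machine.home}`, SALT, 32);
}

// Encrypt one value into the documented layout v1:<iv>:<authTag>:<ciphertext>.
function encryptSecret(value, machine) {
  const iv = nodeCrypto.randomBytes(12); // fresh IV per secret
  const cipher = nodeCrypto.createCipheriv('aes-256-gcm', deriveKey(machine), iv);
  const ct = Buffer.concat([cipher.update(value, 'utf8'), cipher.final()]);
  const hex = [iv, cipher.getAuthTag(), ct].map((b) => b.toString('hex'));
  return ['v1', ...hex].join(':');
}

// Decrypt a record; returns null when the key is wrong or the data was altered.
function decryptSecret(record, machine) {
  const parts = record.split(':');
  if (parts.length !== 4 || parts[0] !== 'v1') return null;
  const [iv, tag, ct] = parts.slice(1).map((h) => Buffer.from(h, 'hex'));
  if (iv.length !== 12 || tag.length !== 16) return null;
  try {
    const d = nodeCrypto.createDecipheriv('aes-256-gcm', deriveKey(machine), iv);
    d.setAuthTag(tag);
    return Buffer.concat([d.update(ct), d.final()]).toString('utf8');
  } catch {
    return null; // GCM tag check failed
  }
}

// Flip the last hex digit of the ciphertext to simulate on-disk modification.
function tamper(record) {
  return record.slice(0, -1) + (record.endsWith('0') ? '1' : '0');
}

// Constructed sample machines and value.
const laptop = { hostname: 'laptop-a', home: '/home/alice' };
const other = { hostname: 'laptop-b', home: '/home/alice' };
const record = encryptSecret('constructed-value-123', laptop);
console.log(decryptSecret(record, laptop));
console.log(decryptSecret(record, other));
console.log(decryptSecret(tamper(record), laptop));
```

A record only decrypts under the key derived from the original hostname and home directory, and any change to the stored bytes fails the GCM tag check. Hostname and home directory are not secret values, so the 0600 permissions on `~/.catty/secrets.json` still matter.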
Blocked Names
These names are reserved and cannot be used:
- System: `PATH`, `HOME`, `USER`, `SHELL`, `PWD`
- Catty internal: `CONNECT_TOKEN`, `CATTY_CMD`, `SESSION_LABEL`
- Cloud credentials: `R2_*`, `AWS_*`, `FLY_*`
Skipping Secrets
Start a session without passing secrets:
```bash
catty new --no-secrets
```
Best Practices
See Also
- GitHub Integration - Special setup for GitHub tokens
- catty secrets - CLI command reference
- catty new - Start session with secrets