Skip to main content

Documentation Index

Fetch the complete documentation index at: https://docs.murmur.dev/llms.txt

Use this file to discover all available pages before exploring further.

A user-secret is a catalog resource that holds one encrypted value scoped to a single developer. Unlike a tenant-wide secret, a user-secret is bound to the developer who created it — only agents that developer spawns receive it. User-secrets are created automatically by murmur setup when you onboard your credentials. You can also create and update them manually with murmur set.

Fields

NameTypeRequiredDescription
namestringyesSecret name. Must be non-empty. Names created by murmur setup follow the convention {provider}/{username}/{SECRET_NAME} (e.g. github_oauth/alice/GH_TOKEN).
plaintext_valuebytesyes (on write)Secret value. Write-only — cleared after encryption and never returned by read or list operations.
created_attimestampnoTimestamp of last update. Set automatically on each write.
descriptionstringnoHuman-readable description.
The plaintext_value field is write-only. When you read a user-secret back with murmur get, the response contains name, created_at, and description — never the encrypted value.

Name convention

The default authorization rules grant each developer read, create, edit, and list access to user-secrets matching the pattern {provider}/{username}/*. The murmur setup command follows this convention automatically, producing names like:
Well-known secretStored name
GitHub tokengithub_oauth/alice/GH_TOKEN
Anthropic API keygithub_oauth/alice/ANTHROPIC_API_KEY
Signing keygithub_oauth/alice/SIGNING_KEY
Claude OAuth tokengithub_oauth/alice/CLAUDE_TOKEN
Claude refresh tokengithub_oauth/alice/CLAUDE_REFRESH_TOKEN
OpenAI API keygithub_oauth/alice/OPENAI_API_KEY
When creating user-secrets manually, use the same {provider}/{username}/{NAME} convention so the authorization pattern matches.

Examples

Setting a user-secret via murmur setup

murmur setup creates user-secrets automatically as part of onboarding: 
murmur setup
This encrypts your GitHub token, signing key, and any configured API keys as user-secrets under your identity prefix.

Creating a user-secret manually

echo '{"name":"github_oauth/alice/CUSTOM_KEY","plaintext_value":"c2stY3VzdG9tLWtleQ=="}' \
  | murmur set user-secret github_oauth/alice/CUSTOM_KEY

Listing your user-secrets

murmur get user-secret

NAME
github_oauth/alice/GH_TOKEN
github_oauth/alice/ANTHROPIC_API_KEY
github_oauth/alice/SIGNING_KEY

Reading a single user-secret

murmur get user-secret github_oauth/alice/GH_TOKEN
The response includes name, created_at, and description. The encrypted value is stripped.

Deleting a user-secret

murmur rm user-secret github_oauth/alice/CUSTOM_KEY
Deleting a user-secret that your user record references (e.g. github_token_secret) causes agents you spawn to start without that credential. Run murmur setup again to re-create it.

How user-secrets reach agents

When you spawn an agent, the system reads your user record, resolves each referenced user-secret name, and includes the encrypted values in the agent’s launch payload. The well-known secret names map to environment variables on the agent VM:
User record fieldUser-secret nameEnvironment variable
github_token_secretgithub_oauth/alice/GH_TOKENGH_TOKEN
anthropic_api_key_secretgithub_oauth/alice/ANTHROPIC_API_KEYANTHROPIC_API_KEY
signing_key_secretgithub_oauth/alice/SIGNING_KEYSIGNING_KEY
claude_token_secretgithub_oauth/alice/CLAUDE_TOKENCLAUDE_TOKEN
claude_refresh_token_secretgithub_oauth/alice/CLAUDE_REFRESH_TOKENCLAUDE_REFRESH_TOKEN
openai_api_key_secretgithub_oauth/alice/OPENAI_API_KEYOPENAI_API_KEY

Errors

CodeMeaningWhat to do
INVALID_ARGUMENTsecret name is requiredProvide a non-empty name in the resource ref and payload.
INVALID_ARGUMENTplaintext_value is requiredThe write payload must include a plaintext_value. Pipe the value via stdin or include it in the JSON body.
INVALID_ARGUMENTref name "X" does not match payload name "Y"The name in the resource ref and the name field in the payload must match.
PERMISSION_DENIEDAuthorization check failedYour user-secret name does not match the {provider}/{username}/* pattern for your identity, or you lack the required permission.
  • Profiles and secrets — concept overview of developer profiles and secret scopes
  • secret — tenant-wide secrets shared across all developers
  • murmur set — CLI command for creating and updating catalog resources
  • murmur get — CLI command for reading catalog resources
  • murmur setup — CLI command that creates user-secrets automatically during onboarding
  • Secrets management — CLI guide for managing tenant and developer secrets
  • Encryption — how secrets are encrypted at rest and in transit
  • Permissions — default authorization bindings including the user-secrets-self grant