Secrets

Encrypted, per-account secrets for power-user flows — typically not needed for the Guardian.

The Secrets vault is an encrypted, per-account key-value store used for power-user flows. Most Guardian users never touch it.

When you'd use Secrets

  • You're using Ava beyond the standard Guardian (custom integrations, the SDK).
  • You need to pass an API key or webhook URL to an action without putting it in chat.
  • You're building on top of the Ava SDK and need somewhere to store credentials.

Secrets is not required for the Liquidation Guard, Earn, and Overwatch flows.

Safety properties

  • Encrypted at rest. Stored encrypted; the plaintext is reconstructed only when needed for an authorized call.
  • Per-account scope. Each account's secrets are isolated; no cross-account access.
  • No on-chain leakage. Secrets are never written to chain or transmitted to any third party Ava doesn't strictly need.
  • Per-secret access control. Each secret can be scoped to specific workflows / functions.

What not to put in Secrets

  • Your seed phrase or private key. Ava never needs these. Anyone who asks is impersonating us.
  • Recovery codes for your wallet. Same.
  • Authorization tokens for custodial exchanges or banking unless you're sure the integration that consumes them is appropriate. Ava is non-custodial — most flows shouldn't need a CEX key.

Power-user reference

If you're building on the SDK, the SecretsResource in ava-sdk-js exposes three methods: list(), put() (upsert by name), and delete(). Secrets are write-only: you can enumerate names via list() and overwrite or delete them, but the plaintext value is never read back through the SDK. See SDK Reference → SecretsResource. Programmatic access is gated by the same authentication as everything else; see Developers → Authentication.
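
A toy in-memory model of the safety properties and write-only behaviour described above, added here as an illustration; it is not ava-sdk-js and not Ava's implementation. The ToyVault class, the useIn method, the method signatures, the choice of AES-256-GCM, and the sample account, secret and workflow names are all assumptions.

```javascript
// Toy model: hypothetical, not ava-sdk-js and not Ava's backend.
const crypto = require('node:crypto');

class ToyVault {
  constructor() {
    this.key = crypto.randomBytes(32); // stand-in for a key held in a KMS
    this.accounts = new Map();         // account -> Map(name -> encrypted row)
  }
  bucket(account) {
    if (!this.accounts.has(account)) this.accounts.set(account, new Map());
    return this.accounts.get(account);
  }
  // Upsert by name. Only ciphertext is stored; AAD binds it to account and name.
  put(account, name, value, workflows = []) {
    const iv = crypto.randomBytes(12);
    const c = crypto.createCipheriv('aes-256-gcm', this.key, iv);
    c.setAAD(Buffer.from(JSON.stringify([account, name])));
    const ct = Buffer.concat([c.update(value, 'utf8'), c.final()]);
    this.bucket(account).set(name, { iv, ct, tag: c.getAuthTag(), workflows: new Set(workflows) });
  }
  // Names only, for the calling account only. There is no get().
  list(account) { return [...this.bucket(account).keys()].sort(); }
  delete(account, name) { return this.bucket(account).delete(name); }
  // Server-side use: decrypt just long enough to run one authorized call.
  useIn(account, name, workflow, fn) {
    const row = this.bucket(account).get(name);
    if (!row) throw new Error('no such secret for this account');
    if (!row.workflows.has(workflow)) throw new Error('workflow not authorized');
    const d = crypto.createDecipheriv('aes-256-gcm', this.key, row.iv);
    d.setAAD(Buffer.from(JSON.stringify([account, name])));
    d.setAuthTag(row.tag);
    return fn(Buffer.concat([d.update(row.ct), d.final()]).toString('utf8'));
  }
}

// Constructed sample data.
const vault = new ToyVault();
vault.put('acct-1', 'WEBHOOK_URL', 'https://hooks.example.invalid/constructed', ['notify']);
console.log(vault.list('acct-1'));
console.log(vault.useIn('acct-1', 'WEBHOOK_URL', 'notify', url => url.startsWith('https://')));
```

In this model the caller-facing surface is put, list and delete; useIn stands for the service consuming a secret inside an authorized workflow and returns only the result of the call, not the plaintext.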