claude-code - 💡(How to fix) Fix [Feature Request] Secrets store for scheduled triggers (RemoteTrigger) [2 comments, 2 participants]

GitHub stats
anthropics/claude-code#51846 (fetched 2026-04-23 07:43:22)
Comments: 2 · Participants: 2 · Timeline: 7 · Reactions: 0
Timeline (top): labeled ×4, commented ×2, closed ×1

Problem

Scheduled triggers (RemoteTrigger / claude.ai/code/scheduled) have no way to securely store secrets. The only option today is embedding API keys directly in the trigger prompt as plaintext.

This means:

  • API keys, private keys, and tokens are stored in the prompt text visible to anyone with account access
  • Keys appear in trigger run history
  • No way to rotate a secret without editing every trigger prompt that uses it
  • No masking in logs or output

This is a basic capability that every CI/CD platform (GitHub Actions, Vercel, Railway, Render) has had for years.

Real-world impact

Any pipeline that integrates with external APIs (SaaS tools, databases, notification services, third-party platforms) needs to store credentials. Currently the only option is pasting them into the prompt. For keys that control financial accounts or sensitive services, this is unacceptable.

Proposed solution

Add an encrypted secrets store to cloud environments (environment_id). Triggers running in that environment can access secrets as environment variables.

API design suggestion

// When creating/updating an environment
{
  "secrets": {
    "MY_API_KEY": "encrypted-value",
    "MY_TOKEN": "encrypted-value"
  }
}

Trigger prompts reference them like:

The environment has MY_API_KEY and MY_TOKEN available as environment variables.

Or even better, use ${{secrets.MY_API_KEY}} syntax in the prompt that gets resolved server-side at runtime, never exposed in the trigger config.

Requirements

  • Secrets encrypted at rest
  • Not readable after creation (write-only, like GitHub Actions secrets)
  • Masked in trigger run logs
  • Accessible as environment variables inside the trigger's container
  • Manageable via API and UI (claude.ai/code/scheduled)
  • Scoped per environment, not per trigger (so multiple triggers can share secrets)

Current workaround

Embedding keys directly in the trigger prompt text. Works but is the equivalent of checking secrets into source code.

extent analysis

TL;DR

Implement an encrypted secrets store for cloud environments, allowing triggers to access secrets as environment variables, to securely store and manage API keys and tokens.

Guidance

  • To address the security concern, consider designing an API to store secrets encrypted at rest, with write-only access, similar to GitHub Actions secrets.
  • Triggers should be able to reference secrets using a syntax like ${{secrets.MY_API_KEY}} that gets resolved server-side, ensuring secrets are never exposed in the trigger config.
  • Secrets should be scoped per environment, not per trigger, to enable multiple triggers to share secrets.
  • To verify the effectiveness of the solution, test the encrypted secrets store by creating an environment with secrets, running a trigger that references those secrets, and checking that the secrets are not visible in the trigger run logs.
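
The check described in the last item, as an added sketch that is not code from the issue or from the claude-code project. `SecretStore`, `prepare_run` and `mask` are hypothetical names, the store is an in-memory stand-in for an encrypted one, and rewriting `${{secrets.NAME}}` to an environment-variable reference (rather than to the value) is an assumption about how server-side resolution would keep secrets out of the prompt.

```python
import re

# Placeholder grammar taken from the issue text: ${{secrets.NAME}}
PLACEHOLDER = re.compile(r"\$\{\{\s*secrets\.([A-Z_][A-Z0-9_]*)\s*\}\}")


class SecretStore:
    """Write-only, per-environment store (in-memory stand-in, no encryption)."""

    def __init__(self):
        self._by_env = {}

    def put(self, env_id, name, value):
        self._by_env.setdefault(env_id, {})[name] = value

    def names(self, env_id):
        # Only names can be listed back; there is no public read of values.
        return sorted(self._by_env.get(env_id, {}))

    def _values(self, env_id):
        # Internal: used by the runner when it builds the container environment.
        return dict(self._by_env.get(env_id, {}))


def prepare_run(store, env_id, prompt):
    """Return (runtime_prompt, container_env) for one trigger run."""
    values = store._values(env_id)
    missing = set(PLACEHOLDER.findall(prompt)) - set(values)
    if missing:
        # Fail closed instead of running with an unresolved placeholder.
        raise KeyError(f"undefined secrets: {sorted(missing)}")
    # The prompt only ever names the variable; the value travels in the env.
    runtime_prompt = PLACEHOLDER.sub(lambda m: f"${m.group(1)}", prompt)
    return runtime_prompt, values


def mask(text, env):
    """Redact secret values from a log line, longest value first."""
    for value in sorted(env.values(), key=len, reverse=True):
        if value:
            text = text.replace(value, "***")
    return text
```
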

Example

// Example environment creation with secrets
{
  "secrets": {
    "MY_API_KEY": "encrypted-value",
    "MY_TOKEN": "encrypted-value"
  }
}

Trigger prompt example:

Use ${{secrets.MY_API_KEY}} to authenticate with the API.

Notes

The proposed solution requires careful consideration of encryption, access control, and logging to ensure the secrets are properly secured.

Recommendation

Apply a workaround by implementing an encrypted secrets store, as the current method of embedding keys directly in the trigger prompt text is insecure and equivalent to checking secrets into source code. This will provide a more secure way to store and manage API keys and tokens.
