Guide 08

Protect secrets when working with coding agents

Secrets are values that grant access to systems or data: whoever holds the value holds the access. They should not be pasted into an agent's chat or prompt, committed to Git, or published in documentation. Once a value has been pasted into a chat, assume it is exposed; transcripts are often retained and are outside your control.

Do not share

  • Environment files containing production values.
  • API keys, tokens, database passwords, and private keys.
  • Raw customer data, export files, invoices, or backups (backups and database dumps frequently embed credentials as well as data).
  • Auth headers, session cookies, and one-time codes.

How the agent can verify safely

The agent can usually check that a value is set, or that two configurations agree, without ever printing the value. Ask it to report "exists", "missing", or "matches" per key, not the secret itself, and not a prefix, suffix, length, or hash of it either: fragments and digests of a secret are still secret material and narrow the search for the rest.
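The following script is an added example of this pattern for an agent to run; it is not tooling from this guide. It parses two .env-style files, reports each key as exists, empty or missing, compares the two files key by key as matches or differs, and refuses to emit its own report if any secret value would appear in it. The .env contents, the key names and every function name are constructed for the example.

```python
"""Report on secrets without ever printing them (added example, not the guide's tooling).
The .env contents below are constructed samples; the values are placeholders."""
import hmac
import re

# KEY=VALUE with an optional leading "export"; surrounding whitespace ignored.
_ASSIGN = re.compile(r"^\s*(?:export\s+)?([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.*?)\s*$")


def parse_env(text: str) -> dict[str, str]:
    """Parse .env-style text: skip blank and comment lines, ignore malformed
    lines rather than guessing, strip one pair of matching quotes."""
    env: dict[str, str] = {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        match = _ASSIGN.match(line)
        if not match:
            continue
        key, value = match.group(1), match.group(2)
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
            value = value[1:-1]
        env[key] = value
    return env


def presence_report(env: dict[str, str], keys) -> dict[str, str]:
    """Per key: 'exists', 'empty' (set to nothing) or 'missing'. No value is copied out."""
    report = {}
    for key in keys:
        if key not in env:
            report[key] = "missing"
        elif env[key] == "":
            report[key] = "empty"
        else:
            report[key] = "exists"
    return report


def match_report(left: dict[str, str], right: dict[str, str], keys=None) -> dict[str, str]:
    """Per key: 'matches', 'differs', 'missing-left', 'missing-right' or 'missing-both'.
    compare_digest keeps comparison time independent of where the values differ."""
    if keys is None:
        keys = sorted(set(left) | set(right))
    report = {}
    for key in keys:
        if key not in left and key not in right:
            report[key] = "missing-both"
        elif key not in left:
            report[key] = "missing-left"
        elif key not in right:
            report[key] = "missing-right"
        elif hmac.compare_digest(left[key].encode(), right[key].encode()):
            report[key] = "matches"
        else:
            report[key] = "differs"
    return report


def leaks_secret(output: str, *envs: dict[str, str]) -> bool:
    """Last gate before text reaches the chat: True if any non-empty value from
    the given environments appears in it. Deliberately conservative."""
    return any(v and v in output for env in envs for v in env.values())


def format_report(report: dict[str, str]) -> str:
    """One 'KEY: status' line per key, sorted so reports diff cleanly."""
    return "\n".join(f"{key}: {status}" for key, status in sorted(report.items()))


# Constructed sample files; nothing here is a real credential.
PROD_ENV = """
# production (constructed sample)
DATABASE_URL="postgres://app:sample-prod-pw@db.internal:5432/app"
API_KEY=sk_test_sample_0123456789
SESSION_SECRET=
export SMTP_PASSWORD='sample-mail-pw'
"""

STAGING_ENV = """
DATABASE_URL="postgres://app:sample-stage-pw@db.staging:5432/app"
API_KEY=sk_test_sample_0123456789
SESSION_SECRET=sample-stage-session
"""

REQUIRED_KEYS = ["API_KEY", "DATABASE_URL", "SESSION_SECRET", "SMTP_PASSWORD", "STRIPE_KEY"]


def run_checks() -> tuple[dict[str, str], dict[str, str], str]:
    """Build both reports and return them with the only text that is safe to show."""
    prod, staging = parse_env(PROD_ENV), parse_env(STAGING_ENV)
    presence = presence_report(prod, REQUIRED_KEYS)
    matches = match_report(prod, staging)
    text = "presence:\n" + format_report(presence) + "\nprod vs staging:\n" + format_report(matches)
    if leaks_secret(text, prod, staging):
        raise RuntimeError("report would reveal a secret value; refusing to print it")
    return presence, matches, text


if __name__ == "__main__":
    print(run_checks()[2])
```

The leak gate at the end is the part worth keeping even if everything else is replaced: whatever the agent assembles for display is scanned against the loaded values, and a hit aborts the output instead of trusting that earlier steps stayed clean.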

Publishing rule: public articles should never include real secrets, internal secret names, or historical examples that reveal how an environment is configured.

Good habits

  • Use placeholders such as <API_KEY> in prompts and documentation, never a real value with a few characters changed.
  • Keep production configuration on the server or in a secret manager, and inject values at runtime rather than copying them into the working tree.
  • Add environment files (.env and its variants) and backup artifacts to ignore rules; commit a placeholder-only template such as .env.example instead.
  • Rotate secrets immediately if they were shared by accident. Deleting the value from a chat or from Git history does not revoke it.