Guide 08

Protect secrets when working with coding agents

Secrets are values that grant access to systems or data. They should not be pasted into chat, committed to Git, or published in documentation.

Do not share

  • Environment files containing production values.
  • API keys, tokens, database passwords, and private keys.
  • Raw customer data, export files, invoices, or backups.
  • Auth headers, session cookies, and one-time codes.

How the agent can verify safely

The agent can often check that a value exists or that two configurations match without printing the value. Ask it to report "exists", "missing", or "matches", not the secret itself.

Publishing rule: public articles should never include real secrets, internal secret names, or historical examples that reveal how an environment is configured.

Good habits

  • Use placeholders in prompts and documentation.
  • Keep production configuration on the server or in a safe secret manager.
  • Add environment files and backup artifacts to ignore rules.
  • Rotate secrets if they were shared by accident.

Safe prompts for secret handling

  • "Check whether the required environment variables exist, but do not print their values."
  • "Tell me which secrets are missing using only variable names, not values."
  • "Verify that local secret files are ignored by Git."
  • "Before committing, scan the diff for accidentally included credentials or customer data."
  • "If you need a secret, tell me where I should enter it securely instead of pasting it into chat."