Lesson 3 of 7 / HQ fundamentals
Store and Share API Keys with HQ Secrets
Submit a provider credential through HQ's secure form, choose who may use it, and verify access without putting the raw value in chat or documentation.
Begin lesson- Complete in
- About 5 minutes
- Written path
- 8 steps
You will store a credential in the Vault, grant access through a group, and verify that teammates can use the grant without seeing the raw value in chat.
Recorded walkthrough
Watch the complete path.
Follow the recording once, then use the written steps below as the durable checklist. English captions are available from the player controls.
This walkthrough uses demo data and shows the complete recorded workflow. Use the written steps below as your durable checklist while you follow along.
Before You Begin
HQ is signed in to a cloud-backed company.
You are allowed to store the credential and manage its intended audience.
The provider credential is ready to paste into the secure submission form.
Step-by-step walkthrough
- Step 1
Request secure credential storage
Tell HQ which provider credential the team needs, but do not paste its value into the conversation.
PromptSend in your AI sessionI want to upload a [provider] API key for my team to use with HQ Secrets.Expected resultHQ explains the secure flow and creates a one-use submission form.
- Step 2
Submit the value in the secure form
Open the form HQ provides, paste the credential there, and submit it. Do not copy the form address into notes or chat.
NavigationOpen this destinationOpen the secure form, paste the credential, and submitExpected resultThe credential is sent to the Vault without being echoed into the AI conversation.
- Step 3
Validate receipt
Ask HQ to confirm that the secure submission arrived before you configure access.
PromptSend in your AI sessionPlease validate you have received it.Expected resultHQ confirms the item is safely stored and offers company-wide, group, or private access choices.
- Step 4
Choose the intended audience
Pick the smallest appropriate audience. The recording creates a Sales group; use a group name that matches your own team structure.
PromptSend in your AI sessionCreate a new group called [group] and share it with [group].Expected resultHQ creates the selected group and grants it read access to the stored credential.
- Step 5
Confirm the Vault record
Refresh the Secrets area in HQ Console and confirm that the record exists without opening, revealing, or capturing its value.
NavigationOpen this destinationOpen HQ Console and refresh the Secrets areaExpected resultThe provider credential appears as a Vault record while its value remains hidden.
- Step 6
Understand access scopes
Review the three access patterns: keep an item private, assign it to a group, or share it directly with a person.
Expected resultYou can explain who will be allowed to use each stored item before granting access.
- Step 7
Reuse the group for related resources
Apply the same access group to the credential and, when appropriate, to knowledge that group needs for its work.
PromptSend in your AI sessionPlease share that API key with that group.Please share our [team] knowledge with that group.Expected resultThe credential and approved related resources use one consistent access group.
- Step 8
Verify the final grant
Read HQ's final confirmation and check that it names the intended group and read access without reproducing the raw credential.
Expected resultThe group exists, the access grant is confirmed, and a future authorized teammate can use the credential without receiving its value in chat.
Observable finish line
You are done when this is true.
HQ confirms the credential is in the Vault, the intended group exists, read access is granted, and the raw value never appears in the conversation or tutorial.