Skip to lesson

Lesson 3 of 7 / HQ fundamentals

Store and Share API Keys with HQ Secrets

Submit a provider credential through HQ's secure form, choose who may use it, and verify access without putting the raw value in chat or documentation.

Begin lesson
Complete in
About 5 minutes
Written path
8 steps
Outcome

You will store a credential in the Vault, grant access through a group, and verify that teammates can use the grant without seeing the raw value in chat.

Recorded walkthrough

Watch the complete path.

Follow the recording once, then use the written steps below as the durable checklist. English captions are available from the player controls.

HQ / Tutorial recording

This walkthrough uses demo data and shows the complete recorded workflow. Use the written steps below as your durable checklist while you follow along.

Before You Begin

  1. HQ is signed in to a cloud-backed company.

  2. You are allowed to store the credential and manage its intended audience.

  3. The provider credential is ready to paste into the secure submission form.

Step-by-step walkthrough

  1. Step 1

    Request secure credential storage

    Tell HQ which provider credential the team needs, but do not paste its value into the conversation.

    PromptSend in your AI session
     I want to upload a [provider] API key for my team to use with HQ Secrets.
    
    Expected result

    HQ explains the secure flow and creates a one-use submission form.

  2. Step 2

    Submit the value in the secure form

    Open the form HQ provides, paste the credential there, and submit it. Do not copy the form address into notes or chat.

    NavigationOpen this destination
     Open the secure form, paste the credential, and submit
    
    Expected result

    The credential is sent to the Vault without being echoed into the AI conversation.

  3. Step 3

    Validate receipt

    Ask HQ to confirm that the secure submission arrived before you configure access.

    PromptSend in your AI session
     Please validate you have received it.
    
    Expected result

    HQ confirms the item is safely stored and offers company-wide, group, or private access choices.

  4. Step 4

    Choose the intended audience

    Pick the smallest appropriate audience. The recording creates a Sales group; use a group name that matches your own team structure.

    PromptSend in your AI session
     Create a new group called [group] and share it with [group].
    
    Expected result

    HQ creates the selected group and grants it read access to the stored credential.

  5. Step 5

    Confirm the Vault record

    Refresh the Secrets area in HQ Console and confirm that the record exists without opening, revealing, or capturing its value.

    NavigationOpen this destination
     Open HQ Console and refresh the Secrets area
    
    Expected result

    The provider credential appears as a Vault record while its value remains hidden.

  6. Step 6

    Understand access scopes

    Review the three access patterns: keep an item private, assign it to a group, or share it directly with a person.

    Expected result

    You can explain who will be allowed to use each stored item before granting access.

  7. Step 7

    Reuse the group for related resources

    Apply the same access group to the credential and, when appropriate, to knowledge that group needs for its work.

    PromptSend in your AI session
     Please share that API key with that group.
     Please share our [team] knowledge with that group.
    
    Expected result

    The credential and approved related resources use one consistent access group.

  8. Step 8

    Verify the final grant

    Read HQ's final confirmation and check that it names the intended group and read access without reproducing the raw credential.

    Expected result

    The group exists, the access grant is confirmed, and a future authorized teammate can use the credential without receiving its value in chat.

Observable finish line

You are done when this is true.

HQ confirms the credential is in the Vault, the intended group exists, read access is granted, and the raw value never appears in the conversation or tutorial.