How It Works
- You add secrets locally with catty secrets add
- Secrets are encrypted and stored at ~/.catty/secrets.json
- When you run catty new, secrets are decrypted and sent to the API over HTTPS
- Your session receives them as environment variables
- Secrets are never stored on Catty servers
Quick Start
Using Secrets in Sessions
Secrets appear as environment variables:
Encryption
Secrets are encrypted using:
| Aspect | Implementation |
|---|---|
| Algorithm | AES-256-GCM (authenticated encryption) |
| Key derivation | scrypt from machine-specific data |
| Per-secret IV | Each secret has a unique initialization vector |
Machine Binding
The encryption key is derived from your hostname and home directory. This means:
- Secrets can only be decrypted on the machine they were created on
- Copying secrets.json to another machine won’t work
- If you change hostname or reinstall your OS, you’ll need to re-add secrets
Storage
| Aspect | Value |
|---|---|
| Location | ~/.catty/secrets.json |
| Permissions | 0600 (owner read/write only) |
| Format | v1:<iv>:<authTag>:<ciphertext> |
Blocked Names
These names are reserved and cannot be used:
- System: PATH, HOME, USER, SHELL, PWD
- Catty internal: CONNECT_TOKEN, CATTY_CMD, SESSION_LABEL
- Cloud credentials: R2_*, AWS_*, FLY_*
Skipping Secrets
Start a session without passing secrets:
Best Practices
Use minimal permissions
When creating API tokens, only grant the permissions your workflow needs.
Rotate tokens periodically
Update your secrets regularly with catty secrets remove and catty secrets add.
Don't share secrets.json
See Also
- GitHub Integration - Special setup for GitHub tokens
- catty secrets - CLI command reference
- catty new - Start session with secrets
