Skip to content
Selu Docs

Credentials

Selu handles sensitive information — API keys, passwords, tokens — with care. All credentials are encrypted at rest and never exposed in plain text through the dashboard or logs.

How encryption works

Section titled “How encryption works”

When you save a credential in Selu (like an LLM provider API key or a BlueBubbles password), it’s immediately encrypted before being stored. Selu uses AES-256 encryption, which is the same standard used by banks and governments.

The encryption key is derived from your Selu instance’s master secret, which is set during initial setup via the SELU_SECRET_KEY environment variable.

Where credentials are stored

Section titled “Where credentials are stored”

Credentials are stored in Selu’s database, never on the filesystem. The database itself should be protected too — see the Docker Setup guide for recommendations on securing your volumes.

Managing credentials

Section titled “Managing credentials”

Adding credentials

Credentials are added through the relevant settings pages — for example, your Anthropic API key is entered under Settings → LLM Providers → Anthropic.

Viewing credentials

For security, saved credentials are always masked in the dashboard. You’ll see •••••••• instead of the actual value.

Updating credentials

To change a credential, simply paste the new value into the field and save. The old value is overwritten.

Deleting credentials

Remove a credential by clearing the field and saving, or by disconnecting the related service entirely.

Credential types

Section titled “Credential types”

Selu manages the following types of credentials:

CredentialUsed for
LLM API keysAnthropic, OpenAI, Bedrock access keys
Channel tokensTelegram bot token, BlueBubbles password
Agent secretsPer-agent credentials for third-party services
Master secretSELU_SECRET_KEY — the root encryption key

Best practices

Section titled “Best practices”
  • Use unique API keys — Create dedicated keys for Selu rather than reusing keys from other services. This makes it easy to rotate or revoke access.
  • Rotate regularly — Change your API keys every few months. Update them in Selu immediately after rotation.
  • Monitor usage — Check your provider dashboards (Anthropic, OpenAI, AWS) for unexpected usage spikes that might indicate a compromised key.
  • Back up your master secret — Store SELU_SECRET_KEY in a password manager or secure vault, separate from your Selu backups.