Credentials

Selu handles sensitive information — API keys, passwords, tokens — with care. All credentials are encrypted at rest and never exposed in plain text through the dashboard or logs.

How encryption works

When you save a credential in Selu (like an LLM provider API key or a BlueBubbles password), it’s immediately encrypted before being stored. Selu uses AES-256-GCM encryption (authenticated encryption), which is the same standard used by banks and governments. This means credentials are both encrypted and tamper-proof.

The encryption key is derived from your Selu instance’s master secret, which is set during initial setup via the SELU_ENCRYPTION_KEY environment variable.

Where credentials are stored

Credentials are stored in Selu’s database, never on the filesystem. The database itself should be protected too — see the Docker Setup guide for recommendations on securing your volumes.

Managing credentials

The Credentials page showing system and user credential management.

Adding credentials

Credentials can be added in several places: through the Credentials page for system-wide secrets, LLM Providers for API keys, or directly on individual agent detail pages using the new Secrets tab.

Viewing credentials

For security, saved credentials are always masked in the dashboard. You’ll see •••••••• instead of the actual value.

Updating credentials

To change a credential, simply paste the new value into the field and save. The old value is overwritten.

Deleting credentials

Remove a credential by clearing the field and saving, or by using the “Remove” button on agent detail pages.

User account management

Password changes

All users can now change their own passwords through the web interface:

Go to the Users page (accessible to all users)
Click the Change password button
Enter your current password and the new password (minimum 8 characters)
Confirm the new password and click Update password

For security, changing your password will automatically sign out all your other active sessions while keeping your current session active.

Agent access control

Administrators can control which agents individual users have access to through the Users page:

Go to Users and find the user you want to configure
Click the Edit button in the Agents column
In the modal that opens, select which agents the user can access
Click Save to apply the changes

The agent access modal where administrators select which agents a user can access.

By default, new users can access all available agents. If you want to restrict access:

All agents selected: User can access every installed agent (default behavior)
Specific agents selected: User can only access the chosen agents
No agents selected: User cannot access any agents except the default fallback

Agent-specific credentials

The easiest way to manage agent credentials is now through the Secrets tab on each agent’s detail page:

The Secrets tab on an agent detail page showing credential fields.

Go to Agents and click on any installed agent
Click the Secrets tab in the tab bar
You’ll see all credentials organized by capability
Each credential shows whether it’s Required or Optional
Enter values directly in the form fields and click Save

Credential information

Each credential declaration now includes:

Description — What the credential is for and where to get it
Scope — Whether it’s Shared (system-wide) or Personal (per-user)
Status — Whether it’s currently set or missing
Timestamp — When it was last updated (if set)

Credential scopes

System credentials (marked “Shared”) are available to all users. Admins set these once and they work for everyone.
User credentials (marked “Personal”) are private to each user. Each person enters their own API keys.

The agent developer chooses the appropriate scope when declaring credentials in their manifest.yaml.

Credential types

Selu manages the following types of credentials:

Credential	Used for	Where to manage
LLM API keys	Anthropic, OpenAI, Bedrock access keys	LLM Providers page
Channel tokens	Telegram bot token, BlueBubbles password	Pipes setup pages
Agent secrets	Per-agent credentials for third-party services	Agent detail pages → Secrets tab
System credentials	Shared secrets used by multiple agents	Credentials page
Master secret	`SELU_ENCRYPTION_KEY` — the root encryption key	Environment variable

Best practices

Use the Secrets tab — The new agent-focused interface is cleaner than the global Credentials page for agent-specific secrets.
Check descriptions — Agent developers now provide helpful descriptions explaining what each credential is for.
Use unique API keys — Create dedicated keys for Selu rather than reusing keys from other services. This makes it easy to rotate or revoke access.
Rotate regularly — Change your API keys every few months. Update them in Selu immediately after rotation.
Monitor usage — Check your provider dashboards (Anthropic, OpenAI, AWS) for unexpected usage spikes that might indicate a compromised key.
Back up your master secret — Store SELU_ENCRYPTION_KEY in a password manager or secure vault, separate from your Selu backups.
Check agent requirements — Before installing an agent, review what credentials it needs so you can prepare the necessary API keys.
Restrict agent access — Only give users access to the agents they actually need. This limits exposure if credentials are compromised.
Change passwords regularly — Use the new self-service password change feature to keep your account secure.

Password recovery

If you forget your password, an administrator can reset it securely using the command line:

# Admin resets a user's password
echo 'new-secure-password' | docker exec -i selu-orchestrator selu-orchestrator reset-password --username alice --password-stdin

This command requires administrator access to the server and will revoke all active sessions for the affected user.