Per user secrets
Store values visible only to the user key that owns them.
Per-user secrets are Vault entries written while authenticated with a user key. They are visible to that user key and scoped to the environments that key can access.
Use per-user secrets for values that should not become shared project secrets, such as personal API tokens, developer-only credentials, or local overrides.
How they differ from project secrets
| Secret type | Written by | Visible to |
|---|---|---|
| Project secret | Password-authenticated session | Password sessions and user keys scoped to the environment. |
| Per-user secret | User-key-authenticated session | The same user key for the scoped environment. |
Per-user secrets are stored encrypted in the Vault file. They do not require adding a shared project secret.
API method
fatima api '{"method":"vault.setUserSecret","params":{"key":"fatima_user_...","options":{"cwd":"."},"environment":"development","secretKey":"PERSONAL_TOKEN","value":"user-only-token"}}'
The method requires user-key authentication. Password-authenticated sessions cannot write per-user secrets.