Where credentials live
How encryption works
Secrets are sealed with AES-256-GCM. The encryption key is derived with PBKDF2 from a machine-specific seed, so the key never has to be typed and never leaves the device.This gives protection comparable to an OS keychain, but without interactive unlock prompts — the agent can start and reach its providers unattended, which is what makes the headless server and automations practical.
credentials.enc cannot be decrypted if copied to another computer. When you move to a new machine, re-enter your keys rather than copying the file.
What gets stored
The store holds several kinds of secrets, each scoped so that one credential can’t leak into an unrelated context:
Credentials are added automatically the first time you complete setup, connect a source, or authenticate an MCP server — you don’t manage the file directly during normal use.
Overriding with environment variables
For automation, CI, or the headless server, you can supply a provider key through the environment instead of the encrypted store. Environment values take precedence over anything on disk.Inspecting and resetting
See which credentials are stored
See which credentials are stored
The in-app
/debug command lists the credential identifiers that are present — the keys, never the secret values. Use it to confirm a provider or source actually has a stored credential.Remove a single credential
Remove a single credential
Delete or re-authenticate the connection or source it belongs to. Removing a connection clears its scoped secret.
Wipe everything
Wipe everything
Quit Synti and delete the encrypted file:On next launch Synti starts with no stored secrets and will prompt you to reconnect. Your workspaces and preferences in
config.json are unaffected.Related
LLM Connections
Connections whose keys land in the credential store.
Environment Variables
Supply keys at launch, ahead of the encrypted store.
Config File
The non-secret settings that sit next to your credentials.
API Providers
Point a connection at a custom endpoint.