> ## Documentation Index
> Fetch the complete documentation index at: https://docs.synti.co/llms.txt
> Use this file to discover all available pages before exploring further.

# Credentials

> How Synti encrypts API keys and tokens on disk, where they live, and how to inspect or reset them.

Synti stores every secret — provider API keys, OAuth tokens, source credentials — in a single encrypted file on your machine. Nothing sensitive is written to the plain-text [config file](/reference/config/config-file), and secrets are only sent to the services you explicitly connect. This page explains the storage model so you can trust it, audit it, and reset it when needed.

## Where credentials live

```text theme={null}
~/.synti/credentials.enc
```

The file is created with owner-only permissions. You can verify that no other user can read it:

```bash theme={null}
ls -la ~/.synti/credentials.enc
# -rw-------  1 you  staff  ...  credentials.enc
```

## How encryption works

Secrets are sealed with **AES-256-GCM**. The encryption key is derived with **PBKDF2** from a machine-specific seed, so the key never has to be typed and never leaves the device.

<Info>
  This gives protection comparable to an OS keychain, but without interactive unlock prompts — the agent can start and reach its providers unattended, which is what makes the headless server and automations practical.
</Info>

Because the key is bound to the machine, `credentials.enc` cannot be decrypted if copied to another computer. When you move to a new machine, re-enter your keys rather than copying the file.

<Warning>
  Do not copy `credentials.enc` between machines and expect it to work. Treat it as device-local. To migrate, reconnect each provider and source on the new machine.
</Warning>

## What gets stored

The store holds several kinds of secrets, each scoped so that one credential can't leak into an unrelated context:

| Scope          | Key shape                           | Used for                                                                        |
| -------------- | ----------------------------------- | ------------------------------------------------------------------------------- |
| Per-connection | `{type}::{connectionSlug}`          | API keys and tokens for an [LLM connection](/reference/config/llm-connections). |
| Per-source     | `{type}::{workspaceId}::{sourceId}` | Credentials for a connected MCP server, REST API, or filesystem source.         |
| Global         | `{type}::global`                    | Legacy, un-scoped secrets carried over from older versions.                     |

Credentials are added automatically the first time you complete setup, connect a source, or authenticate an MCP server — you don't manage the file directly during normal use.

## Overriding with environment variables

For automation, CI, or the [headless server](/server/headless), you can supply a provider key through the environment instead of the encrypted store. Environment values take precedence over anything on disk.

```bash theme={null}
export ANTHROPIC_API_KEY=sk-ant-...
export SYNTI_ANTHROPIC_API_KEY=sk-ant-...   # Synti-scoped alternative, wins over the above
```

The full lookup order and every supported variable are listed in [Environment Variables](/reference/config/environment-variables).

## Inspecting and resetting

<AccordionGroup>
  <Accordion title="See which credentials are stored">
    The in-app `/debug` command lists the credential identifiers that are present — the keys, never the secret values. Use it to confirm a provider or source actually has a stored credential.
  </Accordion>

  <Accordion title="Remove a single credential">
    Delete or re-authenticate the connection or source it belongs to. Removing a connection clears its scoped secret.
  </Accordion>

  <Accordion title="Wipe everything">
    Quit Synti and delete the encrypted file:

    ```bash theme={null}
    rm ~/.synti/credentials.enc
    ```

    On next launch Synti starts with no stored secrets and will prompt you to reconnect. Your workspaces and preferences in `config.json` are unaffected.
  </Accordion>
</AccordionGroup>

## Related

<CardGroup cols={2}>
  <Card title="LLM Connections" icon="plug" href="/reference/config/llm-connections">
    Connections whose keys land in the credential store.
  </Card>

  <Card title="Environment Variables" icon="terminal" href="/reference/config/environment-variables">
    Supply keys at launch, ahead of the encrypted store.
  </Card>

  <Card title="Config File" icon="file-code" href="/reference/config/config-file">
    The non-secret settings that sit next to your credentials.
  </Card>

  <Card title="API Providers" icon="globe" href="/reference/config/custom-endpoint">
    Point a connection at a custom endpoint.
  </Card>
</CardGroup>
