One place to configure agent access

Secrets & API Vault

+ New / Configure
Cloudflareready
Airtableneeded
Mance V1needed
Storage policyno plaintext

Add API / Secret

Enter once, then assign it to Workers, agents, and process flows.

Status

Select Airtable or OpenRouter, paste the value, then save. Secret values should be written to Cloudflare, not D1 plaintext.

Access Rules

Default policy

Agents can request a capability. Secret values are never shown to agents.

least exposure
Write actions

Pushes to Airtable, D1, R2, or Mance require approval unless marked routine.

approval gate
Audit trail

Log which Worker/agent used which capability and when.

D1 log
Rotation

Track stale tokens and force refresh for risky integrations.

planned

Mance V1 Orchestrator Needs

Cloudflare bindingsreadyD1/R2/V
AIRTABLE_PATneededsecret
AIRTABLE_BASE_IDneededvar
AIRTABLE_DEFAULT_TABLEneededvar
MANCE_AGENT_URLneededvar
MANCE_API_KEYneededsecret

What Gets Stored Where

Secret valueCloudflare secret only. Not stored in D1 or visible in UI after save.
MetadataD1 can store provider, name, owner, scope, last checked, and status.
Agent accessAgents receive capabilities, not raw tokens.
Worker accessWorkers read secrets from env at runtime.

Operator Flow

1

Paste

Add token or API key once.

2

Assign

Choose Worker, agent, and process flows.

3

Test

Run a safe health check.

4

Use

Agents use approved capabilities.