> ## Documentation Index
> Fetch the complete documentation index at: https://docs.neus.network/llms.txt
> Use this file to discover all available pages before exploring further.

# Encrypted secrets

> Store, list, and revoke portable encrypted secrets through MCP.

Three public MCP tools manage **encrypted secrets** tied to your NEUS Profile. Values are sealed with AES-256-GCM and **never returned in plaintext** through MCP.

Sign in first — OAuth or a Profile access key ([Auth](./auth)). Use the signed-in profile context from **`neus_context`** before create or revoke.

| Tool                     | Purpose                                               |
| ------------------------ | ----------------------------------------------------- |
| **`neus_secret_create`** | Store a named secret as an encrypted proof            |
| **`neus_secret_list`**   | List secret metadata (alias, qHash, type) — no values |
| **`neus_secret_revoke`** | Revoke a secret proof by qHash                        |

## Create (`neus_secret_create`)

```json theme={"dark"}
{
  "walletAddress": "0x...",
  "alias": "OPENAI_API_KEY",
  "secretType": "single",
  "content": "<your-secret-value>"
}
```

| Field           | Notes                                                            |
| --------------- | ---------------------------------------------------------------- |
| `walletAddress` | Must match your authenticated Profile wallet                     |
| `alias`         | Letters, numbers, underscore; must start with a letter           |
| `secretType`    | `single` (default) or `bundle` (JSON object string in `content`) |
| `content`       | Plaintext input — encrypted at rest; never echoed back via MCP   |

## List (`neus_secret_list`)

```json theme={"dark"}
{
  "walletAddress": "0x...",
  "limit": 50,
  "offset": 0
}
```

Without Bearer auth, the tool returns an empty list and `authRequired: true` — it does not leak metadata.

## Revoke (`neus_secret_revoke`)

```json theme={"dark"}
{
  "walletAddress": "0x...",
  "qHash": "..."
}
```

Requires authenticated ownership of the secret proof.

## Security

* Never paste secret values into chat logs or public issues.
* Prefer OAuth or Profile keys in MCP config only — not in app browser bundles.
* Rotate or revoke through **`neus_secret_revoke`** and re-create if a value is exposed.

<CardGroup cols={2}>
  <Card title="Auth" icon="lock" href="./auth" />

  <Card title="Current user" icon="user" href="./me" />
</CardGroup>
