30-Minute Workshop

Secrets & AI Tools

How to use secrets safely when working with AI coding tools

Interactive activity

Live demo

Cheat sheet

Foundations

What is a secret?

A secret is any value that grants access to a system, service, or data. If it leaks, someone else can use it.

API keys and tokens
Passwords and passphrases
Database connection strings
Environment variables containing credentials
Private keys and certificates
OAuth client secrets

Can you think of secrets you use day to day?

Workshop

You need AI help, and the tool needs a secret

You're debugging or building with AI and the tool needs:

an API token
a password
a .env value
a database credential

What do you do next?

Activity

Safe or unsafe?

Scenario	Verdict
Paste an API key into chat to help debug	Unsafe
Use 1Password CLI to load a secret into an env var	Safe
Use a personal account for a company token	Unsafe
Use Lovable's secret manager	Safe
Paste a `.env` file into a prompt "just for a minute"	Unsafe

Press R to reveal answers one at a time

The Rule

Don't paste secrets into chat.
Use approved secret flows.

Never

Paste secrets into chat
Paste into collaborative workspaces
Use personal accounts for company secrets
Paste secrets into prompts, docs, tickets, or screenshots

Instead

Store secrets in 1Password
Use CLI, secret references, or env vars
Use tool-native secret managers
Use company-approved accounts and tools

Chat is not a secret manager

Hands-on

1Password CLI → secret reference → coding tool

1

Install the 1Password skill: npx skills add jem-open/jem-agent-skills@1password-secret-references

2

Sign in to 1Password CLI

3

Retrieve the secret reference

4

Load that secret reference into the approved coding tool

5

Never paste the raw value into the prompt

The pattern

Secret Manager → Secret Reference → Approved Tool

Copy Secret → Paste into Chat

Cheat Sheet

If you're doing X, use Y

If you are doing…	Use…	Avoid…
AI-assisted coding in terminal	1Password CLI + approved coding tool	pasting token into chat
Browser-based workflow	1Password browser extension / autofill	manual copy-paste
App builder workflow	Lovable secret manager	putting secrets in prompts
Automation workflow	n8n credential or secret store	hardcoding secrets
Internal AI workflow	Approved internal agent skill	raw secret in prompt text

If you pasted it, rotate it.

Takeaway

Don't paste. Rotate if you did.

Use approved secret-handling workflows so the tool gets access without exposing the value in prompts, history, or transcripts.

Remember

Secret manager → approved retrieval → approved tool
Chat is not a secret manager
The tool may differ, the pattern does not

If a secret is pasted by mistake

Act immediately — delete the message
Assume the secret is exposed
Revoke or rotate it
Update anything that depends on it
Report through the approved internal process

Secrets & AI Tools

What is a secret?

You need AI help, and the tool needs a secret

Safe or unsafe?

Don't paste secrets into chat.Use approved secret flows.

Never

Instead

1Password CLI → secret reference → coding tool

The pattern

If you're doing X, use Y

Don't paste. Rotate if you did.

Remember

If a secret is pasted by mistake

Don't paste secrets into chat.
Use approved secret flows.