Quick start
Set up your first workspace, project, provider, secret, member, and agent without turning ScopeHold into a policy exercise.
Updated May 23, 2026
ScopeHold is a low-friction secrets layer for human-plus-agent teams. The core workflow is simple: paste a secret once, assign it to the right scope, grant the right humans or agents access, and let the audit log explain what happened later.
First setup
- 1. Create or open a workspace: A workspace is the top-level operational boundary. It contains projects, providers, secrets, members, agents, and audit history.
- 2. Create a project: Projects keep operational work separated inside the workspace. Project-scoped resources are not visible to sibling projects unless they are assigned from the workspace.
- 3. Add a provider: A provider is the named external system namespace, such as Supabase, GitHub, Stripe, Cloudflare, or a generic provider.
- 4. Create a secret: A secret is an encrypted credential under a provider. Add a clear name, optional description, and the credential value.
- 5. Grant access: Assign the secret to projects where needed, then grant direct access to the specific members or agents that should reveal or resolve it.
- 6. Onboard an agent: Create an agent provisioning prompt. The prompt supports the recommended ScopeHold CLI path and a complete API-only fallback, and it points agents to optional ScopeHold Agent Guidance for their runtime.
- 7. Review the audit log: Use the audit log to confirm who created, changed, revealed, resolved, archived, or attempted to access sensitive resources.
Recommended first project
Start with one real operational project and one real provider. Add one human member and one agent, grant one secret, and confirm the member can reveal it while the agent can resolve it. That gives you the full ScopeHold model without creating unnecessary setup work.
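The grant-and-verify flow from the setup steps and the recommended first project, as an added example: a simplified Python model, not ScopeHold's code or API. The class names, the rule that both project visibility and a direct grant are required, and the sample principals and projects are assumptions made for illustration.

```python
# Simplified, hypothetical model of the scope-and-grant flow described above.
# Not ScopeHold's API or implementation; every name here is illustrative.
from dataclasses import dataclass, field
from typing import Optional

# Assumption: human members "reveal" a secret, agents "resolve" it.
ACTION_FOR_KIND = {"member": "reveal", "agent": "resolve"}

@dataclass
class Secret:
    provider: str
    home_project: Optional[str]          # None = workspace-level secret
    assigned_projects: set = field(default_factory=set)
    grants: set = field(default_factory=set)   # (principal, action) pairs

    def visible_in(self, project):
        # Project-scoped secrets stay in their own project; workspace-level
        # secrets are visible only in projects they were assigned to.
        if self.home_project is not None:
            return project == self.home_project
        return project in self.assigned_projects

@dataclass
class Workspace:
    secrets: dict = field(default_factory=dict)
    audit: list = field(default_factory=list)

    def access(self, principal, kind, action, secret_name, project):
        secret = self.secrets.get(secret_name)
        allowed = (secret is not None and secret.visible_in(project)
                   and ACTION_FOR_KIND.get(kind) == action
                   and (principal, action) in secret.grants)
        # Denied attempts are recorded too, so the audit log can explain them.
        outcome = "allowed" if allowed else "denied"
        self.audit.append((principal, action, secret_name, project, outcome))
        return allowed

def first_project_check():
    """Constructed sample: one project, one provider, one member, one agent."""
    ws = Workspace()
    ws.secrets["db-url"] = Secret("supabase", None, {"billing"},
                                  {("alice", "reveal"), ("deploy-bot", "resolve")})
    attempts = [("alice", "member", "reveal", "billing"),
                ("deploy-bot", "agent", "resolve", "billing"),
                ("deploy-bot", "agent", "resolve", "marketing"),  # sibling project
                ("bob", "member", "reveal", "billing")]           # no direct grant
    results = [ws.access(p, k, a, "db-url", proj) for p, k, a, proj in attempts]
    return results, ws.audit
```

The two denied rows are the ones worth checking for in a real audit log after setup: an access from a project the secret was never assigned to, and a principal with no direct grant.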