Start
Quick start
Set up your first workspace, project, provider, secret, member, and agent without turning ScopeHold into a policy exercise.
Updated May 23, 2026
ScopeHold is a low-friction secrets layer for human-plus-agent teams. The core workflow is simple: paste a secret once, assign it to the right scope, grant the right humans or agents access, and let the audit log explain what happened later.
First setup
- 1Create or open a workspaceA workspace is the top-level operational boundary. It contains projects, providers, secrets, members, agents, and audit history.
- 2Create a projectProjects keep operational work separated inside the workspace. Project-scoped resources are not visible to sibling projects unless they are assigned from the workspace.
- 3Add a providerA provider is the named external system namespace, such as Supabase, GitHub, Stripe, Cloudflare, or a generic provider.
- 4Create a secretA secret is an encrypted credential under a provider. Add a clear name, optional description, and the credential value.
- 5Grant accessAssign the secret to projects where needed, then grant direct access to the specific members or agents that should reveal or resolve it.
- 6Onboard an agentCreate an agent provisioning prompt. The prompt supports the recommended ScopeHold CLI path and a complete API-only fallback, and it points agents to optional ScopeHold Agent Guidance for their runtime.
- 7Review the audit logUse the audit log to confirm who created, changed, revealed, resolved, archived, or attempted to access sensitive resources.
Recommended first project
Set up a real operational workflow: add a provider, store a credential, create or select a named agent, grant the access it needs, resolve the credential at runtime, and confirm the audit entry. Add a member when you also want a human reveal path in the same project.