Runner Secrets Live on the Platform Now – the Token Is All You Need Locally

Anthropic API keys and git tokens now live in the Spedy vault, not in the runner's .env. The setup wizard asks for less, a new Secrets tab under Settings → Runners manages the values, and a migration banner walks existing admins through the switch.

Spedy Team · 4 min read
#runners #security #configuration #setup

Until this week a runner needed four or five local environment variables: API URL, runner token, Anthropic key, GitHub token, sometimes Bitbucket on top. Now it needs two. Everything else is delivered by the platform at startup.


Secrets live on the platform

The runner authenticates against the Spedy API with its rnt_… token and receives its full runtime bundle back: Anthropic key, git tokens, MCP credentials. Values are encrypted at rest with AES-256-GCM and delivered over TLS — they never touch disk on the runner, only process memory and the env vars of individual job containers.

The only things you still need locally:

SPEDY_API_URL=https://api.spedy.ai
SPEDY_RUNNER_TOKEN=rnt_…

When you create a new token, Spedy shows you the exact snippet to paste into your .env and checks right there whether the Anthropic key already sits in the vault.


New Secrets tab under Settings → Runners

A fourth tab, Secrets, now lives under Settings → Runners. It manages:

  • Anthropic API key — the only officially supported LLM provider today. OpenAI and Gemini are not on the list yet.
  • Custom env vars — anything else your runner job needs (project-specific flags, feature toggles, …).

Each entry shows:

  • Scope + provider + env-var name
  • A masked preview (e.g. sk-a****abcd)
  • Timestamps for creation, last rotation, last use

The plaintext leaves the database at exactly one point: the runner's /runners/bootstrap call. Even admins can't read it back after saving — to rotate you just enter a new value.


GitHub and Bitbucket come from Integrations

If you already have GitHub or Bitbucket connected under Settings → Integrations, you do not need to create a secret for them. The runner pulls the token straight from the active integration on every bootstrap (and mints a short-lived installation token for GitHub App installs).

A small banner on the Secrets tab makes this explicit so nobody duplicates the token by accident.


Setup wizard: three steps instead of four

The wizard you get to via spedy-runner setup has shrunk:

  1. AI backend — "Anthropic API (platform-managed)" or "Local Claude installation (Max/Pro)"
  2. Configuration — pool size (how many parallel runners)
  3. Review & Connect — create the token, run a readiness check

The old "Git Connections" step is gone — GitHub/Bitbucket come from Integrations automatically. The Anthropic key is no longer collected in the wizard either; instead the Review step shows a checklist:

| Item | Status |
| --- | --- |
| ANTHROPIC_API_KEY in the vault | ✓ or ⚠ (deep-links to the Secrets tab if missing) |
| GitHub / Bitbucket from Integrations | ✓ or ⚠ (deep-links to Integrations if missing) |

If the Anthropic key is missing, the wizard still creates the runner token but won't send the bundle to the local CLI until you add the secret. That prevents runners from going online just to fail on the first job.


Migration for existing admins

If you already have runners running, a migration banner shows up at the top of the runners page with two steps:

  1. Store your Anthropic API key in the vault — direct link to the Secrets tab.
  2. Restart the supervisor once — the banner prints the exact command:

       docker compose pull
       docker compose up -d --force-recreate spedy-supervisor

The banner disappears automatically as soon as ANTHROPIC_API_KEY exists in the vault. As long as you leave the old value in your local .env, the local value wins over the platform value — so you can do the switchover at your own pace and remove the line later once everything is green. The runner re-fetches the bundle every 15 minutes, so rotations propagate without another restart.
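
A pre-restart check for the switchover described above, as an added example that is not Spedy's own code: it parses a runner's .env, confirms the two required variables are present, and lists platform-managed names whose local value still shadows the vault, which would keep rotations from reaching that runner. It assumes an empty local value does not count as an override; GITHUB_TOKEN in the sample call is an assumed variable name, and all sample values are constructed.

```python
import re

# The two variables the post says must stay in the runner's .env.
REQUIRED_LOCAL = ("SPEDY_API_URL", "SPEDY_RUNNER_TOKEN")
_LINE = re.compile(r"^\s*(?:export\s+)?([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.*)$")

def parse_env(text):
    """Parse KEY=VALUE lines; skip blanks/comments, unwrap quoted values."""
    values = {}
    for raw in text.splitlines():
        m = _LINE.match(raw)
        if not m:  # blank line, comment, or not an assignment
            continue
        key, val = m.group(1), m.group(2).strip()
        if val[:1] in ("'", '"') and val.find(val[0], 1) > 0:
            val = val[1:val.find(val[0], 1)]  # text between the quotes
        else:
            val = re.sub(r"(^|\s)#.*$", "", val).strip()  # trailing comment
        values[key] = val
    return values

def mask(value):
    """Masked preview in the style the Secrets tab shows (sk-a****abcd)."""
    return "****" if len(value) <= 8 else f"{value[:4]}****{value[-4:]}"

def audit_env(text, platform_managed=("ANTHROPIC_API_KEY",)):
    """Report missing required vars and local values that shadow the vault."""
    env = parse_env(text)
    return {
        "missing": [k for k in REQUIRED_LOCAL if not env.get(k)],
        # A local value wins over the platform bundle, so a vault rotation
        # never reaches this runner until the line is removed.
        "shadowing": {k: mask(env[k]) for k in platform_managed if env.get(k)},
        "token_prefix_ok": env.get("SPEDY_RUNNER_TOKEN", "").startswith("rnt_"),
    }

# Constructed sample: a half-migrated .env (every value is fake).
SAMPLE_ENV = """\
# runner config
SPEDY_API_URL=https://api.spedy.ai
export SPEDY_RUNNER_TOKEN="rnt_constructed0000example"
ANTHROPIC_API_KEY=sk-ant-constructed-not-a-real-key-abcd  # old, pre-vault
GITHUB_TOKEN=
"""

if __name__ == "__main__":
    # GITHUB_TOKEN is an assumed variable name, not taken from the post.
    print(audit_env(SAMPLE_ENV, ("ANTHROPIC_API_KEY", "GITHUB_TOKEN")))
```

The report contains only masked previews, so it can be pasted into a ticket without exposing the key it flags.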


Your keys, your responsibility

Because the runner now talks to Anthropic directly with your key, the Secrets tab carries a reminder at the top:

  • The cost is yours. Spedy does not cap, proxy, or subsidise token spend. Whatever the agent burns bills directly to the account behind the key.
  • Set limits on both ends. Budgets and rate limits in the Anthropic dashboard; per-job token budgets under Runner Teams inside Spedy. Agent loops can spiral into six-figure cache-read counts if left uncapped.
  • No secrets in the repo. The agent reads the full working tree as context. Any .env, private key, or committed token it finds can end up echoed in logs, commits, or PR descriptions.

Summary

| Change | What it means |
| --- | --- |
| /runners/bootstrap | Runner fetches secrets from the platform on startup |
| New Secrets tab | Anthropic key + custom env vars managed centrally |
| Git via Integrations | GitHub/Bitbucket picked up automatically |
| Setup wizard | Three steps instead of four; no Anthropic/git input |
| Env-var hint in the token modal | .env snippet + readiness checklist right after token creation |
| Migration banner | Walks existing admins through the two-step switchover |
| Responsibility notice | Cost, limits, and repo hygiene surfaced on the Secrets tab |

Frequently asked questions

Quick answers to the most common questions about this topic.

Do I need to reconfigure my runner?
Existing runners keep working because local YAML / .env values win over platform values. Once you remove the Anthropic key from your local file, the runner falls back to the value from the vault. A single supervisor restart after the update is enough.

Where do I put the Anthropic API key now?
Settings → Runners → Secrets tab. The value is encrypted at rest with AES-256-GCM and only delivered to authenticated runners over TLS.

What happens to my GitHub and Bitbucket tokens?
Nothing — they stay in Settings → Integrations. The runner pulls the right token out of the active integration automatically.

Who pays for Claude usage?
You do. Spedy doesn't proxy, cap, or subsidise your Anthropic key — usage bills directly to the account behind it. Set budgets and rate limits in the Anthropic dashboard and configure per-job token budgets in Runner Teams.